5 matches found
DFG JIT Use-After-Free
DFG's doesGC is incorrect about the HasIndexedProperty operation's behavior on StringObjects. This can lead to a use-after-free condition. See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR...
macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free Exploit
macOS 10.14.5 / iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free Exploit See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its...
Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free
Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its executi...
Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free
See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its execution 1. With this, it is then possible for the compiler to determine whether there...
Safari+macOS full exploit chain-vulnerability and early warning-the black bar safety net
At this year's Pwn2Own 2018 game, there is more for the Apple Safari browser attack challenge, today we will introduce for Safari remote code executionRCE, sandbox escapes, local privilege escalationLPEand for macOS 10.13.3 kernel exploits. To attack the challenges of the environment settings...