Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform

https://github.com/WebKit/webkit/blob/94e868c940d46c5745869192d07255331d00102b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cppL743 case GetByVal: ... unsigned numberOfArgumentsToSkip = 0; if candidate-op == PhantomCreateRest numberOfArgumentsToSkip = candidate-numberOfArgumentsToSkip;...

Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform

Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform https://github.com/WebKit/webkit/blob/94e868c940d46c5745869192d07255331d00102b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cppL743 case GetByVal: ... unsigned numberOfArgumentsToSkip = 0; if...

WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter

/ https://github.com/WebKit/webkit/blob/3fff8c40c665a09de5e3ede46fc35908f69353c3/Source/JavaScriptCore/runtime/Lookup.hL392 if value.attributes & PropertyAttribute::PropertyCallback JSValue result = value.lazyPropertyCallbackvm, &thisObj; thisObj.putDirectvm, propertyName, result,...

WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free Exploit

/ The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF. PoC: ...

WebKit JSC - JSArray::shiftCountWithArrayStorage Out-of-Bounds ReadWrite

WebKit JSC - JSArray::shiftCountWithArrayStorage Out-of-Bounds ReadWrite / bool JSArray::shiftCountWithArrayStorageVM& vm, unsigned startIndex, unsigned count, ArrayStorage storage unsigned oldLength = storage-length; RELEASEASSERTcount hasHoles && this-structurevm-holesMustForwardToPrototypevm,...

WebKit JSC JIT JSPropertyNameEnumerator Type Confusion

WebKit: JSC: JIT: A bug with JSPropertyNameEnumerator CVE-2018-4416 When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store the information of the input object to the for-in loop. Inside the loop, the structure ID of the "this" object of eve...

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Exploit

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object / This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding...

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object / This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding...

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization (2)

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization 2 function f let o = ; for let i in xx: 0 for i of 0 printoi; f;...

WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)

function f let o = ; for let i in xx: 0 for i of 0 printoi; f;...

WebKit JSC Incorrect Optimization

WebKit: JSC: Incorrect for-in optimization 2 CVE-2017-7117 The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal PoC: function f let o = ; for let i in xx: 0 for i of 0...

WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization Exploit

Exploit for multiple platform in category dos / poc WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal CVE-2017-7061 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if...

WebKit JSC - JSObject::putInlineSlow JSValue::putToPrimitive Universal Cross-Site Scripting

WebKit JSC - JSObject::putInlineSlow JSValue::putToPrimitive Universal Cross-Site Scripting let f = document.body.appendChilddocument.createElement'iframe'; let loc = f.contentWindow.location; f.onload = = let a = 1.2; a.proto.proto = f.contentWindow; a'test' = toString: function...

WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting

let f = document.body.appendChilddocument.createElement'iframe'; let loc = f.contentWindow.location; f.onload = = let a = 1.2; a.proto.proto = f.contentWindow; a'test' = toString: function arguments.callee.caller.constructor'alertlocation'; ; ; f.src = 'data:text/html,' +...

WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling

scopeRegister; mcodeBlock| instead of |mcodeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry-mcodeBlock| may have an incorrect offset in the stack layout phase. PoC: -- function f function eval'1'; f; ; throw 1; f;...

WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions Exploit

Exploit for multiple platform in category dos / poc switchToSlowPutArrayStoragevm; = MINSPARSEARRAYINDEX || structurevm-holesMustForwardToPrototypevm return nullptr; Structure...

WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices Exploit

Exploit for multiple platform in category dos / poc lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if !result return JSValue::encodethrowOutOfMemoryErrorexec, scope; for unsigned k = 0; k initializeIndexvm, k, v;...

WebKit JSC Intl.getCanonicalLocales Heap Buffer Overflow

WebKit: JSC: heap buffer overflow in Intl.getCanonicalLocales CVE-2017-6984 Here's tryCreateArrayButterfly which is invoked from intlObjectFuncGetCanonicalLocales to create a JSArray object. inline Butterfly tryCreateArrayButterflyVM& vm, JSCell intendedOwner, unsigned initialLength Butterfly...

WebKit JSC emitPutDerivedConstructorToArrowFunctionContextScope Incorrect Check(CVE-2017-2531)

WebKit: JSC: incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope When a super expression is used in an arrow function, the following code, which generates bytecode, is called. if needsToUpdateArrowFunctionContext && !codeBlock-isArrowFunction bool canReuseLexicalEnvironment =...

WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1165 Here's a snippet of JSObject::ensureLength. bool WARNUNUSEDRETURN ensureLengthVM& vm, unsigned length ASSERTlength vectorLength publicLength setPublicLengthlength; return result; |setPublicLength| is called whether...