159241 CVE-2016-4734 2016-06-28 17:50:45 -0700 Possible Info Leak in TypedArray.indexOf/lastIndexOf 2017-10-11 10:25:31 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 159400 InRadar P2 Minor --- 1 natashenka keith_miller bfulgham fpizlo ggaren keith_miller mark.lam webkit-bug-importer oldest_to_newest 1206247 0 282308 natashenka 2016-06-28 17:50:45 -0700 Created attachment 282308 Crashing sample There is a possible info leak in TypedArray.indexOf. In JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h, the function genericTypedArrayViewProtoFuncIndexOf has the following code: JSValue valueToFind = exec->argument(0); unsigned index = argumentClampedIndexFromStartOrEnd(exec, 1, length); typename ViewClass::ElementType* array = thisObject->typedVector(); typename ViewClass::ElementType target = ViewClass::toAdaptorNativeFromValue(exec, valueToFind); if (exec->hadException()) return JSValue::encode(jsUndefined()); for (; index < length; ++index) { if (array[index] == target) return JSValue::encode(jsNumber(index)); } There are two places that an attacker can call into script and neuter the array and cause problems. The first is at the argumentClampedIndexFromStartOrEnd, in which case array will be 0, and an absolute pointer specified by index can be compared against value. It's also possible to use this issue as a read-only use-after-free by setting the first parameter to an object with valueOf defined. Since this value is converted after the array pointer is set, the array will be searched after it is freed. I'm not sure if searching an array bytewise for every value between 0 and 255 is a practical attack, so there is no deadline on this issue unless we figure out how to exploit it. 1210472 1 webkit-bug-importer 2016-07-13 09:13:46 -0700 <rdar://problem/27324561> 1211142 2 mark.lam 2016-07-14 14:24:35 -0700 (In reply to comment #0) > The first is at the argumentClampedIndexFromStartOrEnd, in which case array will be 0, and an > absolute pointer specified by index can be compared against value. This no longer an issue because r202982: <http://trac.webkit.org/changeset/202982> added a neuter check immediately after the call to argumentClampedIndexFromStartOrEnd(). 1211149 3 mark.lam 2016-07-14 14:38:57 -0700 Brent, it's not fixed yet. There's a second issue ... (In reply to comment #0) > It's also possible to use this issue as a read-only use-after-free by setting the > first parameter to an object with valueOf defined. Since this value is > converted after the array pointer is set, the array will be searched after > it is freed. Here, I think Natalie is referring to this line in the code: typename ViewClass::ElementType target = ViewClass::toAdaptorNativeFromValue(exec, valueToFind); Keith already has this baking in a fix he's implementing. So, I'll send this bug over to Keith. 1212024 4 keith_miller 2016-07-18 11:17:15 -0700 *** This bug has been marked as a duplicate of bug 159400 *** 282308 2016-06-28 17:50:45 -0700 2016-06-28 17:50:45 -0700 Crashing sample indexOf.html text/html 504 natashenka PGh0bWw+Cjxib2R5Pgo8c2NyaXB0PgoKZnVuY3Rpb24gZigpewogICB0cnl7CiAgIGFsZXJ0KCJ0 Iik7CiAgIHBvc3RNZXNzYWdlKCJ0ZXN0IiwgImh0dHA6Ly8xMjcuMC4wLjEiLCBbcV0pCiAgIGFs ZXJ0KGEuYnl0ZUxlbmd0aCk7CiAgIGFsZXJ0KHEuYnl0ZUxlbmd0aCk7CiAgfSBjYXRjaChlKXsK ICAgICBhbGVydChlLm1lc3NhZ2UpOwogICBhbGVydChhLmJ5dGVMZW5ndGgpCiAgIGFsZXJ0KHEu Ynl0ZUxlbmd0aCk7CiAgfQogICByZXR1cm4gMHgxMjM0NTY3ODsKfQoKYWxlcnQoRGF0ZSk7Cgp2 YXIgcSA9IG5ldyBBcnJheUJ1ZmZlcigweDdmZmZmZmZmKTsKdmFyIG8gPSB7dmFsdWVPZiA6IGZ9 CnZhciBhID0gbmV3IFVpbnQ4QXJyYXkocSk7CgogIC8vIGFsZXJ0KHEuYnl0ZUxlbmd0aCk7CnZh ciB0ID0gW107Cgp0cnl7CiAgICBhLmluZGV4T2YoMHgxMiwgbyk7Cn0gY2F0Y2goZSl7CgogICAg YWxlcnQoZS5tZXNzYWdlKTsKCn0KCjwvc2NyaXB0Pgo8L2JvZHk+CjwvaHRtbD4K