160680 2016-08-08 17:22:56 -0700 Use after free in JS array sort 2018-02-16 13:40:25 -0800 1 1 1 Unclassified WebKit JavaScriptCore Safari 8 Unspecified Unspecified RESOLVED FIXED InRadar P2 Major --- 1 don.olmstead webkit-unassigned bfulgham fpizlo ggaren webkit-bug-importer oldest_to_newest 1218642 0 285614 don.olmstead 2016-08-08 17:22:56 -0700 Created attachment 285614 Example exploit A use after free occurs in the sort of the JS array. In the attached exploit `z.toString()` was evaluated and a new element was pushed to W in the function triggering a growth and reallocation of the array. However it tried to write the sorted elements onto the old already freed memory. The patch updates the location of `data` before writing to it. This bug was present from revisions 130826 to 183570. It has not been exploitable for awhile but is being reported in case there are other places that may have similar issues, and so a test case might be implemented to ensure it doesn't crop up again. 1218643 1 webkit-bug-importer 2016-08-08 17:23:21 -0700 <rdar://problem/27757708> 1218649 2 285617 don.olmstead 2016-08-08 17:24:48 -0700 Created attachment 285617 Fix for use after free 1218650 3 don.olmstead 2016-08-08 17:26:00 -0700 Fixed in 183570 1218651 4 bfulgham 2016-08-08 17:27:33 -0700 Fix committed in r183570 <https://trac.webkit.org/changeset/183570/>. 1219090 5 bfulgham 2016-08-10 13:09:04 -0700 Note: We should turn the exploit example into a test case so we can guard against this in the future. 1219103 6 bfulgham 2016-08-10 13:24:08 -0700 Test case added: Committed in r204344 <https://trac.webkit.org/changeset/204344>. 1400008 7 bfulgham 2018-02-16 13:40:25 -0800 This fix shipped a few years ago, opening for public access. 285614 2016-08-08 17:22:56 -0700 2016-08-08 17:22:56 -0700 Example exploit exploit.html text/html 331 don.olmstead PGh0bWw+DQo8aGVhZD4NCjxzY3JpcHQ+DQpmdW5jdGlvbiBmb28oKSB7DQogICAgdmFyIE4gPSAx MjI4ODsgLy8gMzAwMGgNCiAgICB2YXIgVyA9IEFycmF5LnByb3RvdHlwZS5jb25zdHJ1Y3Rvci5h cHBseShudWxsLCBuZXcgQXJyYXkoTikpOw0KICAgIHZhciB6ID0ge307DQogICAgei50b1N0cmlu ZyA9IGZ1bmN0aW9uKCkgew0KICAgICAgICBXLnB1c2goMTIzNDUpOw0KICAgICAgICByZXR1cm4g IiINCiAgICB9Ow0KICAgIFdbMF0gPSB6Ow0KICAgIFcuc29ydCgpOw0KfQ0KPC9zY3JpcHQ+DQo8 L2hlYWQ+DQo8Ym9keSBvbmNsaWNrPSJmb28oKSI+PC9ib2R5Pg0KPC9odG1sPg== 285617 2016-08-08 17:24:48 -0700 2016-08-08 17:24:48 -0700 Fix for use after free JSArray.patch text/plain 1883 don.olmstead SW5kZXg6IEpTQXJyYXkuY3BwDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQotLS0gSlNBcnJheS5jcHAJKHJldmlzaW9u IDEzMjExKQ0KKysrIEpTQXJyYXkuY3BwCSh3b3JraW5nIGNvcHkpDQpAQCAtMTA4NywxMCArMTA4 NywzNyBAQA0KICAgICB9CiB9OwogCit0ZW1wbGF0ZSA8PgorQ29udGlndW91c0pTVmFsdWVzIEpT QXJyYXk6OnN0b3JhZ2U8QXJyYXlXaXRoSW50MzIsIFdyaXRlQmFycmllcjxVbmtub3duPiA+KCkK K3sKKyAgICByZXR1cm4gbV9idXR0ZXJmbHktPmNvbnRpZ3VvdXNJbnQzMigpOworfQogCit0ZW1w bGF0ZSA8PgorQ29udGlndW91c0RvdWJsZXMgSlNBcnJheTo6c3RvcmFnZTxBcnJheVdpdGhEb3Vi bGUsIGRvdWJsZT4oKQoreworICAgIHJldHVybiBtX2J1dHRlcmZseS0+Y29udGlndW91c0RvdWJs ZSgpOworfQorCit0ZW1wbGF0ZSA8PgorQ29udGlndW91c0pTVmFsdWVzIEpTQXJyYXk6OnN0b3Jh Z2U8QXJyYXlXaXRoQ29udGlndW91cywgV3JpdGVCYXJyaWVyPFVua25vd24+ID4oKQoreworICAg IHJldHVybiBtX2J1dHRlcmZseS0+Y29udGlndW91cygpOworfQorCit0ZW1wbGF0ZSA8PgorQ29u dGlndW91c0pTVmFsdWVzIEpTQXJyYXk6OnN0b3JhZ2U8QXJyYXlXaXRoQXJyYXlTdG9yYWdlLCBX cml0ZUJhcnJpZXI8VW5rbm93bj4gPigpCit7CisgICAgQXJyYXlTdG9yYWdlKiBzdG9yYWdlID0g bV9idXR0ZXJmbHktPmFycmF5U3RvcmFnZSgpOworICAgIEFTU0VSVCghc3RvcmFnZS0+bV9zcGFy c2VNYXApOworICAgIHJldHVybiBzdG9yYWdlLT52ZWN0b3IoKTsKK30KKwogdGVtcGxhdGU8SW5k ZXhpbmdUeXBlIGluZGV4aW5nVHlwZSwgdHlwZW5hbWUgU3RvcmFnZVR5cGU+CiB2b2lkIEpTQXJy YXk6OnNvcnRDb21wYWN0ZWRWZWN0b3IoRXhlY1N0YXRlKiBleGVjLCBDb250aWd1b3VzRGF0YTxT dG9yYWdlVHlwZT4gZGF0YSwgdW5zaWduZWQgcmVsZXZhbnRMZW5ndGgpCiB7CisgICAgZGF0YSA9 IHN0b3JhZ2U8aW5kZXhpbmdUeXBlLCBTdG9yYWdlVHlwZT4oKTsKKwogICAgIGlmICghcmVsZXZh bnRMZW5ndGgpCiAgICAgICAgIHJldHVybjsKICAgICAKQEAgLTExNjcsNiArMTE5NCw3IEBADQog ICAgICAgICBDUkFTSCgpOwogICAgIH0KIAorICAgIGRhdGEgPSBzdG9yYWdlPGluZGV4aW5nVHlw ZSwgU3RvcmFnZVR5cGU+KCk7CiAgICAgZm9yIChzaXplX3QgaSA9IDA7IGkgPCByZWxldmFudExl bmd0aDsgaSsrKQogICAgICAgICBDb250aWd1b3VzVHlwZUFjY2Vzc29yPGluZGV4aW5nVHlwZT46 OnNldFdpdGhWYWx1ZSh2bSwgdGhpcywgZGF0YSwgaSwgdmFsdWVzW2ldLmZpcnN0KTsKICAgICAK SW5kZXg6IEpTQXJyYXkuaA0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KLS0tIEpTQXJyYXkuaAkocmV2aXNpb24gMTMy MTEpDQorKysgSlNBcnJheS5oCSh3b3JraW5nIGNvcHkpDQpAQCAtMTcyLDYgKzE3Miw5IEBADQog ICAgICAgICAKICAgICB0ZW1wbGF0ZTxJbmRleGluZ1R5cGUgaW5kZXhpbmdUeXBlPgogICAgIHZv aWQgY29tcGFjdEZvclNvcnRpbmcodW5zaWduZWQmIG51bURlZmluZWQsIHVuc2lnbmVkJiBuZXdS ZWxldmFudExlbmd0aCk7CisKKyAgICB0ZW1wbGF0ZTxJbmRleGluZ1R5cGUgaW5kZXhpbmdUeXBl LCB0eXBlbmFtZSBTdG9yYWdlVHlwZT4KKyAgICBDb250aWd1b3VzRGF0YTxTdG9yYWdlVHlwZT4g c3RvcmFnZSgpOwogfTsKIAogaW5saW5lIEJ1dHRlcmZseSogY3JlYXRlQ29udGlndW91c0FycmF5 QnV0dGVyZmx5KFZNJiB2bSwgdW5zaWduZWQgbGVuZ3RoLCB1bnNpZ25lZCYgdmVjdG9yTGVuZ3Ro KQo=