Bug 160680

Summary: Use after free in JS array sort
Product: WebKit Reporter: Don Olmstead <don.olmstead>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: bfulgham, fpizlo, ggaren, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 8   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description                 Flags
Example exploit             none
Fix for use after free      none

Description Don Olmstead 2016-08-08 17:22:56 PDT
Created attachment 285614 [details]
Example exploit

A use after free occurs in the sort of the JS array. In the attached exploit, `z.toString()` was evaluated and a new element was pushed to W in the function, triggering a growth and reallocation of the array. However, it tried to write the sorted elements onto the old, already freed memory. The patch updates the location of `data` before writing to it.

This bug was present from revisions 130826 to 183570. It has not been exploitable for a while, but is being reported in case there are other places that may have similar issues, and so a test case might be implemented to ensure it doesn't crop up again.
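The pattern the report describes, as an added C++ model that is not WebKit's code or the attached patch: a sort that runs a user-visible callback per element, where that callback may append to the array and force its backing store to move. The names `ModelArray`, `sortWithHook` and `ToStringHook` are constructed for this illustration; the sort re-reads the storage pointer after every callback has run, which is the discipline the fix adopts.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Constructed stand-in for a JS array's backing store (not JSC's real layout).
struct ModelArray {
    std::vector<std::string> storage;
};

// Stand-in for the user-visible toString() conversion; it receives the array
// so it can grow it, exactly as the reported case did.
using ToStringHook = std::function<void(ModelArray&, const std::string&)>;

// Sorts the elements present when the call starts, invoking `hook` once per
// element. Returns true if the backing store moved while the hooks ran: the
// condition under which a cached `data` pointer would be dangling.
bool sortWithHook(ModelArray& arr, const ToStringHook& hook) {
    std::string* before = arr.storage.data();   // observed only, never written through
    size_t originalLength = arr.storage.size();

    // Phase 1: convert via indices, never via a pointer cached across a hook call.
    std::vector<std::string> converted;
    converted.reserve(originalLength);
    for (size_t i = 0; i < originalLength; ++i) {
        converted.push_back(arr.storage[i]);
        hook(arr, converted.back());            // may push_back() and reallocate
    }
    std::sort(converted.begin(), converted.end());

    // Phase 2: re-fetch `data` after all callbacks, then write the sorted
    // prefix back. Elements appended by the hook stay where they were pushed.
    std::string* after = arr.storage.data();
    std::copy(converted.begin(), converted.end(), after);
    return before != after;
}

int main() {
    ModelArray a{{"c", "a", "b"}};
    // Constructed hook: the first conversion appends enough to force reallocation.
    sortWithHook(a, [](ModelArray& arr, const std::string& v) {
        if (v == "c")
            for (int i = 0; i < 64; ++i) arr.storage.push_back("z");
    });
    return a.storage[0] == "a" ? 0 : 1;
}
```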
Comment 1 Radar WebKit Bug Importer 2016-08-08 17:23:21 PDT
<rdar://problem/27757708>
Comment 2 Don Olmstead 2016-08-08 17:24:48 PDT
Created attachment 285617 [details]
Fix for use after free
Comment 3 Don Olmstead 2016-08-08 17:26:00 PDT
Fixed in 183570
Comment 4 Brent Fulgham 2016-08-08 17:27:33 PDT
Fix committed in r183570 <https://trac.webkit.org/changeset/183570/>.
Comment 5 Brent Fulgham 2016-08-10 13:09:04 PDT
Note: We should turn the exploit example into a test case so we can guard against this in the future.
Comment 6 Brent Fulgham 2016-08-10 13:24:08 PDT
Test case added:
Committed in r204344 <https://trac.webkit.org/changeset/204344>.
Comment 7 Brent Fulgham 2018-02-16 13:40:25 PST
This fix shipped a few years ago, opening for public access.