Bug 160680

Summary: Use after free in JS array sort
Product: WebKit
Reporter: Don Olmstead <don.olmstead>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
CC: bfulgham, fpizlo, ggaren, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Safari 8
Hardware: Unspecified
OS: Unspecified

Don Olmstead
Reported 2016-08-08 17:22:56 PDT
Created attachment 285614 [details] Example exploit

A use after free occurs in the sort of the JS array. In the attached exploit, `z.toString()` was evaluated and a new element was pushed to W in the function, triggering a growth and reallocation of the array. However, it tried to write the sorted elements onto the old, already freed memory. The patch updates the location of `data` before writing to it. This bug was present from revisions 130826 to 183570. It has not been exploitable for a while but is being reported in case there are other places that may have similar issues, and so a test case might be implemented to ensure it doesn't crop up again.
Attachments
Example exploit (331 bytes, text/html), 2016-08-08 17:22 PDT, Don Olmstead, no flags
Fix for use after free (1.84 KB, patch), 2016-08-08 17:24 PDT, Don Olmstead, no flags
Radar WebKit Bug Importer
Comment 1 2016-08-08 17:23:21 PDT
Don Olmstead
Comment 2 2016-08-08 17:24:48 PDT
Created attachment 285617 [details] Fix for use after free
Don Olmstead
Comment 3 2016-08-08 17:26:00 PDT
Fixed in 183570
Brent Fulgham
Comment 4 2016-08-08 17:27:33 PDT
Brent Fulgham
Comment 5 2016-08-10 13:09:04 PDT
Note: We should turn the exploit example into a test case so we can guard against this in the future.
Brent Fulgham
Comment 6 2016-08-10 13:24:08 PDT
Test case added: Committed in r204344 <https://trac.webkit.org/changeset/204344>.
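The following is an added regression-style check for the pattern described in the report (an element whose `toString()` grows the array while `sort` is running); it is not the attached exploit or the r204344 test, and the array contents, `makeMutatingArray` and `sortWithMutatingToString` are constructed here. It checks only what the ECMAScript sort contract guarantees after such a mutation, so it is independent of the engine's sort algorithm.

```javascript
// Regression-style check for the pattern in this report: an element whose
// toString() pushes onto the array that is being sorted. A correct engine
// must finish the sort without writing through the pre-growth buffer; here
// we verify the observable outcome the spec guarantees after the sort.

// Constructed input (not the attached exploit): n objects, stored in
// descending order, whose toString() grows the array mid-sort.
function makeMutatingArray(n) {
  const W = [];
  for (let i = 0; i < n; i++) {
    W.push({
      v: n - i,
      toString() {
        // Runs inside Array.prototype.sort's default comparison and forces
        // the array to grow (and possibly reallocate its storage).
        W.push("grown-" + W.length);
        // Zero-padded so string order equals numeric order for v < 1000.
        return String(this.v).padStart(3, "0");
      },
    });
  }
  return W;
}

// Sorts with the default comparator and reports what must hold afterwards:
// indices 0..n-1 contain exactly the original objects in sorted order, and
// the elements pushed during the sort survive untouched beyond index n-1.
function sortWithMutatingToString(n) {
  const W = makeMutatingArray(n);
  const originals = new Set(W);
  W.sort();
  const prefix = W.slice(0, n);
  const extras = W.slice(n);
  return {
    grew: extras.length > 0, // toString() really ran and pushed
    prefixAllOriginals:
      prefix.length === n &&
      prefix.every((x) => originals.has(x)) &&
      new Set(prefix).size === n,
    prefixSorted: prefix.every((x, i) => i === 0 || prefix[i - 1].v <= x.v),
    extrasIntact: extras.every(
      (x) => typeof x === "string" && x.startsWith("grown-")
    ),
  };
}

console.log(sortWithMutatingToString(8));
```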
Brent Fulgham
Comment 7 2018-02-16 13:40:25 PST
This fix shipped a few years ago, opening for public access.