RESOLVED FIXED 157089
CVE-2016-4735 Crash for non-static super property call in derived class constructor
https://bugs.webkit.org/show_bug.cgi?id=157089
Summary Crash for non-static super property call in derived class constructor
André Bargull
Reported 2016-04-27 10:32:03 PDT
SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug

Test case:
---
(new class D extends class {} { constructor() { eval(`super["m"]()`) } })
---

Crashes with:
---
Thread 1 "jsc-debug" received signal SIGSEGV, Segmentation fault.
0x00007ffff6a33742 in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
---

Also reproducible with:
---
(new class D extends class {} { constructor(f) { super[f()]() } })
---

And with:
---
new class extends class {} { constructor() { super["m"](super()) } }
---

Stack trace:
---
#0  0x00007ffff6a33742 in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007ffff6a2d895 in vmEntryToJavaScript () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c848, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffc000) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#3  0x00007ffff6999ca2 in JSC::Interpreter::execute (this=0x7ffff0def058, eval=0x7fffaedfbee0, callFrame=0x7fffffffca50, thisValue=..., scope=0x7fffaeddbec0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1255
#4  0x00007ffff6995405 in JSC::eval (callFrame=0x7fffffffca50) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:208
#5  0x00007ffff6a29fd7 in JSC::(anonymous namespace)::llint_slow_path_call_eval (exec=0x7fffffffcae0, pc=0x7ffff0dd7628) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1354
#6  0x00007ffff6a33ea2 in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#7  0x00007ffff6a33b4b in llint_entry () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#8  0x00007ffff6a2d895 in vmEntryToJavaScript () from /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#9  0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c5f0, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#10 0x00007ffff6997f4f in JSC::Interpreter::execute (this=0x7ffff0def058, program=0x7fffaedfbf70, callFrame=0x7fffaede7940, thisObj=0x7fffaedba360) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:960
#11 0x00007ffff6b849ad in JSC::evaluate (exec=0x7fffaede7940, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106
#12 0x000000000043a120 in runInteractive (globalObject=0x7fffaede7900) at ../../Source/JavaScriptCore/jsc.cpp:2083
#13 0x000000000043abcb in runJSC (vm=0x7fffb09f1000, options=...) at ../../Source/JavaScriptCore/jsc.cpp:2244
#14 0x000000000043b0a1 in jscmain (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:2293
#15 0x000000000043967f in main (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:1947
Warning: the current language does not match this frame.
---
Attachments
Patch (5.79 KB, patch)
2016-04-28 06:47 PDT, GSkachkov
no flags
André Bargull
Comment 1 2016-04-27 10:33:06 PDT
Preemptively marked as s-s, please unhide if this issue is not security relevant.
GSkachkov
Comment 2 2016-04-27 23:49:06 PDT
At first look, the problem is that we do not emit a TDZ check of super when we try to access super by bracket notation in a constructor. I'll try to fix.
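The behaviour Comment 2 describes can be pinned down as a regression test. In a derived-class constructor, `this` sits in its temporal dead zone until `super()` returns, and a `super[expr]()` call uses `this` as its receiver, so an engine must throw a ReferenceError at that point instead of reaching an uninitialized binding. The following is an added example, not code from the bug report or from WebKit; the `Base` class, the `outcome` helper and the function names are constructed for illustration. It mirrors the report's three shapes (direct eval, computed key, callee evaluated before the `super()` argument) and adds the positive case where the same access after `super()` succeeds.

```javascript
// Added example (not from the bug report or WebKit). A conforming engine must
// raise ReferenceError for every super[...] access that runs before super()
// in a derived constructor, and must succeed for the same access afterwards.

class Base {
  m() { return "base.m"; }
}

// Helper (constructed): run fn and report the value or the thrown error's name.
function outcome(fn) {
  try {
    return { value: fn(), error: null };
  } catch (e) {
    return { value: undefined, error: e.constructor.name };
  }
}

// Shape 1 (report's first test case): direct eval inside the constructor.
// Direct eval inherits the constructor's `this` environment, so the super
// property access still sees an uninitialized `this` and must throw.
function evalBeforeSuper() {
  return outcome(() => new class extends Base {
    constructor() { eval('super["m"]()'); super(); }
  });
}

// Shape 2 (report's second test case): computed key via a function argument.
// The receiver `this` is uninitialized, so a ReferenceError is required.
function computedBeforeSuper() {
  return outcome(() => new class extends Base {
    constructor(f) { super[f()](); super(); }
  }(() => "m"));
}

// Shape 3 (report's third test case): super["m"](super()). The callee
// super["m"] is evaluated before the argument list, so super() has not yet
// run when the receiver is needed; this must throw as well.
function calleeBeforeArgument() {
  return outcome(() => new class extends Base {
    constructor() { super["m"](super()); }
  });
}

// Positive case: the same computed access after super() is legal and calls
// Base.prototype.m with the freshly constructed instance as receiver.
function computedAfterSuper() {
  return outcome(() => new class extends Base {
    constructor(f) { super(); this.r = super[f()](); }
  }(() => "m")).value.r;
}

// Collect every result so a test harness can check them in one place.
function runAll() {
  return {
    evalBeforeSuper: evalBeforeSuper().error,          // "ReferenceError"
    computedBeforeSuper: computedBeforeSuper().error,  // "ReferenceError"
    calleeBeforeArgument: calleeBeforeArgument().error,// "ReferenceError"
    computedAfterSuper: computedAfterSuper(),          // "base.m"
  };
}
```

Each of the three pre-`super()` shapes corresponds to one of the reporter's crashing inputs; on an engine with the TDZ check in place they all surface as a catchable ReferenceError, which is the observable behaviour the fix in this bug restores.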
GSkachkov
Comment 3 2016-04-28 06:47:20 PDT
Created attachment 277618 [details]
Patch

hot fix
Darin Adler
Comment 4 2016-04-28 07:22:49 PDT
Comment on attachment 277618 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=277618&action=review

> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:940
> +    }
> else

WebKit coding style puts this brace and else on the same line
GSkachkov
Comment 5 2016-04-28 10:03:55 PDT
Comment on attachment 277618 [details]
Patch

Patch landed
Committed 200191: <http://trac.webkit.org/changeset/200191>
Radar WebKit Bug Importer
Comment 6 2016-07-13 10:29:18 PDT