Bug 160680 - Use after free in JS array sort
Summary: Use after free in JS array sort
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Safari 8
Hardware: Unspecified Unspecified
: P2 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-08-08 17:22 PDT by Don Olmstead
Modified: 2018-02-16 13:40 PST (History)
4 users (show)

See Also:


Attachments
Example exploit (331 bytes, text/html)
2016-08-08 17:22 PDT, Don Olmstead
no flags Details
Fix for use after free (1.84 KB, patch)
2016-08-08 17:24 PDT, Don Olmstead
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Don Olmstead 2016-08-08 17:22:56 PDT
Created attachment 285614 [details]
Example exploit

A use after free occurs in the sort of the JS array. In the attached exploit `z.toString()` was evaluated and a new element was pushed to W in the function triggering a growth and reallocation of the array. However it tried to write the sorted elements onto the old already freed memory. The patch updates the location of `data` before writing to it.

This bug was present from revisions 130826 to 183570. It has not been exploitable for awhile but is being reported in case there are other places that may have similar issues, and so a test case might be implemented to ensure it doesn't crop up again.
Comment 1 Radar WebKit Bug Importer 2016-08-08 17:23:21 PDT
<rdar://problem/27757708>
Comment 2 Don Olmstead 2016-08-08 17:24:48 PDT
Created attachment 285617 [details]
Fix for use after free
Comment 3 Don Olmstead 2016-08-08 17:26:00 PDT
Fixed in 183570
Comment 4 Brent Fulgham 2016-08-08 17:27:33 PDT
Fix committed in r183570 <https://trac.webkit.org/changeset/183570/>.
Comment 5 Brent Fulgham 2016-08-10 13:09:04 PDT
Note: We should turn the exploit example into a test case so we can guard against this in the future.
Comment 6 Brent Fulgham 2016-08-10 13:24:08 PDT
Test case added:
Committed in r204344 <https://trac.webkit.org/changeset/204344>.
Comment 7 Brent Fulgham 2018-02-16 13:40:25 PST
This fix shipped a few years ago, opening for public access.