WebKit Bugzilla
RESOLVED FIXED
276934
ASSERTION FAILED: isCell() WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(598) : JSC::JSCell* JSC::JSValue::asCell() const
https://bugs.webkit.org/show_bug.cgi?id=276934
Jikai Ren
Reported
2024-07-23 01:15:38 PDT
PoC:

```javascript
// runString() is a helper of the jsc command-line shell, not a standard JS function
function F() { return runString(); }
class C extends F { "undefined" = this; }
new C();
```

TARGET ARGS: `WebKitBuild/JSCOnly/Debug/bin/jsc PoC.js`

Output:

```
ASSERTION FAILED: isCell() /home/jack/JavaScriptEngine/WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(598) : JSC::JSCell* JSC::JSValue::asCell() const
1 0x7f8c9519fc3d /home/jack/JavaScriptEngine/WebKit/WebKitBuild/JSCOnly/Debug/lib/libJavaScriptCore.so.1(+0x214ec3d) [0x7f8c9519fc3d]
2 0x7f8c9519e241 /home/jack/JavaScriptEngine/WebKit/WebKitBuild/JSCOnly/Debug/lib/libJavaScriptCore.so.1(+0x214d241) [0x7f8c9519e241]
3 0x7f8c9683c6b5 /home/jack/JavaScriptEngine/WebKit/WebKitBuild/JSCOnly/Debug/lib/libJavaScriptCore.so.1(+0x37eb6b5) [0x7f8c9683c6b5]
4 0x7f8c9509a28d /home/jack/JavaScriptEngine/WebKit/WebKitBuild/JSCOnly/Debug/lib/libJavaScriptCore.so.1(+0x204928d) [0x7f8c9509a28d]
Aborted (core dumped)
```

Seems that `runString()` returns a realm and something magic happened on the realm, which caused `baseValue` in `slow_path_put_by_id` to be `0xa`.
Radar WebKit Bug Importer
Comment 1
2024-07-23 01:15:51 PDT
<rdar://problem/132305364>
Jikai Ren
Comment 2
2024-07-23 01:17:13 PDT
Reproduce with latest WebKit.
Keith Miller
Comment 3
2024-08-19 10:26:30 PDT
Hi, thanks for the report. I don't know if this is a security issue for a few reasons:

1) runString() is needed to return a direct pointer to the GlobalObject instead of the globalThis(), which isn't normally possible in JS. runString() is also only part of the cli not part of WebKit proper.

2) In and of itself we'd probably still consider an exploit if an attacker got ahold of the GlobalObject rather than the globalThis and could do bad things, however this crash is just effectively a nullptr dereference (the zero page is never mapped on most platforms).

3) F should always return an object since it's called as a constructor. Normally, if a constructor returns a non-object the this value is returned instead. Since a GlobalObject is an object we happily return it.

4) C's ToThis will convert a GlobalObject to undefined since it's strict then we try to do a put_by_id_direct on this which expects an object. That said, a raw globalObject is the only way to get an undefined into this inside a class body, which isn't normally possible in JS.

That said, we should just have runString() return the GlobalThis proxy like other places do. This should also prevent fuzzers from crashing here too in the future.
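The two language rules comment 3 relies on (a constructor's non-object return value is discarded in favour of `this`, and strict-mode functions do not box an `undefined` receiver) can be checked with plain JavaScript that needs no jsc-only helper. The following is an added example, not code from the bug report or from WebKit; it reuses the PoC's `"undefined" = this` field shape but replaces `runString()` with ordinary constructors (`returnsPrimitive`, `returnsObject`), which are assumed names for illustration.

```javascript
// Added example (not from the bug report): why `this` inside a class body is
// always an object in standard JS, which is the invariant the PoC breaks.

// A base constructor that returns a primitive: `new` ignores the 42 and hands
// back the freshly allocated `this` object instead (comment 3, rule "non-object
// return -> this value is returned").
function returnsPrimitive() {
  return 42;
}

// A base constructor that returns an object: that object *replaces* `this`.
function returnsObject() {
  return { marker: "replacement" };
}

// Same field shape as the PoC. In both derived classes the field initializer
// runs with an object as `this`, so the define-own-property succeeds.
class FromPrimitive extends returnsPrimitive {
  "undefined" = this;
}

class FromObject extends returnsObject {
  "undefined" = this;
}

function constructFromPrimitive() {
  const c = new FromPrimitive();
  return {
    isObject: typeof c === "object" && c !== null,
    fieldIsSelf: c["undefined"] === c,      // field was defined on the instance
    isInstance: c instanceof FromPrimitive, // the allocated `this` survived
  };
}

function constructFromObject() {
  const c = new FromObject();
  return {
    isObject: typeof c === "object" && c !== null,
    fieldIsSelf: c["undefined"] === c,
    replaced: c.marker === "replacement",   // super() returned the literal
    isInstance: c instanceof FromObject,    // false: its prototype is Object.prototype
  };
}

// ToThis behaviour that comment 4 refers to. `new Function` builds sloppy-mode
// functions regardless of the enclosing file's mode, so the contrast is
// reproducible whether this file is run as a script or a module.
const sloppyThis = new Function("return this;");
const strictThis = new Function("'use strict'; return this;");

function thisCoercion() {
  return {
    sloppyBoxesUndefined: sloppyThis.call(undefined) === globalThis,
    strictKeepsUndefined: strictThis.call(undefined) === undefined,
  };
}

// Stand-alone run: print the three result objects.
if (typeof require !== "undefined" && require.main === module) {
  console.log(constructFromPrimitive(), constructFromObject(), thisCoercion());
}
```

The point for a reader of the report: without an engine-internal object such as the raw GlobalObject leaking into script, there is no sequence of ordinary constructor returns that puts a non-object into `this` during class field initialization, which is why the fix targets the CLI helper rather than the field-definition path.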
Keith Miller
Comment 4
2024-08-19 11:10:38 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/32394
EWS
Comment 5
2024-08-19 12:59:28 PDT
Committed 282453@main (22b1c6974350): <https://commits.webkit.org/282453@main>

Reviewed commits have been landed. Closing PR #32394 and removing active labels.