Bug 289890 - RESOLVED FIXED
[WASM] SEGV in B3 ReduceStrength Optimization During Shl/SExt32 IR Node Handling
https://bugs.webkit.org/show_bug.cgi?id=289890
xiangwei1895
Reported 2025-03-17 03:51:55 PDT
Created attachment 474590: simplified poc

# What is required to reproduce the issue?

My environment: Ubuntu 22.04.2 LTS
https://github.com/WebKit/WebKit.git ec5c28c0e698b3cd3c028f50141923a95a29dcde

# Summary

A vulnerability has been identified in the JavaScriptCore engine where executing certain WebAssembly code causes a crash due to a null pointer dereference in the reduceValueStrength() function of B3ReduceStrength.cpp. Specifically, the optimizer fails to check for null pointers when accessing child nodes, leading to a segmentation fault at address 0x000000000030. This issue can be remotely triggered by specially crafted WebAssembly code, posing a security risk as it may allow attackers to crash the application or potentially execute arbitrary code.

# Steps to reproduce

1. **Execute the PoC:**

```bash
./jsc ./poc.js
```

# Expected results

Exit normally.

# Actual results

JavaScriptCore crashed with a segmentation fault:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2011591==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x56203613413f bp 0x7f66baaedb70 sp 0x7f66baaed6a0 T2)
==2011591==The signal is caused by a READ memory access.
==2011591==Hint: address points to the zero page.
    #0 0x56203613413f in JSC::B3::(anonymous namespace)::ReduceStrength::reduceValueStrength() /data/workspace/WebKit/Source/JavaScriptCore/b3/B3ReduceStrength.cpp:2043:101
    #1 0x56203610fb69 in JSC::B3::(anonymous namespace)::ReduceStrength::run() /data/workspace/WebKit/Source/JavaScriptCore/b3/B3ReduceStrength.cpp:548:21
    #2 0x56203610fb69 in JSC::B3::reduceStrength(JSC::B3::Procedure&) /data/workspace/WebKit/Source/JavaScriptCore/b3/B3ReduceStrength.cpp:3861:27
    #3 0x5620360eb762 in JSC::B3::generateToAir(JSC::B3::Procedure&) /data/workspace/WebKit/Source/JavaScriptCore/b3/B3Generate.cpp:86:9
    #4 0x5620360eb316 in JSC::B3::prepareForGeneration(JSC::B3::Procedure&) /data/workspace/WebKit/Source/JavaScriptCore/b3/B3Generate.cpp:60:5
    #5 0x562038ec14c5 in JSC::Wasm::parseAndCompileOMG(JSC::Wasm::CompilationContext&, JSC::Wasm::OptimizingJITCallee&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::CalleeGroup&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, JSC::Wasm::CompilationMode, JSC::Wasm::FunctionCodeIndex, std::optional<bool>, unsigned int) /data/workspace/WebKit/Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:5840:9
    #6 0x562038ee78bf in JSC::Wasm::OMGPlan::work() /data/workspace/WebKit/Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:138:34
    #7 0x562039192b0a in JSC::Wasm::Worklist::Thread::work() /data/workspace/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:114:15
    #8 0x5620395aa56a in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /data/workspace/WebKit/Source/WTF/wtf/AutomaticThread.cpp:225:37
    #9 0x5620395aa56a in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() /data/workspace/WebKit/Source/WTF/wtf/Function.h:53:39
    #10 0x5620396390cb in WTF::Function<void ()>::operator()() const /data/workspace/WebKit/Source/WTF/wtf/Function.h:82:35
    #11 0x5620396390cb in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /data/workspace/WebKit/Source/WTF/wtf/Threading.cpp:268:5
    #12 0x5620399d9ed3 in WTF::wtfThreadEntryPoint(void*) /data/workspace/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241:5
    #13 0x562033953558 in asan_thread_start(void*) crtstuff.c
    #14 0x7f6706df0ac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: cd410b710f0f094c6832edd95931006d883af48e)
    #15 0x7f6706e8284f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f) (BuildId: cd410b710f0f094c6832edd95931006d883af48e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/workspace/WebKit/Source/JavaScriptCore/b3/B3ReduceStrength.cpp:2043:101 in JSC::B3::(anonymous namespace)::ReduceStrength::reduceValueStrength()
```

# Credit

Xiangwei Zhang of Tencent Security YUNDING LAB
Attachments
simplified poc (73.50 KB, text/x-csrc) - 2025-03-17 03:51 PDT, xiangwei1895
poc (2.26 KB, text/plain) - 2025-03-17 03:52 PDT, xiangwei1895
Radar WebKit Bug Importer
Comment 1 2025-03-17 03:52:05 PDT
xiangwei1895
Comment 2 2025-03-17 03:52:20 PDT
Yusuke Suzuki
Comment 3 2025-03-27 15:01:48 PDT
ToT issue, let's just fix it in ToT.
Vassili Bykov
Comment 4 2025-03-27 15:19:15 PDT
EWS
Comment 5 2025-03-28 20:14:56 PDT
Committed 292876@main (9e460d82de2e): <https://commits.webkit.org/292876@main> Reviewed commits have been landed. Closing PR #43141 and removing active labels.
EWS
Comment 6 2025-04-02 15:08:27 PDT
Committed 289651.388@safari-7621-branch (1d355b86897b): <https://commits.webkit.org/289651.388@safari-7621-branch> Reviewed commits have been landed. Closing PR #2940 and removing active labels.