WebKit Bugzilla
RESOLVED FIXED
301178
Assertion Failure in PageCount::fromBytes() via Malicious maxByteLength (Potential DoS)
https://bugs.webkit.org/show_bug.cgi?id=301178
gandalf4a
Reported
2025-10-21 01:44:26 PDT
Created attachment 477158 [details]
poc_file.js

Credit: Gandalf4a of PKU-ICODE
Product: WebKit / JavaScriptCore
Code Version: commit 7fd0359ffa67a16628870bba5b09d84fd1db0a5c
Code Date: Sun Oct 19 22:52:43 2025 -0700
Affected Component: JavaScriptCore (JSC) – Memory Management (`PageCount`)
Build Configuration: ASan-enabled debug build (assertions enabled)
Severity: (Denial-of-Service in debug builds; potential undefined behavior in release)

---

### Summary

A controlled input to the `maxByteLength` property of resizable memory objects (e.g., `WebAssembly.Memory` or `ArrayBuffer`) can trigger an assertion failure in `PageCount::fromBytes()`, causing the JavaScriptCore engine to abort. This occurs when an excessively large value is provided, leading to an invalid page count during internal memory size validation.

While the crash is currently limited to assertion-enabled builds (e.g., debug or ASan builds), the lack of input validation prior to page-count conversion may result in undefined behavior or memory corruption in release builds under certain conditions.

---

### Steps to Reproduce

The following JavaScript snippet reliably triggers the assertion failure in an ASan-enabled JSC build: the attachment

### Crash Details

```
/home/gandalf/fuzz/fuzz_jsc/WebKit/build_asan/bin/jsc /home/gandalf/fuzz/fuzzilli/Targets/JavaScriptCore/out/crashes/program_20251021131017_8B665E35-6381-4268-AE29-A3EADD9410A3_deterministic.js
WARNING: ASAN interferes with JSC signal handlers; useWasmFastMemory and useWasmFaultSignalHandler will be disabled.
Fuzzer output channel not available, printing to stdout instead.
EXPLORE_ACTION: {"operation":"SET_PROPERTY","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"maxByteLength"}},{"argument":{"index":1}}],"isGuarded":false,"id":"v35"}
ASSERTION FAILED: PageCount::isValid(numPages)
build_asan/JavaScriptCore/PrivateHeaders/JavaScriptCore/PageCount.h(79) : static PageCount JSC::PageCount::fromBytes(uint64_t)
1 0x5f1470b3c6e0 /home/gandalf/fuzz/fuzz_jsc/WebKit/build_asan/bin/jsc(+0x6c136e0) [0x5f1470b3c6e0]
2 0x5f146eebf240 /home/gandalf/fuzz/fuzz_jsc/WebKit/build_asan/bin/jsc(+0x4f96240) [0x5f146eebf240]
3 0x5f146eeba41d /home/gandalf/fuzz/fuzz_jsc/WebKit/build_asan/bin/jsc(+0x4f9141d) [0x5f146eeba41d]
4 0x5f146eebf558 /home/gandalf/fuzz/fuzz_jsc/WebKit/build_asan/bin/jsc(+0x4f96558) [0x5f146eebf558]
5 0x5f146f3091c1 /home/gandalf/fuzz/fuzz_jsc/WebKit/build_asan/bin/jsc(+0x53e01c1) [0x5f146f3091c1]
6 0x769a50e0c3e7 [0x769a50e0c3e7]
已中止 (核心已转储)
```

The crash occurs because `numPages = bytes / pageSize` exceeds `PageCount`'s maximum representable value (`0xFFFFFFFF` pages), causing `PageCount::isValid()` to return false.

---

### Impact

- **Debug/ASan builds**: Immediate abort (Denial-of-Service).
- **Release builds**: Assertions are disabled, but the resulting invalid `PageCount` may lead to:
  - Integer truncation
  - Incorrect memory reservation
  - Potential heap corruption or out-of-bounds access (depending on downstream usage)

This could be exploitable in environments where untrusted JavaScript controls memory sizing parameters.

---

### Recommended Fix

Add explicit bounds checking **before** converting user-provided byte sizes to `PageCount`. For example:

```cpp
// In WebAssembly.Memory constructor or ArrayBuffer options parsing
if (maxByteLength > PageCount::max().bytes()) {
    throwException(..., "Maximum memory size exceeds engine limits");
    return;
}
```

Ensure all code paths that accept `maxByteLength` or similar size parameters validate against `PageCount::max().bytes()`.
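The report's bounds-check argument, carried through as an added, self-contained example (not JavaScriptCore's code and not the reporter's attachment): a simplified `PageCount` model whose unchecked `fromBytes()` aborts on an out-of-range page count, the same computation as a checked `tryFromBytes()` that reports failure instead, and a caller-side `validateMaxByteLength()` that applies the `maxByteLength > PageCount::max().bytes()` test before any conversion happens. The 64 KiB page size, the 32-bit page-count limit, and every function and type name here are assumptions chosen for illustration; the abort is a stand-in for the assertion in the trace above.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>

// Illustrative model of a page-count type (assumption: 64 KiB pages and a
// 32-bit page count, so at most 0xFFFFFFFF pages). Not JSC's PageCount.
class PageCount {
public:
    static constexpr uint64_t pageSize = 64 * 1024;
    static constexpr uint64_t maxPages = 0xFFFFFFFFull;

    static bool isValid(uint64_t numPages) { return numPages <= maxPages; }
    static PageCount max() { return PageCount(maxPages); }

    // Unchecked conversion, modelling the behaviour in the report: an invalid
    // page count terminates the process instead of being reported to the caller.
    static PageCount fromBytes(uint64_t bytes) {
        uint64_t numPages = bytes / pageSize;
        if (!isValid(numPages)) {
            std::fprintf(stderr, "ASSERTION FAILED: PageCount::isValid(numPages)\n");
            std::abort();
        }
        return PageCount(numPages);
    }

    // Checked conversion: identical arithmetic, but an out-of-range request
    // comes back as std::nullopt so the caller can raise a catchable error.
    static std::optional<PageCount> tryFromBytes(uint64_t bytes) {
        uint64_t numPages = bytes / pageSize;
        if (!isValid(numPages))
            return std::nullopt;
        return PageCount(numPages);
    }

    uint64_t bytes() const { return static_cast<uint64_t>(m_pages) * pageSize; }
    uint32_t pages() const { return m_pages; }

private:
    explicit PageCount(uint64_t pages) : m_pages(static_cast<uint32_t>(pages)) {}
    uint32_t m_pages;
};

// Result of validating a user-controlled maxByteLength before it reaches PageCount.
enum class SizeCheck { Ok, ExceedsEngineLimit };

struct ValidatedSize {
    SizeCheck status;
    uint32_t pages; // meaningful only when status == SizeCheck::Ok
};

// Caller-side check from the report's "Recommended Fix": reject anything above
// PageCount::max().bytes() first, so the unchecked fromBytes() can never be
// reached with a value whose page count fails isValid().
ValidatedSize validateMaxByteLength(uint64_t maxByteLength) {
    if (maxByteLength > PageCount::max().bytes())
        return { SizeCheck::ExceedsEngineLimit, 0 };
    // After the bounds check the page count is guaranteed to fit.
    std::optional<PageCount> pageCount = PageCount::tryFromBytes(maxByteLength);
    return { SizeCheck::Ok, pageCount->pages() };
}

int main() {
    // Constructed oversized request standing in for a hostile maxByteLength.
    const uint64_t requested = UINT64_MAX;
    ValidatedSize v = validateMaxByteLength(requested);
    std::printf("maxByteLength=%llu -> %s\n",
                static_cast<unsigned long long>(requested),
                v.status == SizeCheck::Ok ? "accepted" : "rejected: exceeds engine limits");
    return 0;
}
```

The boundary worth checking is `PageCount::max().bytes()` itself: exactly that many bytes converts to `0xFFFFFFFF` pages and is accepted, one byte more is rejected by the pre-check even though integer division would still yield a representable page count, which keeps the accepted range strictly inside what the engine can reserve.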
Attachments
poc_file.js (50.46 KB, text/javascript), 2025-10-21 01:44 PDT, gandalf4a
Radar WebKit Bug Importer
Comment 1
2025-10-21 01:44:32 PDT
<rdar://problem/163099450>
Shu-yu Guo
Comment 2
2025-10-23 15:53:30 PDT
This is a controlled RELEASE_ASSERT, and not a security bug.
Shu-yu Guo
Comment 3
2025-10-23 15:55:03 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/52914
EWS
Comment 4
2025-10-23 20:40:12 PDT
Committed 302068@main (db97275cee41): <https://commits.webkit.org/302068@main>

Reviewed commits have been landed. Closing PR #52914 and removing active labels.