[webkit-help] A Webkit exploit - Apple Safari Heap Buffer Overflow

Sharma, Rupali rupsharma at ea.com
Wed Dec 9 10:18:33 PST 2015


A Webkit exploit was reported where WebKit implementation was vulnerable to ROP(return oriented programming) attacks. Here are the details: https://www.exploit-db.com/exploits/28081/.
However, we are interested in knowing which revision of WebKit has the fix for resolving this vulnerability.

Digging more info, we found that the exploit was due to an heap buffer overflow issue in JavaScriptCore JSArray::Sort() method.

The heap memory buffer overflow vulnerability exists within the WebKit's
JavaScriptCore JSArray::sort(...) method.  This method accepts the user-defined
JavaScript function and calls it from the native code to compare array items.
If this compare function reduces array length, then the trailing array items
will be written outside the "m_storage->m_vector[]" buffer, which leads to the
heap memory corruption.

The exploit for this vulnerability is a JavaScript code which shows how to
use it for memory corruption of internal JS objects (Unit32Array and etc.)
and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted
into the JS code).

So our question is, can point us to the fix (i.e. changelist/revision) which patched this exploit?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-help/attachments/20151209/dcb1a869/attachment.html>

More information about the webkit-help mailing list