[Webkit-unassigned] [Bug 199796] New: Found a bug while fuzzing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 15 04:29:35 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199796

            Bug ID: 199796
           Summary: Found a bug while fuzzing
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nine.twelve at foxmail.com

# env

ubuntu 18.04
webkit cb9ca26

# bug
It crashed in the function WTF::SymbolImpl:
    0x1ef6345 <WTF::SymbolImpl::create(WTF::StringImpl&)+5> push   r12
    0x1ef6347 <WTF::SymbolImpl::create(WTF::StringImpl&)+7> push   rbx
    0x1ef6348 <WTF::SymbolImpl::create(WTF::StringImpl&)+8> mov    r15, rsi
 →  0x1ef634b <WTF::SymbolImpl::create(WTF::StringImpl&)+11> mov    r14, rdi
    0x1ef634e <WTF::SymbolImpl::create(WTF::StringImpl&)+14> lea    rdi, [rip+0x9104a7]        # 0x28067fc
    0x1ef6355 <WTF::SymbolImpl::create(WTF::StringImpl&)+21> call   0x7b2890 <__sanitizer_cov_trace_pc_guard>
    0x1ef635a <WTF::SymbolImpl::create(WTF::StringImpl&)+26> mov    ebp, DWORD PTR [r15+0x10]
    0x1ef635e <WTF::SymbolImpl::create(WTF::StringImpl&)+30> mov    eax, ebp
    0x1ef6360 <WTF::SymbolImpl::create(WTF::StringImpl&)+32> and    eax, 0x3


The r15 here is NULL; it is passed from the PrivateName function. The rsi passed into this chunk is a value from the stack, and it is NULL.
$r14   : 0x00007fffffffc400  →  0x0000000000000000
When we checked the source code, we found that the JavaScript code triggered JavaScript's internal method Symbol::create(); this function allocates a new Symbol object and calls the Symbol function inside it:

    Symbol* Symbol::create(ExecState* exec, JSString* description)
    {
        VM& vm = exec->vm();
        String desc = description->value(exec);
        Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
        symbol->finishCreation(vm);
        return symbol;
    }

In this Symbol function, it calls another create function:

    enum DescriptionTag { Description };
    explicit PrivateName(DescriptionTag, const String& description)
        : m_uid(SymbolImpl::create(*description.impl()))
    {
    }

However, the rsi is NULL...
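Added illustration, not WebKit's code: a simplified model of the pattern the report describes, where Symbol::create takes the String returned by description->value(exec) and PrivateName dereferences its impl() without a null check. The ExecState, JSString, String and SymbolImpl types below are toy stand-ins, and the hardened createChecked is an assumption about how such a path would be guarded, not WebKit's fix.

```cpp
#include <memory>
#include <string>

struct StringImpl { std::string chars; };

// Stand-in for WTF::String: wraps a possibly-null impl pointer.
struct String {
    std::shared_ptr<StringImpl> m_impl;          // null for a "null string"
    StringImpl* impl() const { return m_impl.get(); }
    bool isNull() const { return !m_impl; }
};

// Stand-ins for ExecState/JSString: value() may fail and hand back a null String.
struct ExecState { bool hadException = false; };
struct JSString {
    std::string chars;
    bool failToResolve = false;                  // constructed failure switch for the demo
    String value(ExecState* exec) const {
        if (failToResolve) { exec->hadException = true; return String{nullptr}; }
        return String{std::make_shared<StringImpl>(StringImpl{chars})};
    }
};

struct SymbolImpl {
    std::string description;
    // Takes a reference, so the caller must already hold a valid impl.
    static std::unique_ptr<SymbolImpl> create(StringImpl& s) {
        return std::unique_ptr<SymbolImpl>(new SymbolImpl{s.chars});
    }
};

// Unchecked pattern from the report: *desc.impl() with a null impl is a null dereference.
std::unique_ptr<SymbolImpl> createUnchecked(ExecState* exec, const JSString* description) {
    String desc = description->value(exec);
    return SymbolImpl::create(*desc.impl());
}

// Hardened pattern (assumed, not WebKit's): bail out when value() failed, before forming the reference.
std::unique_ptr<SymbolImpl> createChecked(ExecState* exec, const JSString* description) {
    String desc = description->value(exec);
    if (exec->hadException || desc.isNull())
        return nullptr;                          // caller must treat this as failure
    return SymbolImpl::create(*desc.impl());
}

// Scenarios for stand-alone use: each returns true when the hardened path behaves as intended.
bool hardenedAcceptsGoodString() { ExecState e; JSString s{"gBxRp/rynU"}; auto r = createChecked(&e, &s); return r && r->description == "gBxRp/rynU"; }
bool hardenedRejectsNullString() { ExecState e; JSString s{"x", true}; return createChecked(&e, &s) == nullptr && e.hadException; }
```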

# poc

    function main() {
        function v3(v4, v5, v6, v7, v8) {
            'use strict';
            const v10 = Symbol(v6);                        // v6 becomes the Symbol description
            function v12(v13, v14, v15, v16, v17) {
                'use strict';
                const v20 = [-268435456, -3654755103];
                const v21 = [-3654755103, v20];
                let v24 = v21;
                const v25 = v24.toLocaleString();
                const v26 = v25.padEnd(2147483647, Promise);   // pads the string to a very large length
                const v27 = v3(Promise, "gBxRp/rynU", v26);    // re-enters v3 with v26 as the description
            }
            const v28 = new Promise(v12);
        }
        const v29 = new Promise(v3);
    }
    noDFG(main);   // jsc shell helpers: keep main() in the lower JIT tiers
    noFTL(main);
    main();
