[Webkit-unassigned] [Bug 212460] New: fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) in jsc.cpp

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 28 05:01:15 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=212460

            Bug ID: 212460
           Summary: fillBufferWithContentsOfFile<WTF::Vector<char> >
                    (buffer=..., file=0x5555556341f0) in jsc.cpp
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: v.owl337 at gmail.com

Created attachment 400443

  --> https://bugs.webkit.org/attachment.cgi?id=400443&action=review

poc.js

Description of problem:

The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948


How reproducible:

./jsc poc.js

(gdb) bt
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff2465801 in __GI_abort () at abort.c:79
#2  0x00005555555d5f61 in WTF::VectorBufferBase<char, WTF::FastMalloc>::allocateBuffer (newCapacity=<optimized out>, this=0x7fffffb1dc70)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:289
#3  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity (newCapacity=<optimized out>, this=0x7fffffb1dc70)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:1190
#4  WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity (this=0x7fffffb1dc70, 
    newMinCapacity=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1048
#5  0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::resize (size=9223372036854775807, 
    this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1099
#6  fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) at ../../Source/JavaScriptCore/jsc.cpp:948
#7  fillBufferWithContentsOfFile (fileName=..., buffer=...) at ../../Source/JavaScriptCore/jsc.cpp:961
#8  0x00005555555fc785 in fetchScriptFromLocalFileSystem (buffer=..., fileName=...) at ../../Source/JavaScriptCore/jsc.cpp:969
#9  functionRun (globalObject=0x7fffaedfab68, callFrame=0x7fffffb1dd00) at ../../Source/JavaScriptCore/jsc.cpp:1473
The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948

 937 static bool fillBufferWithContentsOfFile(FILE* file, Vector& buffer)
 938 {
 939     // We might have injected "use strict"; at the top.
 940     size_t initialSize = buffer.size();
 941     if (fseek(file, 0, SEEK_END) == -1)
 942         return false;
 943     long bufferCapacity = ftell(file);
 944     if (bufferCapacity == -1)
 945         return false;
 946     if (fseek(file, 0, SEEK_SET) == -1)
 947         return false;
 948     buffer.resize(bufferCapacity + initialSize);
 949     size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
 950     return readSize == buffer.size() - initialSize;
 951 }
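The trace shows resize() being handed 9223372036854775807 bytes straight from ftell(); the reader below is an added example (not WebKit code) of the same routine with the length validated before the vector is asked to grow, using std::vector<char> in place of WTF::Vector. kMaxScriptBytes is a hypothetical cap chosen for illustration.

```cpp
// Added example: bounds-checked variant of fillBufferWithContentsOfFile().
#include <cstdio>
#include <limits>
#include <string>
#include <vector>
#include <sys/stat.h>

// Hypothetical upper bound on a script file; a real host picks its own.
static const long kMaxScriptBytes = 64L * 1024 * 1024;

// Reads the whole file into buffer after any existing prefix, refusing
// lengths that ftell() cannot be trusted for or that exceed the cap.
static bool fillBufferChecked(FILE* file, std::vector<char>& buffer)
{
    size_t initialSize = buffer.size();  // e.g. an injected "use strict";
    struct stat st;
    if (fstat(fileno(file), &st) != 0 || !S_ISREG(st.st_mode))
        return false;                    // pipes/devices: no meaningful length
    if (fseek(file, 0, SEEK_END) == -1)
        return false;
    long length = ftell(file);
    if (length < 0 || length > kMaxScriptBytes)
        return false;                    // rejects the LONG_MAX seen in the trace
    if (fseek(file, 0, SEEK_SET) == -1)
        return false;
    size_t want = static_cast<size_t>(length);
    if (want > std::numeric_limits<size_t>::max() - initialSize)
        return false;                    // bufferCapacity + initialSize cannot wrap
    buffer.resize(initialSize + want);
    size_t readSize = fread(buffer.data() + initialSize, 1, want, file);
    return readSize == want;             // read exactly the bytes we reserved
}

// Self-check: write constructed contents to a temp file, read them back
// behind a prefix, and return the combined buffer ("" on failure).
static std::string readBack(const std::string& contents, const std::string& prefix)
{
    FILE* f = tmpfile();
    if (!f)
        return std::string();
    fwrite(contents.data(), 1, contents.size(), f);
    fflush(f);
    std::vector<char> buffer(prefix.begin(), prefix.end());
    bool ok = fillBufferChecked(f, buffer);
    fclose(f);
    return ok ? std::string(buffer.begin(), buffer.end()) : std::string();
}
```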
Additional info:

This vulnerability was detected by chong from OWL337.
