[Webkit-unassigned] [Bug 257312] New: Memory crash error. jsc shell execution of a specific js statement causes an abnormal memory crash.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 25 00:49:32 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=257312

            Bug ID: 257312
           Summary: Memory crash error. jsc shell execution of a specific
                    js statement causes an abnormal memory crash.
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 824870754 at qq.com

jsc lacks a memory request check and interrupt mechanism for specific statements, allowing attackers to design js statements that trigger jsc shell crashes and program deadlocks. The trigger code is as follows:
// Outer loop: the generated source is built, evaluated and mutated 100 times.
for (let v0 = 0; v0 < 100; v0++) {
    const v1 = `
        const v3 = new Uint8ClampedArray();
        v3.__proto__;
        const o6 = {
            "maxByteLength": 12515763,
        };
        function f7(a8, a9) {
            with (v1) {
            }
            const v10 = \`
                115120.85238135792;
                v10.replace(v0, EvalError);
            \`;
            const v16 = eval(v10).toLocaleLowerCase();
            try {
                eval(v16);
            } catch(e18) {
            }
            return v1;
        }
        const v19 = \`
            function f20(a21, a22) {
                class C23 {
                    constructor(a25, a26, a27, a28) {
                    }
                    getInt32(a30, ...a31) {
                    }
                }
                return v19;
            }
            v19.replace(v0, v19);
        \`;
        const v35 = eval(v19).toLocaleLowerCase();
        try {
            eval(v35);
        } catch(e37) {
        }
        v1.replace(v0, v1);
    `;
    // eval(v1) returns v1 with the first occurrence of the loop index replaced by
    // the whole source text; that copy is lowercased and evaluated again, and
    // whatever it throws is swallowed by the catch.
    const v41 = eval(v1).toLocaleLowerCase();
    try {
        const v42 = eval(v41);
        Reflect.deleteProperty(Object.freeze(v0), v0);
        Object.freeze(v42);
    } catch(e49) {
    }
    for (let v50 = 0; v50 < 100; v50++) {
    }
    // A ~10 MB ArrayBuffer is allocated on every iteration. The byte offset
    // equals the buffer length and is not a multiple of 8, so the Float64Array
    // constructor throws a RangeError that the catch swallows.
    try {
        const v53 = new ArrayBuffer(10567071);
        const v55 = new Float64Array(v53, 10567071);
    } catch(e56) {
    }
}

shell ARGS: Debug/bin/jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --reprl

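The "shell ARGS" line gives the jsc invocation but not how to tell a crash from the "deadlock" the report also mentions. The script below is an added reproduction and triage harness, not part of the bug report or of WebKit. It assumes a jsc binary path (such as Debug/bin/jsc), the trigger saved to a .js file, and GNU coreutils timeout(1); it reuses the report's flags except --reprl, which is the Fuzzilli REPRL mode and expects control pipes rather than a script argument, and the 60-second limit and log-file name are arbitrary defaults.

```shell
#!/bin/sh
# Reproduction/triage harness for the jsc crash report above (added example,
# not from the report or from WebKit). Assumptions: a jsc binary path, the
# trigger saved to a .js file, GNU coreutils timeout(1). Flags are the report's
# "shell ARGS" minus --reprl (Fuzzilli REPRL mode, needs control pipes).

JSC_FLAGS="--validateOptions=true --thresholdForJITSoon=10 \
--thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 \
--thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 \
--thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 \
--validateBCE=true"

# Map the exit status of `timeout ... jsc ...` to a triage label.
# timeout(1) exits 124 when it had to stop the child with SIGTERM; a child that
# died from signal N (including SIGKILL from `timeout -k` or the OOM killer)
# is reported as 128+N, as a shell would report it.
classify_status() {
  st=$1
  case "$st" in
    0)   echo "ok" ;;
    124) echo "timeout" ;;          # hang or runaway loop (the "deadlock" case)
    134) echo "crash:SIGABRT" ;;    # abort(), e.g. a failed assertion in a Debug build
    139) echo "crash:SIGSEGV" ;;    # bad memory access
    132) echo "crash:SIGILL" ;;
    133) echo "crash:SIGTRAP" ;;
    136) echo "crash:SIGFPE" ;;
    137) echo "killed:SIGKILL" ;;   # `timeout -k` fired, or the OOM killer did
    *)
      if [ "$st" -gt 128 ]; then
        echo "signal:$((st - 128))"
      else
        echo "error:exit$st"        # jsc exited on its own with a non-zero status
      fi ;;
  esac
}

# Run one case with the report's flags under a wall-clock limit. stdout/stderr
# (where a Debug build prints its assertion message) go to $log; the triage
# label is printed. The `|| st=$?` keeps this correct under `set -e`.
run_case() {
  jsc=$1; case_js=$2; limit=${3:-60}; log=${4:-jsc-run.log}
  st=0
  timeout -k 5 "$limit" "$jsc" $JSC_FLAGS "$case_js" >"$log" 2>&1 || st=$?
  classify_status "$st"
}

# Usage: sh repro.sh Debug/bin/jsc trigger.js [seconds] [logfile]
if [ $# -ge 2 ]; then
  run_case "$@"
fi
```

A "timeout" label is the signature of the deadlock the reporter describes; a "crash:SIGABRT" or "crash:SIGSEGV" label means the run ended in a signal, and the first lines of the log file will carry the Debug build's assertion text or crash message for the bug tracker. Because the trigger already loops 100 times internally, one run is normally enough; rerun with a longer limit before concluding that a slow Debug build is hung.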