Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 10 Nov 2016 15:07:51 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Heap read out-of-bounds parsing a Javascript file with
 the last revision of JavaScript Core

Hi,

We recently found a read out-of-bounds parsing JavaScript code in the last
revision of WebKit (
https://github.com/WebKit/webkit/commit/fcf81f3ad83cd910727c7a1824e50377a474c8f4).
I tested this issue in ArchLinux (x86_64) but other configurations could be
affected. To reproduce:

1. Recompile jsc with ASAN support.
2. Execute:

$ ./jsc red.-4050783292692436029.nkpzevdpie.js
...
=================================================================
==24637==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000014fc8 at pc 0x7ffff67f04b0 bp 0x7fffaccf8820 sp 0x7fffaccf8810
READ of size 16 at 0x603000014fc8 thread T2
==24637==AddressSanitizer: while reporting a bug found another one.
Ignoring.
    #0 0x7ffff67f04af in WTF::(anonymous namespace)::lockHashtable()
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x20cc4af)
    #1 0x7ffff67f1b6c in WTF::ParkingLot::parkConditionallyImpl(void
const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()>
const&, std::chrono::time_point<std::chrono::_V2::steady_clock,
std::chrono::duration<long, std::ratio<1l, 1000000000l> > >)
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x20cdb6c)
    #2 0x7ffff67cc1cb in std::_Function_handler<void (),
WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase>
const&)::{lambda()#1}>::_M_invoke(std::_Any_data const&)
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x20a81cb)
    #3 0x7ffff67f7da5 in WTF::threadEntryPoint(void*)
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x20d3da5)
    #4 0x7ffff685a530 in WTF::wtfThreadEntryPoint(void*)
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x2136530)
    #5 0x7ffff1df1453 in start_thread (/usr/lib/libpthread.so.0+0x7453)
    #6 0x7ffff0c017de in __GI___clone (/usr/lib/libc.so.6+0xe87de)

0x603000014fd0 is located 0 bytes to the right of 32-byte region
[0x603000014fb0,0x603000014fd0)
allocated by thread T2 here:
    #0 0x7ffff6efee60 in __interceptor_malloc
/build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7ffff686792f in bmalloc::Allocator::allocateSlowCase(unsigned
long)
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x214392f)

Thread T2 created by T0 here:
    #0 0x7ffff6e69498 in __interceptor_pthread_create
/build/gcc-multilib/src/gcc/libsanitizer/asan/asan_interceptors.cc:236
    #1 0x7ffff685b983 in WTF::createThreadInternal(void (*)(void*), void*,
char const*)
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x2137983)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/g/Work/Code/webkit-master/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18+0x20cc4af)
in WTF::(anonymous namespace)::lockHashtable()
Shadow bytes around the buggy address:
  0x0c067fffa9a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffa9f0: fa fa fa fa fa fa 00 00 00[00]fa fa fd fd fd fd
  0x0c067fffaa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaa10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaa20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24637==ABORTING

I'm forwarding this issue since i receive no answer from the Webkit
developers in more than 3 weeks. The original bug report (private) is here:

https://bugs.webkit.org/show_bug.cgi?id=164000

The reproducer are available upon request. Please assign a CVE if
necessary.

This issue was found using QuickFuzz.

Regards,
Gustavo.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.