多款Apple产品安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1611235 漏洞类型 缓冲区错误
发布时间 2019-05-22 更新时间 2019-06-06
CVE编号 CVE-2019-8622 CNNVD-ID CNNVD-201905-532
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019050244
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201905-532
|漏洞详情
Apple iOS等都是美国苹果(Apple)公司的产品。Apple iOS是一套为移动设备所开发的操作系统。Apple tvOS是一套智能电视操作系统。Apple macOS Mojave是一套专为Mac计算机所开发的专用操作系统。 多款Apple产品中的WebKit组件存在缓冲区错误漏洞。该漏洞源于网络系统或产品在内存上执行操作时,未正确验证数据边界,导致向关联的其他内存位置上执行了错误的读写操作。攻击者可利用该漏洞导致缓冲区溢出或堆溢出等。以下产品及版本受到影响:Apple iOS 12.3之前版本;macOS Mojave 10.14.5之前版本;tvOS 12.3之前版本;Safari 12.1.1之前版本,watchOS 5.2.1之前版本。
|漏洞EXP
JSC: DFG's doesGC() is incorrect about the HasIndexedProperty operation's behaviour on StringObjects 

Related CVE Numbers: CVE-2019-8622.


See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue.

The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection (GC) during its execution [1]. With this, it is then possible for the compiler to determine whether there could be a GC between point A and point B in a function, which in turn can be used to omit write barriers (see e.g. https://v8.dev/blog/concurrent-marking#reducing-marking-pause for an explanation of write barriers) [2]. For example, in case an (incremental) GC cannot happen between an allocation of an object and a property store to it, the write barrier after the property store can be omitted (because in that case the newly allocated object could not already have been marked, so must be white). However, if the analysis is incorrect and a GC can happen in between, then the emitted code can cause use-after-free issues, e.g. if an unmarked (white) object is assigned as property to an object that was marked during an unexpected GC (and is thus black).

Since commit 9725889d5172a204aa1120e06be9eab117357f4b [3] \"Add code to validate expected GC activity modelled by doesGC() against what the runtime encounters\", JSC, in debug builds, asserts that the information computed by doesGC is correct: \"In DFG::SpeculativeJIT::compile() and FTL::LowerDFGToB3::compileNode(), before emitting code / B3IR for each DFG node, we emit a write to set Heap::m_expectDoesGC to the value returned by doesGC() for that node. In the runtime (i.e. in allocateCell() and functions that can resolve a rope), we assert that Heap::m_expectDoesGC is true.\". The following sample (found through fuzzing and then simplified), triggers such an assertion:

    function f(a) {
        return 0 in a;
    }
    for (let i = 0; i < 100000; i++) {
        const s = new String('asdf');
        s[42] = 'x';                   // Give it ArrayStorage
        f(s);
    }

Here, the `in` operation is converted to a HasIndexedProperty DFG operation [4]. Since the String object has ArrayStorage (due to the additional element), DFGClobberize will report that it does not write to the heap [5]. Afterwards, doesGC reports that the operation cannot trigger GC [6]. However, during the execution of the operation (in the DFG JIT implemented by a call to operationHasIndexedPropertyByInt [7]) the code ends up in JSString::getIndex (to determine whether the index is valid in the underlying string), which can end up flattening a rope string, thus causing a heap allocation and thus potentially causing garbage collection. This is where, in debug builds, the assertion fails:

    ASSERTION FAILED: vm()->heap.expectDoesGC()
    ../../Source/JavaScriptCore/runtime/JSString.h(1023) : WTF::StringView JSC::JSString::unsafeView(JSC::ExecState *) const
    1   0x10d67e769 WTFCrash
    2   0x10bb6948b WTFCrashWithInfo(int, char const*, char const*, int)
    3   0x10bba9e59 JSC::JSString::unsafeView(JSC::ExecState*) const
    4   0x10bba9c6e JSC::JSString::getIndex(JSC::ExecState*, unsigned int)
    5   0x10c712a24 JSC::JSString::getStringPropertySlot(JSC::ExecState*, unsigned int, JSC::PropertySlot&)
    6   0x10d330b90 JSC::StringObject::getOwnPropertySlotByIndex(JSC::JSObject*, JSC::ExecState*, unsigned int, JSC::PropertySlot&)
    7   0x10bbaa368 JSC::JSObject::getPropertySlot(JSC::ExecState*, unsigned int, JSC::PropertySlot&)
    8   0x10d20d831 JSC::JSObject::hasPropertyGeneric(JSC::ExecState*, unsigned int, JSC::PropertySlot::InternalMethodType) const
    9   0x10c70132f operationHasIndexedPropertyByInt

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

[1] https://github.com/WebKit/webkit/blob/3d654baa90ee906da6de3a4f19eaa48b2e90a5bc/Source/JavaScriptCore/dfg/DFGDoesGC.cpp#L38
[2] https://github.com/WebKit/webkit/blob/3d654baa90ee906da6de3a4f19eaa48b2e90a5bc/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp#L442
[3] https://github.com/WebKit/webkit/commit/9725889d5172a204aa1120e06be9eab117357f4b
[4] https://github.com/WebKit/webkit/blob/3d654baa90ee906da6de3a4f19eaa48b2e90a5bc/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp#L1681
[5] https://github.com/WebKit/webkit/blob/3d654baa90ee906da6de3a4f19eaa48b2e90a5bc/Source/JavaScriptCore/dfg/DFGClobberize.h#L344
[6] https://github.com/WebKit/webkit/blob/3d654baa90ee906da6de3a4f19eaa48b2e90a5bc/Source/JavaScriptCore/dfg/DFGDoesGC.cpp#L198
[7] https://github.com/WebKit/webkit/blob/3d654baa90ee906da6de3a4f19eaa48b2e90a5bc/Source/JavaScriptCore/dfg/DFGOperations.cpp#L2073", "sequenceNum": 3, "timestamp": 1552319568}]"


Found by: saelo@google.com

|参考资料

来源:support.apple.com

链接:https://support.apple.com/en-au/HT210122


来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/152849/Apple-Security-Advisory-2019-5-13-5.html


来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/80842