PoC Reproduction in version Safari-614.1.9

This commit is contained in:
Jack Ren
2022-12-14 12:29:48 +08:00
commit f6094610c5
3 changed files with 184 additions and 0 deletions


@@ -0,0 +1,139 @@
diff --git a/.gitignore b/.gitignore
index f1dbddf346c9..1aae9461405e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
.DS_Store
.directory
/WebKitBuild/
+/Output*/
/test262-results/
autoinstall.cache.d
project.xcworkspace
diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
index 67b010bc2f21..757f15597bfa 100644
--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -283,7 +283,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
case ArithAbs:
if (node->child1().useKind() == Int32Use || node->child1().useKind() == DoubleRepUse)
- def(PureValue(node, node->arithMode()));
+ def(PureValue(node));
else
clobberTop();
return;
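Review bot: Dropping `node->arithMode()` from the `PureValue` key on the `def(...)` line (and again in the next hunk at `@@ -299`) makes CSE treat two nodes that differ only in arithmetic mode as the same value, which is presumably the behaviour this reproduction relies on, yet nothing in the patch says so. Because this is a deliberate revert of a correctness fix rather than something anyone should merge, mark it at the edit site so the hunk cannot be mistaken for a cleanup, e.g. `// PoC-only: arithMode intentionally omitted from the CSE key; never apply to a shipping build.`. clobberize() begins and ends outside both hunks.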
@@ -299,7 +299,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
if (node->child1().useKind() == Int32Use
|| node->child1().useKind() == DoubleRepUse
|| node->child1().useKind() == Int52RepUse)
- def(PureValue(node, node->arithMode()));
+ def(PureValue(node));
else
clobberTop();
return;
diff --git a/Source/JavaScriptCore/runtime/JSCast.h b/Source/JavaScriptCore/runtime/JSCast.h
index a6993159099c..1608afc0ff8f 100644
--- a/Source/JavaScriptCore/runtime/JSCast.h
+++ b/Source/JavaScriptCore/runtime/JSCast.h
@@ -33,12 +33,14 @@ template<typename To, typename From>
inline To jsCast(From* from)
{
static_assert(std::is_base_of<JSCell, typename std::remove_pointer<To>::type>::value && std::is_base_of<JSCell, typename std::remove_pointer<From>::type>::value, "JS casting expects that the types you are casting to/from are subclasses of JSCell");
+/*
#if (ASSERT_ENABLED || ENABLE(SECURITY_ASSERTIONS)) && CPU(X86_64)
if (from && !from->JSCell::inherits(from->JSCell::vm(), std::remove_pointer<To>::type::info()))
reportZappedCellAndCrash(*from->JSCell::heap(), from);
#else
ASSERT_WITH_SECURITY_IMPLICATION(!from || from->JSCell::inherits(from->JSCell::vm(), std::remove_pointer<To>::type::info()));
#endif
+*/
return static_cast<To>(from);
}
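Review bot: Commenting out the `#if ... #endif` block between the `static_assert` and the `return` turns `jsCast` into an unchecked `static_cast` even in builds where `ASSERT_ENABLED` or `SECURITY_ASSERTIONS` is on; the same applies to the `jsCast(JSValue)` hunk at `@@ -46` and the `ASSERT_UNUSED` line at `@@ -142`. That may be acceptable for a reproduction build, but the patch gives no indication that these are defence-in-depth type checks being removed rather than dead code, and a reader diffing a tree with this applied cannot tell intent from leftover. Put the reason on each opening comment, e.g. `/* PoC-only: JSCell type-check assertions disabled for this reproduction; never apply to a production build`. If the build configuration allows it, leaving the header untouched and building with those assertion macros off is the less invasive way to get the same effect.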
@@ -46,6 +48,7 @@ template<typename To>
inline To jsCast(JSValue from)
{
static_assert(std::is_base_of<JSCell, typename std::remove_pointer<To>::type>::value, "JS casting expects that the types you are casting to is a subclass of JSCell");
+/*
#if (ASSERT_ENABLED || ENABLE(SECURITY_ASSERTIONS)) && CPU(X86_64)
ASSERT_WITH_SECURITY_IMPLICATION(from.isCell());
JSCell* cell = from.asCell();
@@ -54,6 +57,7 @@ inline To jsCast(JSValue from)
#else
ASSERT_WITH_SECURITY_IMPLICATION(from.isCell() && from.asCell()->JSCell::inherits(from.asCell()->vm(), std::remove_pointer<To>::type::info()));
#endif
+*/
return static_cast<To>(from.asCell());
}
@@ -142,7 +146,7 @@ inline bool inheritsJSTypeImpl(VM& vm, From* from, JSTypeRange range)
static_assert(std::is_base_of<JSCell, Target>::value && std::is_base_of<JSCell, typename std::remove_pointer<From>::type>::value, "JS casting expects that the types you are casting to/from are subclasses of JSCell");
bool canCast = range.contains(from->type());
// Do not use inherits<Target>(vm) since inherits<T> depends on this function.
- ASSERT_UNUSED(vm, canCast == from->JSCell::inherits(vm, Target::info()));
+ // ASSERT_UNUSED(vm, canCast == from->JSCell::inherits(vm, Target::info()));
return canCast;
}
diff --git a/Source/JavaScriptCore/runtime/WriteBarrier.h b/Source/JavaScriptCore/runtime/WriteBarrier.h
index 383f72d04f1e..e24843e22c64 100644
--- a/Source/JavaScriptCore/runtime/WriteBarrier.h
+++ b/Source/JavaScriptCore/runtime/WriteBarrier.h
@@ -53,6 +53,7 @@ template<> class WriteBarrierBase<JSValue>;
JS_EXPORT_PRIVATE void slowValidateCell(JSCell*);
JS_EXPORT_PRIVATE void slowValidateCell(JSGlobalObject*);
+/*
#if ENABLE(GC_VALIDATION)
template<class T> inline void validateCell(T cell)
{
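Review bot: The `/*` opened after `slowValidateCell(JSGlobalObject*);` is only closed by the `*/` in the next hunk at `@@ -69`, so if any of the old lines 60–68 that lie between the two hunks contain a `*/` of their own (I cannot see them from here), the comment ends early and the header no longer compiles. C block comments do not nest, whereas the preprocessor does, so disabling code that itself contains `#if`/`#else`/`#endif` is safer with `#if 0`: replace the opening `/*` with `#if 0`, and replace the closing `*/` with two lines, `#endif` (closing the original `#if ENABLE(GC_VALIDATION)`/`#else` pair) followed by `#endif` (closing the `#if 0`), keeping the `//#endif` change as is. The net effect either way is that `validateCell` is an empty stub regardless of `ENABLE(GC_VALIDATION)`, which is the same as building with that option off; a one-line comment saying this is a reproduction-only change would help whoever next reads the header.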
@@ -69,10 +70,11 @@ template<> inline void validateCell<JSGlobalObject*>(JSGlobalObject* globalObjec
slowValidateCell(globalObject);
}
#else
+*/
template<class T> inline void validateCell(T)
{
}
-#endif
+//#endif
// We have a separate base class with no constructors for use in Unions.
template <typename T, typename Traits> class WriteBarrierBase {
diff --git a/Source/bmalloc/bmalloc/Gigacage.cpp b/Source/bmalloc/bmalloc/Gigacage.cpp
index d10214881d9b..b47532b5e3ed 100644
--- a/Source/bmalloc/bmalloc/Gigacage.cpp
+++ b/Source/bmalloc/bmalloc/Gigacage.cpp
@@ -135,6 +135,7 @@ void ensureGigacage()
// largest value of n so that n! <= 2^64.
static_assert(NumberOfKinds <= 21, "too many kinds");
uint64_t random;
+ /*
cryptoRandom(reinterpret_cast<unsigned char*>(&random), sizeof(random));
for (unsigned i = NumberOfKinds; i--;) {
unsigned limit = i + 1;
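Review bot: `uint64_t random;` stays live as a context line while every write and read of it now sits inside the comment that runs from `/*` to the `*/` in the next hunk at `@@ -142`, so the variable is declared, never initialised and never used; with `-Wunused-variable` and warnings treated as errors this is likely to fail the build, and at best it is a leftover. Either move the comment opener one line up so the declaration is disabled with its uses, or remove the declaration in this hunk. Since the comment also removes the kind shuffle, presumably to make the Gigacage layout deterministic, say so where the comment opens, e.g. `/* PoC-only: Gigacage kind shuffle disabled for this reproduction; never ship. ` so the missing randomisation is visibly intentional. ensureGigacage() begins and ends outside both hunks.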
@@ -142,7 +143,7 @@ void ensureGigacage()
random /= limit;
std::swap(shuffledKinds[i], shuffledKinds[j]);
}
-
+ */
auto alignTo = [] (Kind kind, size_t totalSize) -> size_t {
return roundUpToMultipleOf(alignment(kind), totalSize);
};
diff --git a/Source/bmalloc/bmalloc/VMAllocate.h b/Source/bmalloc/bmalloc/VMAllocate.h
index de8e8b2589f4..1138135fe640 100644
--- a/Source/bmalloc/bmalloc/VMAllocate.h
+++ b/Source/bmalloc/bmalloc/VMAllocate.h
@@ -123,7 +123,9 @@ inline void vmValidatePhysical(void* p, size_t vmSize)
inline void* tryVMAllocate(size_t vmSize, VMTag usage = VMTag::Malloc)
{
vmValidate(vmSize);
- void* result = mmap(0, vmSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON | BMALLOC_NORESERVE, static_cast<int>(usage), 0);
+ static long long mmapPrefix = 1;
+ void* result = mmap((void*)(mmapPrefix*0x10000000000ll), vmSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON | BMALLOC_NORESERVE, static_cast<int>(usage), 0);
+ mmapPrefix++;
if (result == MAP_FAILED)
return nullptr;
return result;
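Review bot: `static long long mmapPrefix = 1;` followed by `mmapPrefix++` is an unsynchronised function-local static, so if `tryVMAllocate` can be reached from more than one thread this is a data race (undefined behaviour), and two threads can hand the same hint to `mmap`. The hint is passed without `MAP_FIXED`, so the kernel is free to return a different address; if the reproduction depends on placement, the returned `result` should be compared against the hint rather than assumed. A minimal repair, with `<atomic>` included, is `static std::atomic<long long> mmapPrefix { 1 };` and `void* hint = reinterpret_cast<void*>(mmapPrefix.fetch_add(1) * 0x10000000000ll);`, which also drops the C-style `(void*)` cast. Because this replaces randomised mapping placement with a predictable sequence, the hunk should carry a comment stating it is reproduction-only and must never be built into anything shipped.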