PoC Reproduction in version Safari-614.1.9

Safari-614.1.9/PoC/README.md

@@ -0,0 +1,30 @@
+# Motivation
+The repository is for solving the following problem encountered in reproducing CVE-2020-9802 in the AFL crash exploring mode of fuzzing process.
+1. The `jsc` interpreter(Commit ID: `17218d1485b0f5d98d2aad116d4fdb2bad6aee2d`), whose version just before patching CVE-2020-9802, unexpected crash when receiving input don't conform to JavaScript language syntax.
+2. The heap allocator of JavaScriptCore is probabilistic, which lead to unstable crash in reproducing CVE-2020-9802 in JavaScriptCore. AFL even doesn't accept the PoC as seed as it doesn't produce crash in `perform_dry_run()`.
+
+# Solution
+1. JavaScriptCore was updated into the latest compilable version `Safari-614.1.9`. It won't crash when receiving input don't conform to JavaScript language syntax.
+2. The heap allocator of JavaScriptCore is modified to be deterministic.
+
+# Reproduction
+```bash
+export WEBKIT_PATH="WEBKIT_PATH" # Modify this to your WebKit directory path
+export AFL_PATH="AFL_PATH" # Modify this to your AFL directory path
+
+# Git Clone
+git clone https://github.com/WebKit/WebKit.git
+
+# Switch version and patch
+git checkout Safari-614.1.9
+patch -p1 -i CVE-2020-9802-Safari-614.1.9.patch
+
+# Static linking of JavaScriptCore
+# Build for tracing
+WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputTrace/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"
+# Build for fuzzing
+CC=$AFL_PATH/afl-gcc CXX=$AFL_PATH/afl-g++ WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputFuzz/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"
+
+# Deterministic Reproduction
+./jsc --useConcurrentJIT=false PoC.js
+```