Vulnerability-Analysis/CVE-2020-9802
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f6094610c577e60bf1685be231e38a214c9be919
CVE-2020-9802/Safari-614.1.9/PoC
History

README.md

Motivation

The repository is for solving the following problem encountered in reproducing CVE-2020-9802 in the AFL crash exploring mode of fuzzing process.

  1. The jsc interpreter(Commit ID: 17218d1485b0f5d98d2aad116d4fdb2bad6aee2d), whose version just before patching CVE-2020-9802, unexpected crash when receiving input don't conform to JavaScript language syntax.
  2. The heap allocator of JavaScriptCore is probabilistic, which lead to unstable crash in reproducing CVE-2020-9802 in JavaScriptCore. AFL even doesn't accept the PoC as seed as it doesn't produce crash in perform_dry_run().

Solution

  1. JavaScriptCore was updated into the latest compilable version Safari-614.1.9. It won't crash when receiving input don't conform to JavaScript language syntax.
  2. The heap allocator of JavaScriptCore is modified to be deterministic.

Reproduction

export WEBKIT_PATH="WEBKIT_PATH" # Modify this to your WebKit directory path
export AFL_PATH="AFL_PATH" # Modify this to your AFL directory path

# Git Clone
git clone https://github.com/WebKit/WebKit.git

# Switch version and patch
git checkout Safari-614.1.9
patch -p1 -i CVE-2020-9802-Safari-614.1.9.patch

# Static linking of JavaScriptCore
# Build for tracing
WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputTrace/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"
# Build for fuzzing
CC=$AFL_PATH/afl-gcc CXX=$AFL_PATH/afl-g++ WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputFuzz/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"

# Deterministic Reproduction
./jsc --useConcurrentJIT=false PoC.js