30 lines
1.6 KiB
Markdown
30 lines
1.6 KiB
Markdown
# Motivation
|
|
The repository is for solving the following problem encountered in reproducing CVE-2020-9802 in the AFL crash exploring mode of fuzzing process.
|
|
1. The `jsc` interpreter(Commit ID: `17218d1485b0f5d98d2aad116d4fdb2bad6aee2d`), whose version just before patching CVE-2020-9802, unexpected crash when receiving input don't conform to JavaScript language syntax.
|
|
2. The heap allocator of JavaScriptCore is probabilistic, which lead to unstable crash in reproducing CVE-2020-9802 in JavaScriptCore. AFL even doesn't accept the PoC as seed as it doesn't produce crash in `perform_dry_run()`.
|
|
|
|
# Solution
|
|
1. JavaScriptCore was updated into the latest compilable version `Safari-614.1.9`. It won't crash when receiving input don't conform to JavaScript language syntax.
|
|
2. The heap allocator of JavaScriptCore is modified to be deterministic.
|
|
|
|
# Reproduction
|
|
```bash
|
|
export WEBKIT_PATH="WEBKIT_PATH" # Modify this to your WebKit directory path
|
|
export AFL_PATH="AFL_PATH" # Modify this to your AFL directory path
|
|
|
|
# Git Clone
|
|
git clone https://github.com/WebKit/WebKit.git
|
|
|
|
# Switch version and patch
|
|
git checkout Safari-614.1.9
|
|
patch -p1 -i CVE-2020-9802-Safari-614.1.9.patch
|
|
|
|
# Static linking of JavaScriptCore
|
|
# Build for tracing
|
|
WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputTrace/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"
|
|
# Build for fuzzing
|
|
CC=$AFL_PATH/afl-gcc CXX=$AFL_PATH/afl-g++ WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputFuzz/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"
|
|
|
|
# Deterministic Reproduction
|
|
./jsc --useConcurrentJIT=false PoC.js
|
|
``` |