Hello,

A WebKit exploit was reported where the WebKit implementation was vulnerable to 
ROP (return-oriented programming) attacks. Here are the details: 
https://www.exploit-db.com/exploits/28081/.
However, we are interested in knowing which revision of WebKit has the fix 
resolving this vulnerability.

Digging for more info, we found that the exploit was due to a heap buffer overflow 
issue in the JavaScriptCore JSArray::sort() method.
Details:

The heap memory buffer overflow vulnerability exists within WebKit's
JavaScriptCore JSArray::sort(...) method. This method accepts a user-defined
JavaScript function and calls it from native code to compare array items.
If this compare function reduces the array length, then the trailing array items
will be written outside the "m_storage->m_vector[]" buffer, which leads to
heap memory corruption.

The exploit for this vulnerability is JavaScript code which shows how to
use it for memory corruption of internal JS objects (Uint32Array, etc.)
and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted
into the JS code).

So our question is, can you point us to the fix (i.e. changelist/revision) which 
patched this exploit?

Thanks,
Rupali
_______________________________________________
webkit-help mailing list
webkit-help@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-help
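The bug class described in the message above (a sort routine that calls back into script, which shrinks the array, after which the sort writes back using the length it captured earlier) is easy to model without touching the real engine. The following is an added, constructed C example and not WebKit code: `ToyArray`, `sort_stale_length`, `sort_recheck_length` and the harness counter `oob_writes` are all assumptions for illustration. The harness intercepts would-be out-of-bounds stores and counts them instead of performing them, so both variants can be compared without corrupting memory. The hardened variant shows the generic mitigation of re-reading the length after every re-entry into the callback and clamping the write-back to what the array currently holds; whether WebKit's actual fix used exactly this approach is not stated in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of an engine-internal array: a length plus a backing
 * vector, standing in for the m_storage->m_vector[] buffer named in the report.
 * Not WebKit code. */
typedef struct {
    size_t length;     /* number of live items */
    size_t capacity;   /* size of the backing vector */
    int   *vector;     /* backing storage */
    size_t oob_writes; /* harness counter: write-backs that fell outside capacity */
} ToyArray;

/* The comparator gets a handle to the array because in the real engine a
 * JavaScript compare function can reach back and mutate the array being sorted. */
typedef int (*compare_fn)(ToyArray *arr, int a, int b);

static ToyArray *toy_new(const int *items, size_t n) {
    ToyArray *arr = calloc(1, sizeof *arr);
    arr->vector = malloc(n * sizeof(int));
    memcpy(arr->vector, items, n * sizeof(int));
    arr->length = arr->capacity = n;
    return arr;
}

static void toy_free(ToyArray *arr) { free(arr->vector); free(arr); }

/* Shrinking the array also shrinks the backing storage, as an engine may do
 * when script assigns a smaller length. */
static void toy_set_length(ToyArray *arr, size_t new_len) {
    if (new_len < arr->length) {
        arr->vector = realloc(arr->vector, (new_len ? new_len : 1) * sizeof(int));
        arr->capacity = new_len;
        arr->length = new_len;
    }
}

/* Harness store: instead of writing past the buffer (undefined behaviour), it
 * records the attempt so the two sort variants can be compared safely. */
static void toy_store(ToyArray *arr, size_t i, int v) {
    if (i < arr->capacity) arr->vector[i] = v;
    else arr->oob_writes++;
}

/* Shared phase 1: copy n items into a temporary buffer and insertion-sort it
 * with the (possibly hostile) comparator. Only tmp is touched while the
 * comparator runs, so the callback shrinking arr does not affect this phase. */
static int *sort_copy(ToyArray *arr, size_t n, compare_fn cmp) {
    int *tmp = malloc((n ? n : 1) * sizeof(int));
    memcpy(tmp, arr->vector, n * sizeof(int));
    for (size_t i = 1; i < n; i++) {
        int key = tmp[i];
        size_t j = i;
        while (j > 0 && cmp(arr, tmp[j - 1], key) > 0) { tmp[j] = tmp[j - 1]; j--; }
        tmp[j] = key;
    }
    return tmp;
}

/* Defective pattern: the length captured before sorting is trusted for the
 * write-back, even though the comparator may have shrunk the array meanwhile. */
static size_t sort_stale_length(ToyArray *arr, compare_fn cmp) {
    size_t n = arr->length;            /* captured once, never re-checked */
    int *tmp = sort_copy(arr, n, cmp);
    for (size_t i = 0; i < n; i++) toy_store(arr, i, tmp[i]);
    free(tmp);
    return arr->oob_writes;
}

/* Hardened pattern: re-read the length after re-entering script and never
 * write beyond what the array currently holds. */
static size_t sort_recheck_length(ToyArray *arr, compare_fn cmp) {
    size_t n = arr->length;
    int *tmp = sort_copy(arr, n, cmp);
    size_t limit = arr->length < n ? arr->length : n;  /* clamp to current size */
    for (size_t i = 0; i < limit; i++) toy_store(arr, i, tmp[i]);
    free(tmp);
    return arr->oob_writes;
}

/* Constructed comparator that truncates the array to 2 items on its first call,
 * the way a script-side compare function can reassign the length mid-sort. */
static int shrinking_cmp(ToyArray *arr, int a, int b) {
    if (arr->length > 2) toy_set_length(arr, 2);
    return (a > b) - (a < b);
}

/* Runs one variant over a fresh 8-element array and returns the number of
 * out-of-bounds write-backs the harness intercepted (0 means no overflow). */
size_t oob_writes_for(int hardened) {
    int items[8] = {8, 3, 5, 1, 7, 2, 6, 4};
    ToyArray *arr = toy_new(items, 8);
    size_t oob = hardened ? sort_recheck_length(arr, shrinking_cmp)
                          : sort_stale_length(arr, shrinking_cmp);
    toy_free(arr);
    return oob;
}

int main(void) {
    printf("stale length:      %zu out-of-bounds writes\n", oob_writes_for(0));
    printf("re-checked length: %zu out-of-bounds writes\n", oob_writes_for(1));
    return 0;
}
```

With the stale-length variant, six of the eight write-backs land past the two-element buffer the comparator left behind; the re-checked variant performs none. The same shape of check (re-validate any cached length or pointer after control has returned from a callback that can mutate the container) is the general defence for this class of bug in sort, splice, and similar routines that call into script.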
