
Root Cause Analysis of a Non-Deterministic JavaScriptCore Vulnerability - zspitzer
http://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/
======
tetrep
There's not a lot of comments here, so I'll give a tl;dr:

They found a "use after free" bug in JavaScriptCore due to some async GC and
used it to get RCE in Safari at Pwn2Own. By making a large array of arrays,
and then reversing them, they interfered with the "mark" part of "mark and
sweep", resulting in some of the arrays not being marked and therefore being
swept (freed) and used for other things. Pretty picture showing what's going
on: [http://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful](http://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful)

some more details:

\- this was found with a fuzzing tool

\- they make a large array of arrays (~20k)

\- they map over the array of arrays and reverse the arrays inside it

\- they print out the contents of all the arrays and find that some of the
objects they are printing are not arrays, but are an entirely different
javascript object: promises (this is a symptom of the bug)

\- they use a very nice debugging tool[0] that lets them step _backwards_ in
time, this proves invaluable as they can start with the symptoms of the bug
and then go backwards to see what has caused them

\- they discover that the memory of the arrays is being marked as "not used",
getting freed by GC, and then used by (unrelated) promises. this is a "use
after free" bug and they're very serious (this one is used to get RCE at
pwn2own)

\- this happens because the GC is marking this as used in an async
manner, so when they make their large array of arrays, not all of the memory
allocated for it is actually marked as "in use". as the GC is iterating over
everything and marking it as "in use", JavaScript continues executing, and in
this case, starts reversing the arrays.

[0]: [https://rr-project.org](https://rr-project.org)
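
A toy model of the race tetrep describes, added here as an illustration and not code from the ret2 post or from JavaScriptCore (the heap, marker, chunk size and barrier are simplified constructs of the example): marking scans a big array in chunks while JS keeps running and reverses it in place. Without a write barrier, elements that move from the unscanned half into the already-scanned half are never marked and get swept while still reachable; with a Dijkstra-style barrier on the stores they survive.

```javascript
// Heap: n leaf objects referenced by one array, which is referenced by the root.
function makeHeap(n) {
  const heap = [];
  const alloc = (kind, slots) => { const o = { kind, slots, marked: false }; heap.push(o); return o; };
  const elems = Array.from({ length: n }, (_, i) => alloc('elem' + i, []));
  const arr = alloc('array', elems.slice());
  const root = alloc('root', [arr]);
  return { heap, root, arr };
}

// Incremental marker: each step scans at most `chunk` slots of one gray object,
// so JS keeps running between steps (the "async" marking the comment describes).
function makeMarker(root, chunk) {
  const gray = []; // shaded objects whose slots are not fully scanned yet
  const shade = (o) => { if (!o.marked) { o.marked = true; gray.push({ o, next: 0 }); } };
  shade(root);
  function step() { // returns false once marking has finished
    if (gray.length === 0) return false;
    const idx = gray.length - 1, w = gray[idx];
    const end = Math.min(w.o.slots.length, w.next + chunk);
    for (; w.next < end; w.next++) shade(w.o.slots[w.next]);
    if (w.next >= w.o.slots.length) gray.splice(idx, 1);
    return true;
  }
  return { step, shade };
}

// In-place reverse. With `barrier` set, every stored reference is shaded
// (Dijkstra-style write barrier); without it the stores are invisible to the marker.
function reverseInPlace(o, barrier) {
  const s = o.slots;
  for (let i = 0, j = s.length - 1; i < j; i++, j--) {
    const t = s[i]; s[i] = s[j]; s[j] = t;
    if (barrier) { barrier(s[i]); barrier(s[j]); }
  }
}

// Mark the first half of the array, let JS reverse it, finish marking, then sweep.
// Returns the kinds of objects still reachable but swept anyway (memory a later
// unrelated allocation, like the promises in the post, would be handed).
function simulate(useBarrier) {
  const { heap, root, arr } = makeHeap(8);
  const marker = makeMarker(root, 4);
  marker.step(); // root scanned, array shaded
  marker.step(); // array slots 0..3 scanned: elem0..elem3 marked
  reverseInPlace(arr, useBarrier ? marker.shade : null); // unscanned elems land in scanned slots
  while (marker.step()) {}
  const reachable = new Set(arr.slots.map((o) => o.kind));
  return heap.filter((o) => !o.marked && reachable.has(o.kind)).map((o) => o.kind);
}
```

`simulate(false)` reports elem4 through elem7 freed while live; `simulate(true)` reports nothing, which is what a correct barrier between the mutator's stores and the concurrent marker buys you.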

~~~
matheusmoreira
These debugging tools are amazing. They also mentioned Hubble, some kind of
visualizer for rr execution traces. I didn't find any information on it.

------
nowarninglabel
Great read, and nice follow-up to the array.reverse() exploit from last year
which I hadn't ever seen fully explained.

