Exploits / Vulnerability Discovered : 2019-01-16 |
Type : dos |
Platform : multiple
Title : WebKit JSC JIT GetIndexedPropertyStorage use-after-free
[+] Code ...
/*
The doesGC function takes a DFG node and reports whether that node might trigger a garbage collection. The JIT uses this answer to decide where write barriers must be inserted. The function is missing GetIndexedPropertyStorage, which can trigger a garbage collection when it resolves (flattens) a rope string. Because no barrier is emitted for that node, an object can be collected while a reference to it is still in use, which leads to a use-after-free.
PoC:
*/
// Helper used by the PoC: allocates a series of large buffers so that
// heap pressure forces the collector to run.
function gc() {
    for (let i = 0; i < 10; i++) {
        new ArrayBuffer(1024 * 1024 * 10);
    }
}