I think I have found a bug in JSC JIT on Morello (repro on morello-qemu). If you try to run the POC for CVE-2019-8623 WITH the patch, you get the following crash:
Core was generated by `jsc --useConcurrentJIT=false ./uninitiailized_2019-8623.js'.
Program terminated with signal SIGILL, Illegal instruction.
#0 0x00000000425b3a50 in ?? ()
(gdb) x/4i $pcc
=> 0x425b3a50: .inst 0x42401360 ; undefined
0x425b3a54: .inst 0x00000000 ; undefined
0x425b3a58: .inst 0x1307d005 ; undefined
0x425b3a5c: .inst 0xdc5d4000 ; undefined
(gdb) i r pcc
pcc 0xfc5fc00012e612da00000000425b3a50 0x425b3a50 [rwxRWE,0x425b0000-0x4a5c0000]
(gdb)
I can confirm this capability is written to the RWX memory via performJITMemcpy. I added a call to mprotect that wraps the memcpy call for the specific address in the JIT (0x425b3000), and I made it RWX before the memcpy and R-X afterward, and I still got the SIGILL. This means that this write is intentional, not a corruption that happens later as a result of some temporal/type safety issue.
I know there are capabilities in the JIT region in legit scenarios for some reasons (probably perf/optimizations), and that there are branch instructions before these. But this one is clearly a bug, and it's clearly exploitable.