[2] [JSC YARR] Fix integer overflow in AssemblerBuffer leading to heap overflow

Severity: High | Component: JSC AssemblerBuffer / YARR | 7663d81

Rated High because the diff widens code-buffer length arithmetic that previously wrapped 32-bit under attacker-shaped regex pressure; the downstream putIntegralUnchecked performs an unchecked write past the real allocation, yielding a linear write-anything-the-JIT-emits primitive into adjacent heap.

Widens m_index, m_capacity, and the arithmetic in isAvailable(), putIntegral(), and grow() from unsigned to a width that does not wrap under YARR-driven code emission. Adds TooManyCaptures and FrameTooLarge YARR errors — the commit message labels these "not actually critical" (DoS and frame-bookkeeping overflows in pattern compilation).

Source/JavaScriptCore/assembler/AssemblerBuffer.h

-    bool isAvailable(unsigned space)
-    {
-        return m_index + space <= m_capacity;
-    }
+    bool isAvailable(size_t space)
+    {
+        return m_index + space <= m_capacity;
+    }

32-bit overflow in JIT code buffer length arithmetic: wrapped nextIndex bypasses the capacity check, then putIntegralUnchecked writes the emitted machine code past the real allocation.

Patch Details

Buffer width is widened; the isAvailable / putIntegral / grow arithmetic is recomputed in the wider type. YARR's pattern compiler gains TooManyCaptures and FrameTooLarge early bailouts so pathological patterns fail before reaching the emitter.

Background

AssemblerBuffer is JSC's emission buffer used by every JIT backend — YARR, baseline, DFG, FTL, and Wasm BBQ/OMG — to accumulate machine code before linking. The contract is: isAvailable(n) is the precondition for putIntegralUnchecked<T>, which performs WTF::unalignedStore<T>(m_storageBuffer + m_index, value) and bumps m_index. grow() is called by putIntegral when isAvailable reports insufficient room. The buffer was sized in unsigned despite YARR being capable of driving emission size past 2^32 with adversarial patterns.

Analysis

The three pre-fix arithmetic sites all evaluated in 32-bit:

isAvailable(space):   return m_index + space <= m_capacity;        // unsigned wrap
putIntegral(value):   nextIndex = m_index + sizeof(IntegralType);   // unsigned wrap, "nextIndex > capacity" guard bypassed
grow(extra):          newCapacity = m_capacity + m_capacity/2 + extra;  // unsigned wrap, undersize allocation

A YARR pattern driving emission toward 2^32 bytes wraps these expressions. After wrap, isAvailable returns true, putIntegral's nextIndex > capacity test is bypassed, and grow() resizes to a value smaller than the data actually written. putIntegralUnchecked then performs an unaligned store of the encoded machine code past the live allocation.

Aaa Aaaaa Aa Aaaaaa Aaa Aaa Aaaaaaa Aa Aaa Aaaaa Aaaaaaa Aaaaa a Aaa Aaaaaaa Aaaaaaaa Aaaaaaaa Aaaaaaaaaaa Aaaaaaaaaaaaaa Aaa Aaaaaaaa Aaa Aa Aaaaa Aaaaaa Aaaaaaaaaaaaaaaaaaa Aaaa Aa Aaa Aaaaaaaaa Aaaa Aaaaaa Aaaaaaaaa Aaaaaaaa Aaaaa Aaaaaaaaa Aa Aaa Aaaaaa Aaa Aaa Aaaaaa Aaaa Aaaa Aaaaaa Aaa Aaaa Aa Aaaaa Aaaaa Aa Aaa Aaaaa Aaaaaaa Aaaaaaaa Aaaa Aaaaaaa Aaa Aaaa Aaaa Aaaaaaa Aaaa Aa Aaa Aaaa Aaaaaaaaaa Aaaaaaaaaaa

Aaa Aaa Aaaaaaaaa Aaaaaaa Aaa Aaaaaaaaaaaa Aaaaaaaaaaa Aaaaaa Aaaaaaaaaaaaaaaaa Aaaaaaaa Aaaa Aaa Aaaaaa Aaaaaaa Aaaaa Aaaaa Aaaaaaaa Aaa Aaaaaaaa Aaaaaaaaa Aaaaa Aaaaaaa Aaa Aaaaaaaaaaaaaaa Aaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaa Aaaaaaaaaa Aaaaaaaaaaa Aaaaaaa Aaaaa Aaaaaaaa Aaaaaaaaaaaa Aaaaaaaaa Aaaaa Aaaaaaa Aa Aaaaaaaa Aaaaaaaaaaa

Aaaa Aaaaaaa Aaa Aaa Aaaaaa Aaaaaaaaa Aaaa Aaa Aaaaaaa Aaaaa Aaaaaa Aaaa Aaa Aaaa Aaaaaaa Aaa Aaaaaaa Aaaaaaaaa Aa Aaaa Aaaaa Aa Aaaaaaaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaaaa Aaaaaaa Aaa Aaaaaaaaa Aaaa Aaaaaa Aa Aaa Aaa Aaaaaaaaaa

🔒

Detailed analysis of how a 4 GiB JIT-buffer size limit was being enforced, and what could happen when that enforcement folded under arithmetic wrap.

Subscribe to read more

Audit directions

a Aaaaaaa Aaaaaaaaaa Aaaaaaaaaaaaa Aaaaaaaaaa Aaaa Aa a Aaaaaa Aaaaa Aaaa Aa Aaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaa Aaa Aaaaaaaaa Aaaaaaaaaa Aaaaaaaaaa Aa Aaaaaaaaa Aa Aaaaaaaaaaa
a Aaaaaaa Aaa Aaaaaaa Aaaa Aaaaaaaaaaaaaaa Aaaaaaaaa Aaaaaaaaaaaa Aaaa Aaaaaaaa Aaa Aa Aaaaaaaa Aaaa Aaaaaa Aaaaaa Aaaaaa Aaa Aaa Aaaa Aaaaaaa Aaaaaaaa Aaaaaaa Aaa Aaa Aaaa Aaaa Aaaaa Aaaaaaa a Aaaaaaa Aaaa Aa Aaaa Aaaa Aa Aaaaaaaaaa Aaaaaaaaaa Aaa Aaaaaaa
a Aaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaa Aaa Aaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaa Aaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaa Aaaaa Aaaaaaaaaaaa Aaa Aaaa

🔒

Multiple reusable audit patterns identified for integer-overflow-in-code-emission and parser-driven frame-layout accumulators, with concrete starting points across JSC's JIT pipelines.

Subscribe to read more