Editing Vulnerabilities
Latest revision | Your text | ||
Line 290: | Line 290: | ||
[https://web.archive.org/web/20241007081407/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] archived currently up to version 11.00. Useful for people that cannot access PlayStation URLs and also for when Sony will inevitably stop hosting the sources. | [https://web.archive.org/web/20241007081407/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] archived currently up to version 11.00. Useful for people that cannot access PlayStation URLs and also for when Sony will inevitably stop hosting the sources. | ||
=== Untested - mmap issue involving pointer address misalignment leading to nothing for now === | |||
==== Credits ==== | |||
* Jasmine, working for Sony, for information through a WebKit commit (2022-10-19) | |||
==== Analysis ==== | |||
* https://bugs.webkit.org/show_bug.cgi?id=246763 | |||
==== Bug Description ==== | |||
There is an mmap issue involving pointer address misalignment because of a failing assert [https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp#L94 here]. A workaround is to set the HAVE_MAP_ALIGNED flag to OFF in OptionsPlayStation.cmake: [https://github.com/WebKit/WebKit/commit/626585db9857b7630cf34d82f9a0555720f15bca]. This workaround can be reverted once the mmap issue is resolved. Currently, the workaround is still enabled: [https://github.com/WebKit/WebKit/blob/ab2fff92b37e52d6c65e215b155e6b92f1646954/Source/cmake/OptionsPlayStation.cmake#L251] | |||
==== Exploit Implementation ==== | |||
==== Patched ==== | |||
'''Maybe''' | |||
==== Tested ==== | |||
Not tested yet on PS4 or PS5. | |||
---- | |||
=== FW ?6.00-11.52? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | === FW ?6.00-11.52? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | ||
Line 329: | Line 349: | ||
---- | ---- | ||
=== FW ?10.00-11.52? - | === FW ?10.00-11.52? - Integer underflow in WebKit renderer (CVE-2024-27833) leading to arbitrary code execution === | ||
==== Credits ==== | ==== Credits ==== | ||
* Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet] | * Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet] | ||
* Apple Safari update integrates a fix (2024-06-10) | |||
==== Analysis ==== | |||
==== Bug Description ==== | |||
There is an integer underflow in the WebKit renderer. It was addressed with improved input validation. | |||
It is associated with WebKit Bugzilla #271491. | |||
==== Exploit Implementation ==== | |||
==== Patched ==== | |||
'''Maybe''' on PS4 FW 12.00 and PS5 FW ?10.00?. | |||
==== Tested ==== | |||
Not tested as there is no PoC available. | |||
---- | |||
=== FW ?10.00-11.52? - Immediate overflow in JSC SBFX leading to crash === | |||
==== Credits ==== | |||
* Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15) | * Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15) | ||
* xvonfers for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfers' tweet] | |||
* xvonfers | |||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)] | * [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
The JavaScriptCore Isel (instruction selection) SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed an immediate overflow because 'lsb' and 'width' were not properly checked. | The JavaScriptCore Isel (instruction selection) SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed an immediate overflow because 'lsb' and 'width' were not properly checked. | ||
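As an added illustration (not WebKit's code, and not the exact condition used in the fix commit), the range constraint that an SBFX lowering has to enforce on its 'lsb' and 'width' immediates: on AArch64, SBFX is an alias of SBFM with immr = lsb and imms = lsb + width - 1, so the pair is only encodable when width is at least 1 and lsb + width does not exceed the register size. The 32/64-bit register sizes and the fallback behaviour are assumptions of the example.

```cpp
#include <cstdint>
#include <optional>

// Added example, not WebKit code: validates an AArch64 SBFX immediate pair
// for a register of `datasize` bits (32 or 64, assumed for the example).
// The sum is computed in 64 bits so the check itself cannot wrap.
bool isValidSbfxImmediates(unsigned lsb, unsigned width, unsigned datasize) {
    if (datasize != 32 && datasize != 64) return false;
    if (width == 0) return false;               // imms = lsb + width - 1 would underflow
    if (lsb >= datasize) return false;          // immr must be < datasize
    return static_cast<uint64_t>(lsb) + width <= datasize; // imms must be < datasize
}

// Reference semantics of a signed bitfield extract on a 64-bit value:
// take `width` bits starting at `lsb` and sign-extend the field.
int64_t signedBitfieldExtract(uint64_t value, unsigned lsb, unsigned width) {
    uint64_t mask = (width == 64) ? ~0ull : ((1ull << width) - 1);
    uint64_t field = (value >> lsb) & mask;
    uint64_t signBit = 1ull << (width - 1);
    return static_cast<int64_t>((field ^ signBit) - signBit);
}

// Hypothetical lowering step: emit the SBFX pattern only when the immediates
// are in range, otherwise report that a generic shift sequence is needed
// (modelled here as nullopt).
std::optional<int64_t> lowerSbfx(uint64_t value, unsigned lsb, unsigned width, unsigned datasize) {
    if (!isValidSbfxImmediates(lsb, width, datasize)) return std::nullopt;
    return signedBitfieldExtract(value, lsb, width);
}
```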