Intro

Ladybird is a relatively new browser engine originating from the SerenityOS project. Currently, it's in pre-alpha and improving quickly. Take a look at the website and the GitHub for more information!

I'll be researching the JavaScript engine of Ladybird, LibJS.

Architecture

LibJS has an interpreter tier and no compilation tiers (yet!). It includes common modern JS engine optimizations and is built with extensive verification checks across its critical code paths and data structures, including vectors, making scenarios such as integer overflows leading to out-of-bounds accesses harder to exploit.

Fuzzing

We'll be using Fuzzilli, a popular fuzzer for JavaScript interpreters. Here's the description from the GitHub:

"A (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language ("FuzzIL") which can be mutated and translated to JavaScript." - Fuzzilli

Fuzzilli can be configured with additional code generators that can be specialized to trigger specific bugs. LibJS isn't actively being OSS-fuzzed, so I didn't add any custom generators and hoped there would be enough shallow bugs around. There was already some persistent fuzzing code in LibJS. After some work — like needing to compile and link Skia with RTTI (Nix 💜), fixing some build scripts, and compiling Fuzzilli with an additional profile (again, Nix was great for this) — I got it all working!

I ran the fuzzer for ~10 days and found 10 unique crashes. A lot of the bugs were boring:

There were a few bugs that were more interesting:

Initially, I thought the regex bug was an integer overflow… unfortunately, it wasn't. The real integer overflow in TypedArray looked really promising — but it seems hard to exploit, with all the bounds checks protecting vectors from bad accesses.

There were three bugs that looked really good: a heap buffer overflow, freelist corruption (or UAF) in the garbage collector, and a heap use-after-free (UAF) in the malloc heap. But unfortunately, only the last UAF was...
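To make the Architecture point concrete (why a length overflow in a TypedArray-style view is hard to turn into an out-of-bounds access when every access is verified against the live buffer size), here is an added illustration written for this page. It is not LibJS code and does not model AK::Vector or LibJS's TypedArray; the ByteView type, the function names and the 0x40000001 element count are constructed for the example. It contrasts a naive wrapping length computation and a bounds check that trusts the logical element count with an overflow-checked computation and a check against the actual storage size.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Naive 32-bit byte-length computation: silently wraps, so a huge element
// count can yield a tiny backing allocation.
uint32_t naive_byte_length(uint32_t element_count, uint32_t element_size)
{
    return element_count * element_size;
}

// Overflow-checked variant (GCC/Clang builtin): refuses to return a wrapped length.
std::optional<uint32_t> checked_byte_length(uint32_t element_count, uint32_t element_size)
{
    uint32_t out;
    if (__builtin_mul_overflow(element_count, element_size, &out))
        return std::nullopt;
    return out;
}

// Minimal typed-array-like view over a byte buffer (illustrative only).
struct ByteView {
    std::vector<uint8_t> storage; // backing buffer, sized by the caller
    uint32_t element_count;       // logical element count (the value that overflowed the length math)
    uint32_t element_size;
};

// Access pattern 1: bounds-check against the logical element_count and index raw storage.
// Returns true when that check passes but the byte range would fall outside `storage`,
// i.e. the integer overflow has become an out-of-bounds access.
bool unchecked_access_overruns(ByteView const& view, uint32_t index)
{
    if (index >= view.element_count)
        return false; // rejected by the (insufficient) logical check
    uint64_t end = uint64_t(index) * view.element_size + view.element_size;
    return end > view.storage.size();
}

// Access pattern 2: verify the byte range against the live storage size on every
// access, which is the property a bounds-checked vector type enforces.
// Returns the element's first byte, or nullopt when the access is out of bounds.
std::optional<uint8_t> checked_access(ByteView const& view, uint32_t index)
{
    uint64_t offset = uint64_t(index) * view.element_size;
    if (offset + view.element_size > view.storage.size())
        return std::nullopt;
    return view.storage[size_t(offset)];
}

// Constructed scenario: 0x40000001 * 4 == 0x100000004, which wraps to 4 in 32 bits,
// so the view claims over a billion elements but owns a 4-byte buffer.
ByteView make_wrapped_view()
{
    ByteView view;
    view.element_count = 0x40000001u;
    view.element_size = 4;
    view.storage.assign(naive_byte_length(view.element_count, view.element_size), 0xAA);
    return view;
}

int main()
{
    ByteView view = make_wrapped_view();
    std::printf("storage bytes: %zu (claimed elements: %u)\n", view.storage.size(), view.element_count);
    std::printf("checked_byte_length rejects: %s\n",
        checked_byte_length(view.element_count, view.element_size) ? "no" : "yes");
    std::printf("index 1 via logical check overruns: %s\n", unchecked_access_overruns(view, 1) ? "yes" : "no");
    std::printf("index 1 via storage check allowed: %s\n", checked_access(view, 1) ? "yes" : "no");
    return 0;
}
```

The first pattern is the shape of the bug the post calls "integer overflow in TypedArray"; the second is why the post finds it hard to exploit: the wrapped length still produces a small allocation, but an accessor that verifies against the allocation's real size aborts or rejects the access instead of reading past it, and rejecting the wrapped length up front removes the inconsistency entirely.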
First seen: 2025-05-01 00:30
Last seen: 2025-05-01 12:35