ladybird/Libraries/LibJS/Tests/regress/proxied-constructor-leads-to-use-after-free.js

test("Proxied constructor should handle argument_buffer reallocation during prototype get()", () => {
    function foo() {}

    let handler = {
        get() {
            // prettier-ignore
            foo(
                // make extra sure we trigger a reallocation
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41,
                0x41,  0x41,  0x41,  0x41,  0x41,  0x41
            );

            return null;
        },
    };

    function Construct() {
        // later use dangling pointer
        console.log(arguments);
    }

    let ConstructProxy = new Proxy(Construct, handler);

    new ConstructProxy(0x1);
});
LibJS: Fix UAF in ECMAScriptFunctionObject::internal_construct Currently, we create `this_argument` with `ordinary_create_from_constructor`, then we use `arguments_list` to build the callee_context. The issue is we don't properly model the side-effects of `ordinary_create_from_constructor`, if `new_target` is a proxy object then when we `get` the prototype, arbitrary javascript can run. This javascript could perform a function call with enough arguments to reallocate the interpreters m_argument_values_buffer vector. This is dangerous and leads to a use-after-free, as our stack frame maintains a pointer to m_argument_values_buffer (`arguments_list`). 2025-03-18 00:13:20 +13:00			`test("Proxied constructor should handle argument_buffer reallocation during prototype get()", () => {`
			`function foo() {}`

			`let handler = {`
			`get() {`
			`// prettier-ignore`
			`foo(`
			`// make extra sure we trigger a reallocation`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41,`
			`0x41, 0x41, 0x41, 0x41, 0x41, 0x41`
			`);`

			`return null;`
			`},`
			`};`

			`function Construct() {`
			`// later use dangling pointer`
			`console.log(arguments);`
			`}`

			`let ConstructProxy = new Proxy(Construct, handler);`

			`new ConstructProxy(0x1);`
			`});`