# cve-2024-44308

DFG register allocation bug in JavaScriptCore
> Michael Goppert, Michael Jennings, and John Jennings
## Safety
This issue in WebKit was patched long before this proof-of-concept was released.
As such, it did not pose any danger to real users: the whole purpose is to document these kinds of exploits so that we know how to protect against them.
## Documentation
This repository has a writeup documenting our findings, as well as a presentation from our talk about it.
Find these in the `doc/` subdirectory.
## Building
This repository must be cloned inside the WebKit source tree (as a subdirectory of the WebKit checkout) before it can be used, and the WebKit checkout must be at the pinned commit below. That is:
```
git clone https://github.com/WebKit/WebKit.git
cd WebKit
git checkout c52da7c313795d61665253f23c9f298005549c73
git clone https://github.com/migopp/cve-2024-44308.git
```
Then, take a peek at the `Makefile` to get a feel for what is available.
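Before touching the `Makefile`, it is worth confirming that the layout above is actually in place: the PoC directory must sit directly inside the WebKit checkout, and that checkout must be at the pinned commit, or the patches in `patches/` will not apply cleanly. The script below is an added example, not part of this repository; it assumes the layout described in this README (a `WebKit/` root containing `Source/JavaScriptCore` and a `cve-2024-44308/` subdirectory with the files listed in the tree) and only verifies the commit when a git checkout is present.

```shell
#!/bin/sh
# Added example (not from the cve-2024-44308 repository): sanity-check the
# directory layout the README asks for before running anything from the Makefile.
#
# Expected tree (from the README):
#   WebKit/                    <- WebKit checkout, pinned to $PINNED_COMMIT
#   WebKit/cve-2024-44308/     <- this repository, cloned inside WebKit
PINNED_COMMIT=c52da7c313795d61665253f23c9f298005549c73

# check_layout WEBKIT_DIR
# Returns 0 when the layout matches, non-zero otherwise; prints what is wrong.
check_layout() {
    webkit="$1"
    poc="$webkit/cve-2024-44308"
    status=0

    # WebKit's JavaScriptCore sources must be a sibling of the PoC directory,
    # otherwise the patches have nothing to apply to.
    if [ ! -d "$webkit/Source/JavaScriptCore" ]; then
        echo "missing: $webkit/Source/JavaScriptCore (is $webkit the WebKit root?)"
        status=1
    fi

    # Files this README lists in the repository tree.
    for f in Makefile cve-2024-44308.js trigger.js \
             patches/release/check-regalloc.patch patches/debug/check-regalloc.patch; do
        if [ ! -f "$poc/$f" ]; then
            echo "missing: $poc/$f"
            status=1
        fi
    done

    # If WebKit is a git checkout, confirm HEAD is the pinned commit. A tree
    # without .git (e.g. unpacked from a tarball) only gets a warning, since
    # the commit cannot be verified from the filesystem alone.
    if [ -d "$webkit/.git" ] && command -v git >/dev/null 2>&1; then
        head=$(git -C "$webkit" rev-parse HEAD 2>/dev/null)
        if [ "$head" != "$PINNED_COMMIT" ]; then
            echo "WebKit HEAD is ${head:-unknown}, expected $PINNED_COMMIT"
            status=1
        fi
    else
        echo "warning: no git checkout at $webkit, pinned commit not verified"
    fi

    return $status
}

# Usage: sh check-layout.sh /path/to/WebKit
if [ "$#" -ge 1 ]; then
    check_layout "$1"
    exit $?
fi
```

Run it with the WebKit root as its only argument; a zero exit status means the layout matches the README and the pinned commit (when verifiable) is checked out.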
The repository contains:

```
[4.0K] cve-2024-44308
├── [7.7K] cve-2024-44308.js
├── [4.0K] doc
│   ├── [ 43K] cve-2024-44308.md
│   └── [1.4M] cve-2024-44308.slides.pdf
├── [3.3K] Makefile
├── [4.0K] patches
│   ├── [4.0K] debug
│   │   ├── [ 396] call-compile-fn.patch
│   │   ├── [ 386] check-regalloc.patch
│   │   ├── [ 502] generate-slowpath.patch
│   │   └── [1.7K] slowpath-jmp-fn.patch
│   └── [4.0K] release
│       ├── [ 404] call-compile-fn.patch
│       ├── [ 386] check-regalloc.patch
│       ├── [ 510] generate-slowpath.patch
│       └── [1.8K] slowpath-jmp-fn.patch
├── [ 843] README.md
└── [1.8K] trigger.js

4 directories, 14 files
```