4 matches found
JITSploitation I: A JIT Bug
By Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS...
JSC JIT Out-Of-Bounds Access Vulnerability
The DFG and FTL JIT compilers incorrectly replace Checked with Unchecked ArithNegate operations and vice versa during Common Subexpression Elimination. This can then be exploited to cause out-of-bounds accesses and potentially other memory safety violations. JSC: JIT: Incorrect Common Subexpressi...
JSC JIT Out-Of-Bounds Access
JSC: JIT: Incorrect Common Subexpression Elimination for ArithNegate, leading to OOB accesses The DFG and FTL JIT compilers incorrectly replace Checked with Unchecked ArithNegate operations and vice versa during Common Subexpression Elimination. This can then be exploited to cause out-of-bounds...
Microsoft Edge Chakra JIT Type Confusion
Microsoft Edge: Chakra: JIT: Type confusion with switch statements CVE-2017-11811 Let's start with a switch statement and its IR code for JIT. JS: for let i = 0; i 100; i++ switch i case 2: case 4: case 6: case 8: case 10: case 12: case 14: case 16: case 18: case 20: case 22: case 24: case 26: ca...