5 matches found
Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions
Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions / Here's a PoC: / function optstr for let i = 0; i .var s9.var = LdSlot s32s18l53.var s7.var = LdSlot s20s18l51.var s8.var = LdSlot s19s18l52.var s1Object.var = LdA 0x7FFFF47A0000 GlobalObjectObject.var...
Microsoft Edge Chakra JIT SetConcatStrMultiItemBE Type Confusion
Microsoft Edge: Chakra: JIT: Type confusion with hoisted SetConcatStrMultiItemBE instructions CVE-2018-8229 Here's a PoC: function optstr for let i = 0; i .var s9.var = LdSlot s32s18l53.var s7.var = LdSlot s20s18l51.var s8.var = LdSlot s19s18l52.var s1Object.var = LdA 0x7FFFF47A0000...
Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else // BASIC BLOCK b o = 1.1; // BASIC BLOCK c return o; For example, let's...
Microsoft Edge Chakra JIT - BailOutOnTaggedValue Bailouts Type Confusion
Microsoft Edge Chakra JIT - BailOutOnTaggedValue Bailouts Type Confusion / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else...
Microsoft Edge Chakra JIT BailOutOnTaggedValue Bailouts
Microsoft Edge: Chakra: JIT: BailOutOnTaggedValue bailouts can be generated for constant values CVE-2017-11839 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else // BASIC BLOCK b o = 1.1; // BASIC...