Microsoft Edge Chakra JIT BailOutOnInvalidatedArrayHeadSegment Check Bypass
Microsoft Edge: Chakra: JIT: BailOutOnInvalidatedArrayHeadSegment check bypass (CVE-2018-8466). The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to ski...
Microsoft Edge Chakra JIT - BailOutOnInvalidatedArrayHeadSegment Check Bypass Exploit
Exploit for Windows platform in category dos / poc. The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to skip the check, which means that no bailout...
chakra: Crash in void* Js::JavascriptArray::EveryObjectHelper<unsigned int>
Project: https://github.com/Microsoft/ChakraCore.git Detailed report: https://oss-fuzz.com/testcase?key=5978651605598208 Project: chakra Fuzzer: jsfuzzer Job Type: asanchakra Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7fff81af3470 Crash State: void...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (2)
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (2). Here's a snippet of JavascriptArray::BoxStackInstance. template <typename T> T* JavascriptArray::BoxStackInstance(T* instance, bool deepCopy) { Assert(ThreadContext::IsOnStack(instance)); // On the stack, we reserved a pointer before the object as to...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (1)
Here's a snippet of JavascriptArray::BoxStackInstance. To fix issue 1420, "deepCopy" was introduced. But it only deep-copies the array when "instance->head" is on the stack. So simply by adding a single line of code that allocates "head" on the heap, we can bypass the fix. template <typename T>...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix 2) Exploit
Exploit for Windows platform in category dos / poc. Here's a snippet of JavascriptArray::BoxStackInstance. template <typename T> T* JavascriptArray::BoxStackInstance(T* instance, bool deepCopy) { Assert(ThreadContext::IsOnStack(instance)); // On the stack, we reserved a pointer before the object as to store the...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (1)
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (1). Here's a snippet of JavascriptArray::BoxStackInstance. To fix issue 1420, "deepCopy" was introduced. But it only deep-copies the array when "instance->head" is on the stack. So simply by adding a single line of code that allocates...
Microsoft Edge Chakra JIT - Array.prototype.reverse Array Type Confusion
Microsoft Edge Chakra JIT - Array.prototype.reverse Array Type Confusion. This is similar to the previous issue 1457, but this time we use Array.prototype.reverse. Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of "this" to a Var array. Call...
chakra: Crash in void* Js::JavascriptArray::ReduceRightObjectHelper<unsigned int>
Project: https://github.com/Microsoft/ChakraCore.git Detailed report: https://oss-fuzz.com/testcase?key=5736487027998720 Project: chakra Fuzzer: jsfuzzer Job Type: asanchakra Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7fea144e51f0 Crash State: void...
Microsoft Edge: Chakra: OOB read in AppendLeftOverItemsFromEndSegment(CVE-2018-0767)
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl. growby = endSeg->length; current = current->GrowByMin(recycler, growby); CopyArray(current->elements + endIndex + 1, endSeg->length, Js::SparseArraySegment endSeg->elements, endSeg->length);...
chakra: Dynamic-stack-buffer-overflow in Js::JavascriptArray::NewInstance
Project: https://github.com/Microsoft/ChakraCore.git Detailed report: https://oss-fuzz.com/testcase?key=6106023170408448 Project: chakra Fuzzer: jsfuzzer Job Type: asanchakra Platform Id: linux Crash Type: Dynamic-stack-buffer-overflow READ 8 Crash Address: 0x7ffd13bb0260 Crash State:...
Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion
void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue) { JS_REENTRANCY_LOCK(jsReentLock,...
Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs(CVE-2017-8634)
Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements: an array and the integer 0x1234, in that order. In the first loop, "aItem" is an array, and "firstPromotedItemIsSpreadable" remains true because the condition for the fast path i...
Microsoft Edge Chakra - JavascriptArray::ConcatArgs Type Confusion
Microsoft Edge Chakra - JavascriptArray::ConcatArgs Type Confusion. void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength...
Microsoft Edge Chakra JavascriptArray::ConcatArgs Type Confusion Exploit
Exploit for Windows platform in category dos / poc. Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs (CVE-2017-8634). Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements: an array and the integer 0x1234...
Windows 10 x64 Edge CVE-2016-7200 & CVE-2016-7201 vulnerability analysis and exploit - vulnerability warning - Black Bar Safety Net
1. Analysis environment. Operating system: Windows 10 x64 Professional Edition 10.0.14393; browser: Microsoft Edge x64 38.14393.0. 2. CVE-2016-7200 analysis. This is a type confusion vulnerability in JavascriptArray::FilterHelper; look at the commit...
Microsoft Edge - FillFromPrototypes Type Confusion Exploit
Exploit for Windows platform in category dos / poc. var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777); var handler = { getPrototypeOf: function(target, name...
Microsoft Edge - 'Array.reverse' Overflow
left = (uint32)length - seg->left + seg->length; can become a very large value, as length is larger than seg->length and seg->left is generally 0. This can cause the segment length to become larger than the segment size the next time SparseArraySegmentBase::EnsureSizeInBound is called, as the method...
Microsoft Edge - FillFromPrototypes Type Confusion
Microsoft Edge - FillFromPrototypes Type Confusion. var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777); var handler = { getPrototypeOf: function(target, name) { /* print("get proto"); */ return a;...
Microsoft Edge - 'FillFromPrototypes' Type Confusion
var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777); var handler = { getPrototypeOf: function(target, name) { /* print("get proto"); */ return a; } }; var...