Microsoft Edge Chakra Uninitialized Arguments Exploit

ID 1337DAY-ID-28291
Type zdt
Reporter Google Security Research
Modified 2017-08-17T00:00:00


Microsoft Edge Chakra suffers from an uninitialized arguments vulnerability.

                                            Microsoft Edge: Chakra: Uninitialized arguments 


Here's a snippet of "ParseVariableDeclaration" which is used for parsing declarations.
template<bool buildAST>
ParseNodePtr Parser::ParseVariableDeclaration(
    tokens declarationType, charcount_t ichMin,
    BOOL fAllowIn/* = TRUE*/,
    BOOL* pfForInOk/* = nullptr*/,
    BOOL singleDefOnly/* = FALSE*/,
    BOOL allowInit/* = TRUE*/,
    BOOL isTopVarParse/* = TRUE*/,
    BOOL isFor/* = FALSE*/,
    BOOL* nativeForOk /*= nullptr*/)
    if (pid == wellKnownPropertyPids.arguments && m_currentNodeFunc)
        // This var declaration may change the way an 'arguments' identifier in the function is resolved
        if (declarationType == tkVAR)
            m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_varDeclaration;
            if (GetCurrentBlockInfo()->pnodeBlock->sxBlock.blockType == Function)
                // Only override arguments if we are at the function block level.
                m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenByDecl;

"m_currentNodeFunc" is only replaced when "buildAST" is true. So I think it's not supposed to use "m_currentNodeFunc" when "buildAST" is false. But the above code is using it regardless of "buildAST". So it may change a wrong function's "grfpn" flag. What I noticed is the "PNodeFlags::fpnArguments_overriddenByDecl" flag which makes the function's arguments uninitialized.

function f() {
    ({a = () => {
        let arguments;
    }} = 1);



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

# [2018-04-02]  #