Microsoft Edge Chakra - Heap Buffer Overflow

EDB-ID: 42468
Author: Huang Anwen
Published: 2017-08-17
CVE: CVE-2017-8636
Type: Dos
Platform: Windows
Vulnerable App: N/A

 Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team 

This is the HEAP BASED OVERFLOW version of the issue.

// ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{

[...]

if (!isAsmJs && executeFunction->IsCoroutine())
{
[...]
}
else
{
InterpreterStackFrame::Setup setup(function, args);
size_t varAllocCount = setup.GetAllocationVarCount();
//printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);
size_t varSizeInBytes = varAllocCount * sizeof(Var);

//
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
//
DWORD_PTR stackAddr;

// If the locals area exceeds a certain limit, allocate it from a private arena rather than
// this frame. The current limit is based on an old assert on the number of locals we would allow here.
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
{
ArenaAllocator *tmpAlloc = nullptr;
fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
}
else
{
PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
memset(allocation, 0xFE, varSizeInBytes);
Related Posts