Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug

2018.07.13

Credit: Google Security Research

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2018-8139

CWE: CWE-119

CVSS Base Score: 7.6/10

Impact Subscore: 10/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance
CVE-2018-8139
BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlags_NewTarget flag which indicates that there's an extra argument (new.target) at the end of the argument array. So the size of the new argument array created with the CallFlags_NewTarget flag will be always 1 less then required, this leads to an OOB read.
PoC:
function func() {
new.target.x;
}
let bound = func.bind({}, 1);
Reflect.construct(bound, []);
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.