Status: Fixed
Closed: Dec 2016
Microsoft Edge: Uninitialized Memory in SIMD.toLocaleString
Project Member Reported by natashenka@google.com, Oct 4 2016
The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp:

        Var* newArgs = HeapNewArray(Var, numArgs);
        switch (numArgs)
        {
        case 1:
            break;
        case 2:
            newArgs[1] = args[1];
            break;
        case 3:
            newArgs[1] = args[1];
            newArgs[2] = args[2];
            break;
        default:
            Assert(UNREACHED);
        }

If the call has more than three arguments, it will fall through, leaving newArgs uninitialized. This will cause toLocaleString to be called on uninitialized memory, having a similar effect to type confusion (as integers in the memory can be confused for pointers and vice-versa). A minimal PoC is as follows, and a full PoC is attached:

    var v = SIMD.Int32x4(1, 2, 3, 4);
    v.toLocaleString(1, 2, 3, 4)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: simd.html (183 bytes)
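The following model is an added example, not code from the report or from ChakraCore. It reproduces the argument-copy switch quoted above in a deterministic form so the effect of the missing `default` case can be observed: stale heap contents are simulated with a fixed poison value instead of real uninitialized memory (which would be undefined behaviour to read), `args[0]` is assumed to be the receiver and to be filled in outside the quoted switch, the tagged-integer encoding is a simplified stand-in, and the "fixed" variant that writes every slot is an assumed hardening, not the actual December patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

typedef void* Var;

// Stale heap contents are modelled as one fixed poison value with the low
// bit clear, i.e. a value the engine would treat as an object pointer.
// Reading genuinely uninitialized memory would be undefined behaviour.
static Var stalePoison() {
    return reinterpret_cast<Var>(static_cast<uintptr_t>(0xA5A5A5A4u));
}

// Simplified tagged small integer: value shifted left with the low bit set.
// Assumed encoding for this model, not ChakraCore's exact TaggedInt layout.
static Var tagInt(unsigned n) {
    return reinterpret_cast<Var>((static_cast<uintptr_t>(n) << 1) | 1u);
}

// Stand-in for HeapNewArray: fresh slots still hold whatever was there before.
static std::vector<Var> heapNewArrayStale(size_t n) {
    return std::vector<Var>(n, stalePoison());
}

// Mirrors the switch quoted in the report. args[0] is the receiver ('this'),
// so v.toLocaleString(1, 2, 3, 4) arrives with numArgs == 5.
static std::vector<Var> copyArgsVulnerable(const std::vector<Var>& args) {
    const size_t numArgs = args.size();
    std::vector<Var> newArgs = heapNewArrayStale(numArgs);
    if (numArgs == 0) return newArgs;
    newArgs[0] = args[0];  // assumption: receiver slot is filled outside the quoted switch
    switch (numArgs) {
    case 1:
        break;
    case 2:
        newArgs[1] = args[1];
        break;
    case 3:
        newArgs[1] = args[1];
        newArgs[2] = args[2];
        break;
    default:
        // Assert(UNREACHED) compiles to nothing in a release build, so
        // slots 1..numArgs-1 keep their stale contents.
        break;
    }
    return newArgs;
}

// Hardened variant (assumed fix, not ChakraCore's actual patch): write every
// slot, so the number of copied slots can never lag behind the allocation.
static std::vector<Var> copyArgsFixed(const std::vector<Var>& args) {
    std::vector<Var> newArgs = heapNewArrayStale(args.size());
    for (size_t i = 0; i < args.size(); ++i) {
        newArgs[i] = args[i];
    }
    return newArgs;
}

// Number of slots that still hold stale heap data after the copy.
static size_t staleSlots(const std::vector<Var>& slots) {
    size_t count = 0;
    for (size_t i = 0; i < slots.size(); ++i) {
        if (slots[i] == stalePoison()) ++count;
    }
    return count;
}

// Argument vector for the PoC call: a dummy receiver object plus four
// tagged integers, i.e. the five Vars behind v.toLocaleString(1, 2, 3, 4).
static int receiverObject;  // stands in for the SIMD.Int32x4 wrapper object
static std::vector<Var> pocArgs() {
    std::vector<Var> args;
    args.push_back(&receiverObject);
    for (unsigned n = 1; n <= 4; ++n) args.push_back(tagInt(n));
    return args;
}

int main() {
    std::printf("vulnerable copy leaves %zu stale slots\n",
                staleSlots(copyArgsVulnerable(pocArgs())));
    std::printf("fixed copy leaves %zu stale slots\n",
                staleSlots(copyArgsFixed(pocArgs())));
    return 0;
}
```

With the PoC's five arguments the vulnerable copy leaves four slots holding stale data while the looped copy leaves none; with three or fewer arguments both behave identically, which is why the bug only surfaces for calls the switch was never written to handle.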
Project Member Comment 1 by natashenka@google.com, Dec 20 2016
Labels: CVE-2016-7286
Project Member Comment 2 by natashenka@google.com, Dec 20 2016
Labels: -Restrict-View-Commit
Status: Fixed
Fixed in the December update.