[CVE-2018-8276] Edge - Bypass CFG by Exploiting Design Flaw in Chakra - Individual

If attacker can force ServerAddDOMFastPathHelper to be called with bad arguments (e.g. using a separate OOB write vuln on the content process), then we will have an OOB read in JIT process, which leads us to lower a direct call to that OOB value.

Author: MikeHolman

lib/Backend/JnHelperMethod.cpp

@@ -283,6 +283,7 @@ DECLSPEC_GUARDIGNORE  _NOINLINE intptr_t GetNonTableMethodAddress(ThreadContextI
 ///----------------------------------------------------------------------------
 intptr_t GetMethodOriginalAddress(ThreadContextInfo * context, JnHelperMethod helperMethod)
 {
+    AssertOrFailFast(helperMethod >= 0 && helperMethod < IR::JnHelperMethodCount);
     intptr_t address = GetHelperMethods()[static_cast<WORD>(helperMethod)];
     if (address == 0)
     {

lib/JITServer/JITServer.cpp

@@ -329,6 +329,11 @@ ServerAddDOMFastPathHelper(
         Assert(false);
         return RPC_S_INVALID_ARG;
     }
+    if (helper < 0 || helper >= IR::JnHelperMethodCount)
+    {
+        Assert(UNREACHED);
+        return E_ACCESSDENIED;
+    }
 
     return ServerCallWrapper(scriptContextInfo, [&]()->HRESULT
     {