This vulnerability was analyzed during Episode 176 on 13 December 2022
A JIT optimization based type confusion in jscript9. The root cause of this bug is the fact that the OptArraySrc optimization would call ShouldExpectConventionalArrayIndexValue() to decide if it should keep a type check in place, but that function could sometimes return false and cause the optimization to remove a type check when it shouldn’t. The POC takes advantage of this by creating an Int32Array object (q) that uses a backing ArrayBuffer object (g), and a raw object (e) with some properties. It also contains a boom(m) function which would behave differently depending on m. If m was not set, it would read the first Int32Array value from q then essentially do nothing. If m was set, it would switch q to e and try to write to q[0].
They then call boom with an m=false 100k times to get it JIT’d, and train the JIT to believe it doesn’t need the type check anymore. It then calls boom with m=true, which switches the type and ends up writing using e instead of the Int32Array, giving arbitrary write via e.e’s pointer which jscript9 thinks is the pointer to the int32array’s backing ArrayBuffer. Ultimately, this achieves a relative read/write primitive which can be taken to arbitrary read/write and subsequently code execution fairly easily via causing more type confusions in the browser.