by Mitja Kolsek, the 0patch Team
May 2021 Windows Updates brought a fix for an "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419), discovered by Ivan Fratric of Google Project Zero. Ivan published details and a proof-of-concept the next day, and we used these to reproduce the vulnerability in our lab and create a micropatch for it.
Since Microsoft's patch was available, we reviewed it and found that they only changed the function ByteCodeGenerator::LoadCachedHeapArguments so that instead of calling ByteCodeGenerator::EmitPropStore, it now calls ByteCodeGenerator::EmitLocalPropInit. These are undocumented and largely unknown functions, but their names imply that the vulnerability resides in the just-in-time compiler's code generation logic, where the generated code gets an improper level of access to the arguments object.
Our micropatch is logically identical to Microsoft's:
PIT jscript9!0x8be60 ; ByteCodeGenerator::EmitLocalPropInit
mov r9, rbp ; Some instructions are erased and a new function call added
mov r8, rdi
mov edx, esi
mov rcx, rbx
mov rbx, [rsp+70h]
add rsp, 40h
jmp PIT_0x8be60 ; New call to EmitLocalPropInit
See the micropatch in action: