CVE-2025-4919: Corruption via Math Space in Mozilla Firefox
Manfred Paul exploited a vulnerability (CVE-2025-4919, ZDI-25-291) in Firefox's IonMonkey JavaScript JIT compiler at Pwn2Own Berlin 2025. The vulnerability resided within the ExtractLinearSum function, used for simplifying linear expressions. This function incorrectly handled the Modulo math space, causing issues with bounds checks. The TryEliminateBoundsCheck function, utilizing ExtractLinearSum, merged bounds checks without accounting for potential integer overflows. This flaw allowed bypassing bounds checks in large typed arrays. Exploiting this involved creating a large typed array and manipulating indices to trigger an out-of-bounds read or write. The exploit used bitwise operations to force wrapping additions, misleading the bounds check elimination. A BigInt was used to prevent compiler optimizations that might otherwise hinder the exploit. The vulnerability's root cause lies in inconsistent math space handling within the ExtractLinearSum function's various call sites. Similar vulnerabilities might exist in other parts of the Ion compiler that use ExtractLinearSum for loop analysis. Mozilla patched the vulnerability in Firefox 138.0.4. The exploit demonstrated the danger of unchecked integer operations in JIT compilers.
ExtractLinearSumfunction, used for simplifying linear expressions. This function incorrectly handled theModulomath space, causing issues with bounds checks. TheTryEliminateBoundsCheckfunction, utilizingExtractLinearSum, merged bounds checks without accounting for potential integer overflows. This flaw allowed bypassing bounds checks in large typed arrays. Exploiting this involved creating a large typed array and manipulating indices to trigger an out-of-bounds read or write. The exploit used bitwise operations to force wrapping additions, misleading the bounds check elimination. A BigInt was used to prevent compiler optimizations that might otherwise hinder the exploit. The vulnerability's root cause lies in inconsistent math space handling within theExtractLinearSumfunction's various call sites. Similar vulnerabilities might exist in other parts of the Ion compiler that useExtractLinearSumfor loop analysis. Mozilla patched the vulnerability in Firefox 138.0.4. The exploit demonstrated the danger of unchecked integer operations in JIT compilers.