star ctf chrome oob writeup

发表于 2019-04-29 | 分类于浏览器 | | 阅读次数:

star ctf chrome oob writeup

bug

+BUILTIN(ArrayOob){
+    uint32_t len = args.length();
+    if(len > 2) return ReadOnlyRoots(isolate).undefined_value();//check len<=2,else return undefine
+    Handle<JSReceiver> receiver;
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+            isolate, receiver, Object::ToObject(isolate, args.receiver()));
+    Handle<JSArray> array = Handle<JSArray>::cast(receiver);
+    FixedDoubleArray elements = FixedDoubleArray::cast(array->elements());
+    uint32_t length = static_cast<uint32_t>(array->length()->Number());
+    if(len == 1){
+        //read
+        return *(isolate->factory()->NewNumber(elements.get_scalar(length)));---->length off by one
+    }else{
+        //write
+        Handle<Object> value;
+        ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+                isolate, value, Object::ToNumber(isolate, args.at<Object>(1)));
+        elements.set(length,value->Number());---->length off by one
+        return ReadOnlyRoots(isolate).undefined_value();
+    }
+}

可以看到在length这里有一个off-by-one

另外，这里有一个非预期的UAF，其实在Object::ToNumber(isolate, args.at