Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
--- a/PwnCollege/V8Exploitation/Level8/README.md
+++ b/PwnCollege/V8Exploitation/Level8/README.md
@@ -0,0 +1,24 @@
+# Level 8
+
+## Problem
+
+The elimination of `CheckBounds` node had been changed to:
+- Assume `CheckBounds` node has two input operand node `index` and `length`.
+    - Each of them have a type labeled with their range `[min, max]`. 
+- When `index.min >= 0.0 && index.min < length.min`, the `CheckBounds` will be eliminated.
+
+## Key Knowledge
+- Bound Check Elimination based Out of Bound Access
+    - CVE-2020-9802
+        - [Exploitation of CVE-2020-9802: a JavaScriptCore JIT Bug](https://shxdow.me/cve-2020-9802/)
+        - [JITSploitation I: A JIT Bug](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html)
+        - [CVE-2020-9802 JSC CSE漏洞分析](https://www.anquanke.com/post/id/245946)
+        - [CVE-2020-9802-WebKit JIT优化漏洞分析](https://xz.aliyun.com/t/8913)
+    - `String.lastIndexOf` Off By One bug in V8
+        - [Security: off by one in TurboFan range optimization for String.indexOf](https://issues.chromium.org/issues/40088942)
+        - [Attacking Client-Side JIT Compilers, Page 76-86](https://i.blackhat.com/us-18/Wed-August-8/us-18-Gross-New-Trends-In-Browser-Exploitation-Attacking-Client-Side-JIT-Compilers.pdf#page=76)
+    - Bound Check Elimination related Simplified Lowering Phase in V8
+        - [浅析 V8-turboFan](https://kiprey.github.io/2021/01/v8-turboFan/#4-SimplifiedLoweringPhase)
+    - Use this technique to corrupt array's length.
+- Make JIT engine consider an unspeculated parameter as an integer
+    - Use bitwise operations