Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
--- a/PwnCollege/V8Exploitation/Level9/patch
+++ b/PwnCollege/V8Exploitation/Level9/patch
@@ -0,0 +1,351 @@
+diff --git a/BUILD.bazel b/BUILD.bazel
+index 3d37f45cede..584701ef478 100644
+--- a/BUILD.bazel
+++ b/BUILD.bazel
+@@ -1921,6 +1921,8 @@ filegroup(
+         "src/sandbox/external-pointer.h",
+         "src/sandbox/external-pointer-table.cc",
+         "src/sandbox/external-pointer-table.h",
+		"src/sandbox/testing.cc",
+		"src/sandbox/testing.h",
+         "src/sandbox/sandbox.cc",
+         "src/sandbox/sandbox.h",
+         "src/sandbox/sandboxed-pointer-inl.h",
+diff --git a/BUILD.gn b/BUILD.gn
+index 7ef8c1f2e06..d0538db38c3 100644
+--- a/BUILD.gn
+++ b/BUILD.gn
+@@ -304,18 +304,18 @@ declare_args() {
+ 
+   # Enable the experimental V8 sandbox.
+   # Sets -DV8_SANDBOX.
+-  v8_enable_sandbox = false
+  v8_enable_sandbox = true
+ 
+   # Enable external pointer sandboxing. Requires v8_enable_sandbox.
+   # Sets -DV8_SANDBOXED_EXTERNAL_POINRTERS.
+-  v8_enable_sandboxed_external_pointers = false
+  v8_enable_sandboxed_external_pointers = true
+ 
+   # Enable sandboxed pointers. Requires v8_enable_sandbox.
+   # Sets -DV8_SANDBOXED_POINTERS.
+-  v8_enable_sandboxed_pointers = false
+  v8_enable_sandboxed_pointers = true
+ 
+   # Enable all available sandbox features. Implies v8_enable_sandbox.
+-  v8_enable_sandbox_future = false
+  v8_enable_sandbox_future = true
+ 
+   # Experimental feature for collecting per-class zone memory stats.
+   # Requires use_rtti = true
+@@ -3332,6 +3332,7 @@ v8_header_set("v8_internal_headers") {
+     "src/sandbox/sandbox.h",
+     "src/sandbox/sandboxed-pointer-inl.h",
+     "src/sandbox/sandboxed-pointer.h",
+    "src/sandbox/testing.h",
+     "src/snapshot/code-serializer.h",
+     "src/snapshot/context-deserializer.h",
+     "src/snapshot/context-serializer.h",
+@@ -4353,6 +4354,7 @@ v8_source_set("v8_base_without_compiler") {
+     "src/runtime/runtime.cc",
+     "src/sandbox/external-pointer-table.cc",
+     "src/sandbox/sandbox.cc",
+    "src/sandbox/testing.cc",
+     "src/snapshot/code-serializer.cc",
+     "src/snapshot/context-deserializer.cc",
+     "src/snapshot/context-serializer.cc",
+diff --git a/src/d8/d8.cc b/src/d8/d8.cc
+index 050cbdc78df..061379666a8 100644
+--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
+@@ -2860,7 +2860,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(Isolate* isolate) {
+ 
+ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
+-  global_template->Set(Symbol::GetToStringTag(isolate),
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
+                        String::NewFromUtf8Literal(isolate, "global"));
+   global_template->Set(isolate, "version",
+                        FunctionTemplate::New(isolate, Version));
+@@ -2877,13 +2877,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   global_template->Set(isolate, "readline",
+                        FunctionTemplate::New(isolate, ReadLine));
+   global_template->Set(isolate, "load",
+-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
+   global_template->Set(isolate, "setTimeout",
+                        FunctionTemplate::New(isolate, SetTimeout));
+   // Some Emscripten-generated code tries to call 'quit', which in turn would
+   // call C's exit(). This would lead to memory leaks, because there is no way
+   // we can terminate cleanly then, so we need a way to hide 'quit'.
+-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
+     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
+   }
+   global_template->Set(isolate, "testRunner",
+@@ -2909,7 +2909,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   if (i::FLAG_expose_async_hooks) {
+     global_template->Set(isolate, "async_hooks",
+                          Shell::CreateAsyncHookTemplate(isolate));
+-  }
+  }*/
+ 
+   return global_template;
+ }
+diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
+index 16015435073..ecd1fbb4116 100644
+--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
+@@ -24,6 +24,7 @@
+ #include "src/logging/runtime-call-stats-scope.h"
+ #include "src/objects/instance-type.h"
+ #include "src/objects/objects.h"
+#include "src/sandbox/testing.h"
+ #ifdef ENABLE_VTUNE_TRACEMARK
+ #include "src/extensions/vtunedomain-support-extension.h"
+ #endif  // ENABLE_VTUNE_TRACEMARK
+@@ -5694,6 +5695,10 @@ bool Genesis::InstallSpecialObjects(Isolate* isolate,
+   }
+ #endif  // V8_ENABLE_WEBASSEMBLY
+ 
+  if (GetProcessWideSandbox()->is_initialized()) {
+    MemoryCorruptionApi::Install(isolate);
+  }
+
+   return true;
+ }
+ 
+diff --git a/src/sandbox/testing.cc b/src/sandbox/testing.cc
+new file mode 100644
+index 00000000000..327fd33588d
+--- /dev/null
+++ b/src/sandbox/testing.cc
+@@ -0,0 +1,194 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "src/sandbox/testing.h"
+
+#include "src/api/api-inl.h"
+#include "src/api/api-natives.h"
+#include "src/common/globals.h"
+#include "src/execution/isolate-inl.h"
+#include "src/heap/factory.h"
+#include "src/objects/backing-store.h"
+#include "src/objects/js-objects.h"
+#include "src/objects/templates.h"
+#include "src/sandbox/sandbox.h"
+
+namespace v8 {
+namespace internal {
+
+//#ifdef V8_EXPOSE_MEMORY_CORRUPTION_API
+
+namespace {
+
+// Sandbox.byteLength
+void SandboxGetByteLength(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+  double sandbox_size = GetProcessWideSandbox()->size();
+  args.GetReturnValue().Set(v8::Number::New(isolate, sandbox_size));
+}
+
+// new Sandbox.MemoryView(args) -> Sandbox.MemoryView
+void SandboxMemoryView(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+  Local<v8::Context> context = isolate->GetCurrentContext();
+
+  if (!args.IsConstructCall()) {
+    isolate->ThrowError("Sandbox.MemoryView must be invoked with 'new'");
+    return;
+  }
+
+  Local<v8::Integer> arg1, arg2;
+  if (!args[0]->ToInteger(context).ToLocal(&arg1) ||
+      !args[1]->ToInteger(context).ToLocal(&arg2)) {
+    isolate->ThrowError("Expects two number arguments (start offset and size)");
+    return;
+  }
+
+  Sandbox* sandbox = GetProcessWideSandbox();
+  CHECK_LE(sandbox->size(), kMaxSafeIntegerUint64);
+
+  uint64_t offset = arg1->Value();
+  uint64_t size = arg2->Value();
+  if (offset > sandbox->size() || size > sandbox->size() ||
+      (offset + size) > sandbox->size()) {
+    isolate->ThrowError(
+        "The MemoryView must be entirely contained within the sandbox");
+    return;
+  }
+
+  Factory* factory = reinterpret_cast<Isolate*>(isolate)->factory();
+  std::unique_ptr<BackingStore> memory = BackingStore::WrapAllocation(
+      reinterpret_cast<void*>(sandbox->base() + offset), size,
+      v8::BackingStore::EmptyDeleter, nullptr, SharedFlag::kNotShared);
+  if (!memory) {
+    isolate->ThrowError("Out of memory: MemoryView backing store");
+    return;
+  }
+  Handle<JSArrayBuffer> buffer = factory->NewJSArrayBuffer(std::move(memory));
+  args.GetReturnValue().Set(Utils::ToLocal(buffer));
+}
+
+// Sandbox.getAddressOf(object) -> Number
+void SandboxGetAddressOf(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+
+  if (args.Length() == 0) {
+    isolate->ThrowError("First argument must be provided");
+    return;
+  }
+
+  Handle<Object> arg = Utils::OpenHandle(*args[0]);
+  if (!arg->IsHeapObject()) {
+    isolate->ThrowError("First argument must be a HeapObject");
+    return;
+  }
+
+  // HeapObjects must be allocated inside the pointer compression cage so their
+  // address relative to the start of the sandbox can be obtained simply by
+  // taking the lowest 32 bits of the absolute address.
+  uint32_t address = static_cast<uint32_t>(HeapObject::cast(*arg).address());
+  args.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address));
+}
+
+// Sandbox.getSizeOf(object) -> Number
+void SandboxGetSizeOf(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+
+  if (args.Length() == 0) {
+    isolate->ThrowError("First argument must be provided");
+    return;
+  }
+
+  Handle<Object> arg = Utils::OpenHandle(*args[0]);
+  if (!arg->IsHeapObject()) {
+    isolate->ThrowError("First argument must be a HeapObject");
+    return;
+  }
+
+  int size = HeapObject::cast(*arg).Size();
+  args.GetReturnValue().Set(v8::Integer::New(isolate, size));
+}
+
+Handle<FunctionTemplateInfo> NewFunctionTemplate(
+    Isolate* isolate, FunctionCallback func,
+    ConstructorBehavior constructor_behavior) {
+  // Use the API functions here as they are more convenient to use.
+  v8::Isolate* api_isolate = reinterpret_cast<v8::Isolate*>(isolate);
+  Local<FunctionTemplate> function_template =
+      FunctionTemplate::New(api_isolate, func, {}, {}, 0, constructor_behavior,
+                            SideEffectType::kHasSideEffect);
+  return v8::Utils::OpenHandle(*function_template);
+}
+
+Handle<JSFunction> CreateFunc(Isolate* isolate, FunctionCallback func,
+                              Handle<String> name, bool is_constructor) {
+  ConstructorBehavior constructor_behavior = is_constructor
+                                                 ? ConstructorBehavior::kAllow
+                                                 : ConstructorBehavior::kThrow;
+  Handle<FunctionTemplateInfo> function_template =
+      NewFunctionTemplate(isolate, func, constructor_behavior);
+  return ApiNatives::InstantiateFunction(function_template, name)
+      .ToHandleChecked();
+}
+
+void InstallFunc(Isolate* isolate, Handle<JSObject> holder,
+                 FunctionCallback func, const char* name, int num_parameters,
+                 bool is_constructor) {
+  Factory* factory = isolate->factory();
+  Handle<String> function_name = factory->NewStringFromAsciiChecked(name);
+  Handle<JSFunction> function =
+      CreateFunc(isolate, func, function_name, is_constructor);
+  function->shared().set_length(num_parameters);
+  JSObject::AddProperty(isolate, holder, function_name, function, NONE);
+}
+
+void InstallGetter(Isolate* isolate, Handle<JSObject> object,
+                   FunctionCallback func, const char* name) {
+  Factory* factory = isolate->factory();
+  Handle<String> property_name = factory->NewStringFromAsciiChecked(name);
+  Handle<JSFunction> getter = CreateFunc(isolate, func, property_name, false);
+  Handle<Object> setter = factory->null_value();
+  JSObject::DefineAccessor(object, property_name, getter, setter, FROZEN);
+}
+
+void InstallFunction(Isolate* isolate, Handle<JSObject> holder,
+                     FunctionCallback func, const char* name,
+                     int num_parameters) {
+  InstallFunc(isolate, holder, func, name, num_parameters, false);
+}
+
+void InstallConstructor(Isolate* isolate, Handle<JSObject> holder,
+                        FunctionCallback func, const char* name,
+                        int num_parameters) {
+  InstallFunc(isolate, holder, func, name, num_parameters, true);
+}
+
+}  // namespace
+
+// static
+void MemoryCorruptionApi::Install(Isolate* isolate) {
+  CHECK(GetProcessWideSandbox()->is_initialized());
+
+  Factory* factory = isolate->factory();
+
+  // Create the special Sandbox object that provides read/write access to the
+  // sandbox address space alongside other miscellaneous functionality.
+  Handle<JSObject> sandbox =
+      factory->NewJSObject(isolate->object_function(), AllocationType::kOld);
+
+  InstallGetter(isolate, sandbox, SandboxGetByteLength, "byteLength");
+  InstallConstructor(isolate, sandbox, SandboxMemoryView, "MemoryView", 2);
+  InstallFunction(isolate, sandbox, SandboxGetAddressOf, "getAddressOf", 1);
+  InstallFunction(isolate, sandbox, SandboxGetSizeOf, "getSizeOf", 1);
+
+  // Install the Sandbox object as property on the global object.
+  Handle<JSGlobalObject> global = isolate->global_object();
+  Handle<String> name = factory->NewStringFromAsciiChecked("Sandbox");
+  JSObject::AddProperty(isolate, global, name, sandbox, DONT_ENUM);
+}
+
+//#endif  // V8_EXPOSE_MEMORY_CORRUPTION_API
+
+}  // namespace internal
+}  // namespace v8
+diff --git a/src/sandbox/testing.h b/src/sandbox/testing.h
+new file mode 100644
+index 00000000000..0c30397c3c5
+--- /dev/null
+++ b/src/sandbox/testing.h
+@@ -0,0 +1,28 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef V8_SANDBOX_TESTING_H_
+#define V8_SANDBOX_TESTING_H_
+
+#include "src/common/globals.h"
+
+namespace v8 {
+namespace internal {
+
+//#ifdef V8_EXPOSE_MEMORY_CORRUPTION_API
+// A JavaScript API that emulates typical exploit primitives.
+//
+// This can be used for testing the sandbox, for example to write regression
+// tests for bugs in the sandbox or to develop fuzzers.
+class MemoryCorruptionApi {
+ public:
+  V8_EXPORT_PRIVATE static void Install(Isolate* isolate);
+};
+
+//#endif  // V8_EXPOSE_MEMORY_CORRUPTION_API
+
+}  // namespace internal
+}  // namespace v8
+
+#endif  // V8_SANDBOX_TESTING_H_