Level 8 of PwnCollegeV8Exploitation
This commit is contained in:
Jack Ren
21
JavaScript/PwnCollegeV8Exploitation/Level8/README.md
Normal file
21
JavaScript/PwnCollegeV8Exploitation/Level8/README.md
Normal file
@@ -0,0 +1,21 @@
|
||||
# Level 8
|
||||
|
||||
## Problem
|
||||
|
||||
The elimination of `CheckBounds` node had been changed to:
|
||||
- Assume `CheckBounds` node has two input operand node `index` and `length`.
|
||||
- Each of them have a type labeled with their range `[min, max]`.
|
||||
- When `index.min >= 0.0 && index.min < length.min`, the `CheckBounds` will be eliminated.
|
||||
|
||||
## Key Knowledge
|
||||
- Bound Check Elimination based Out of Bound Access
|
||||
- CVE-2020-9802
|
||||
- [Exploitation of CVE-2020-9802: a JavaScriptCore JIT Bug](https://shxdow.me/cve-2020-9802/)
|
||||
- [JITSploitation I: A JIT Bug](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html)
|
||||
- [CVE-2020-9802 JSC CSE漏洞分析](https://www.anquanke.com/post/id/245946)
|
||||
- [CVE-2020-9802-WebKit JIT优化漏洞分析](https://xz.aliyun.com/t/8913)
|
||||
- Bound Check Elimination related Simplified Lowering Phase in V8
|
||||
- [浅析 V8-turboFan](https://kiprey.github.io/2021/01/v8-turboFan/#4-SimplifiedLoweringPhase)
|
||||
- Use this technique to corrupt array's length.
|
||||
- Make JIT engine consider an unspeculated parameter as an integer
|
||||
- Use bitwise operations
|
||||
Reference in New Issue
Block a user