bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modifed README.md for Level 8 of PwnCollegeV8Exploitation

Browse Source
This commit is contained in:
Jack Ren
2024-09-17 10:47:23 +08:00
parent cce85999cb
commit e585401435
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
JavaScript/PwnCollegeV8Exploitation/Level8/README.md
View File

@@ -14,6 +14,9 @@ The elimination of `CheckBounds` node had been changed to:
- [JITSploitation I: A JIT Bug](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html)
- [CVE-2020-9802 JSC CSE漏洞分析](https://www.anquanke.com/post/id/245946)
- [CVE-2020-9802-WebKit JIT优化漏洞分析](https://xz.aliyun.com/t/8913)
- `String.lastIndexOf` Off By One bug in V8
- [Security: off by one in TurboFan range optimization for String.indexOf](https://issues.chromium.org/issues/40088942)
- [Attacking Client-Side JIT Compilers, Page 76-86](https://i.blackhat.com/us-18/Wed-August-8/us-18-Gross-New-Trends-In-Browser-Exploitation-Attacking-Client-Side-JIT-Compilers.pdf#page=76)
- Bound Check Elimination related Simplified Lowering Phase in V8
- [浅析 V8-turboFan](https://kiprey.github.io/2021/01/v8-turboFan/#4-SimplifiedLoweringPhase)
- Use this technique to corrupt array's length.