# Level 6

## Problem

Given a vulnerable builtin `Array.prototype.functionMap(func)`:

- It takes a `PACKED_DOUBLE_ELEMENTS` JSArray receiver and a JSFunction argument.
- It **reinterpret_cast**s `elements` to a `FixedDoubleArray`, then for each element `e`:
  - triggers the custom JavaScript callback `func`, with
    - Input: this double element `e`
    - Output: any double element `o`
  - and stores `o` back at `e`'s original position.
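As an added illustration (a constructed C model, not V8's source and not the challenge's own code), the flawed shape of such a builtin sits beside the hardened shape that re-validates the elements kind after every callback. `js_array`, `union slot`, `TAGGED_MARKER` and `transitioning_callback` are assumptions of this model, not V8 identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model, not V8's layout: a kind tag plus raw 64-bit element slots
 * that hold either an unboxed double or a tagged value (TAGGED_MARKER here). */
enum kind { PACKED_DOUBLE_ELEMENTS, PACKED_ELEMENTS };
union slot { uint64_t bits; double d; };
struct js_array { enum kind kind; size_t len; union slot slots[4]; };
#define TAGGED_MARKER 0x1ULL
typedef double (*callback_t)(struct js_array *receiver, double e);

/* Vulnerable shape: kind checked once, then the double view is used for the whole loop. */
static void function_map_vulnerable(struct js_array *a, callback_t func) {
    if (a->kind != PACKED_DOUBLE_ELEMENTS) return;
    union slot *elements = a->slots;         /* the reinterpret_cast to FixedDoubleArray */
    for (size_t i = 0; i < a->len; i++) {
        double o = func(a, elements[i].d);   /* side effect may transition the receiver */
        elements[i].d = o;                   /* raw double over a possibly tagged slot */
    }
}

/* Hardened shape: re-validate the kind after every callback; bail out if it changed. */
static bool function_map_hardened(struct js_array *a, callback_t func) {
    for (size_t i = 0; i < a->len; i++) {
        if (a->kind != PACKED_DOUBLE_ELEMENTS) return false;
        double o = func(a, a->slots[i].d);
        if (a->kind != PACKED_DOUBLE_ELEMENTS) return false;  /* real engine: generic path */
        a->slots[i].d = o;
    }
    return true;
}
/* Constructed callback: its side effect transitions the receiver to PACKED_ELEMENTS,
 * as storing an object into the array during the callback would. */
static double transitioning_callback(struct js_array *a, double e) {
    if (a->kind == PACKED_DOUBLE_ELEMENTS) {
        a->kind = PACKED_ELEMENTS;
        for (size_t i = 0; i < a->len; i++) a->slots[i].bits = TAGGED_MARKER;
    }
    return e + 1.0;
}

/* True when a PACKED_ELEMENTS slot holds a raw double instead of a tagged value. */
bool is_confused_after(bool hardened) {
    struct js_array a = { PACKED_DOUBLE_ELEMENTS, 2, { { .d = 1.5 }, { .d = 2.5 } } };
    if (hardened) function_map_hardened(&a, transitioning_callback);
    else function_map_vulnerable(&a, transitioning_callback);
    for (size_t i = 0; i < a.len; i++)
        if (a.kind == PACKED_ELEMENTS && a.slots[i].bits != TAGGED_MARKER) return true;
    return false;
}
```

`is_confused_after(false)` reports the confusion (a double's bit pattern now sits where a tagged value is expected), while `is_confused_after(true)` does not, because the hardened loop stops at the kind mismatch.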
## Key Knowledge

- Side-effect-based array element type confusion
  - CVE-2018-4233
    - [saelo/cve-2018-4233: Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018](https://github.com/saelo/cve-2018-4233)
    - [Attacking Client-Side JIT Compilers (v2)](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf#page=106)
    - [Pwn2Own 2018 CVE-2018-4233 Analysis](https://www.anquanke.com/post/id/244472)
  - Use this technique to construct the Address Of and Fake Object primitives.
- How to build d8 and debug it?
  - [Building V8 from source](https://v8.dev/docs/build)
  - [Building V8 with GN](https://v8.dev/docs/build-gn)