pwn-learning/JavaScript/PwnCollegeV8Exploitation/Level8/README.md

Level 8

Problem

The elimination of CheckBounds node had been changed to:

• Assume CheckBounds node has two input operand node index and length.
  • Each of them have a type labeled with their range [min, max].
• When index.min >= 0.0 && index.min < length.min, the CheckBounds will be eliminated.

Key Knowledge

• Bound Check Elimination based Out of Bound Access
  • CVE-2020-9802
    • Exploitation of CVE-2020-9802: a JavaScriptCore JIT Bug
    • JITSploitation I: A JIT Bug
    • CVE-2020-9802 JSC CSE漏洞分析
    • CVE-2020-9802-WebKit JIT优化漏洞分析
  • Bound Check Elimination related Simplified Lowering Phase in V8
    • 浅析 V8-turboFan
  • Use this technique to corrupt array's length.
• Make JIT engine consider an unspeculated parameter as an integer
  • Use bitwise operations