
17 matches found

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2019-11850

Malware in sbrugna...

CVSS 7.8, AI score 7.5, EPSS 0.00417
Exploits: 0, References: 2

SUSE CVE
added 2023/02/15 4:50 a.m., 1 views

SUSE CVE-2017-5121

Inappropriate use of JIT optimisation in V8 in Google Chrome prior to 61.0.3163.100 for Linux, Windows, and Mac allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, related to the escape analysis phase...

CVSS 8.8, AI score 9.3, EPSS 0.05118
Exploits: 0, References: 4

NVD
added 2019/11/13 6:15 p.m., 10 views

CVE-2019-2208

In PromiseBuiltinsAssembler::NewPromiseCapability of builtins-promise.cc, there is a possible out of bounds read in v8 JIT code due to a bug in code generation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS 7.8, AI score 7.2, EPSS 0.00417
Exploits: 0, References: 1

OSV
added 2019/11/13 6:15 p.m., 3 views

CVE-2019-2208

In PromiseBuiltinsAssembler::NewPromiseCapability of builtins-promise.cc, there is a possible out of bounds read in v8 JIT code due to a bug in code generation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS 7.5, AI score 6, EPSS 0.00417
Exploits: 0, References: 1

Cvelist
added 2019/11/13 5:42 p.m., 16 views

CVE-2019-2208

In PromiseBuiltinsAssembler::NewPromiseCapability of builtins-promise.cc, there is a possible out of bounds read in v8 JIT code due to a bug in code generation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

AI score 7.2, EPSS 0.00417
Exploits: 0, References: 1

CVE
added 2019/11/13 5:42 p.m., 51 views

CVE-2019-2208

CVE-2019-2208 affects Android components (Android 8.1 and 9) with a flaw in V8 JIT code during PromiseBuiltinsAssembler::NewPromiseCapability, causing an out-of-bounds read. This can lead to remote information disclosure without user interaction or privileges. The connected records confirm the is...

CVSS 7.8, AI score 7.1, EPSS 0.00417
Exploits: 0, References: 1, Affected Software: 1

exploitpack
added 2018/04/25 12:0 a.m., 19 views

Chrome V8 JIT - AwaitedPromise Update Bug

Chrome V8 JIT - AwaitedPromise Update Bug / Here's a snippet of AsyncGeneratorReturn. https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-async-generator-gen.cc?rcl=bcd1365cf7fac0d7897c43b377c143aae2d22f92&l=650 Node const context = ParameterDescriptor::kContext; Node const outerpromise...

AI score 7.4
Exploits: 0

0day.today
added 2018/04/25 12:0 a.m., 57 views

Chrome V8 JIT - AwaitedPromise Update Bug Exploit

Exploit for multiple platform in category dos / poc / Here's a snippet of AsyncGeneratorReturn. https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-async-generator-gen.cc?rcl=bcd1365cf7fac0d7897c43b377c143aae2d22f92&l=650 Node const context = ParameterDescriptor::kContext; Node const...

AI score 7.4
Exploits: 0

Exploit DB
added 2018/04/25 12:0 a.m., 28 views

Chrome V8 JIT - 'AwaitedPromise' Update Bug

/ Here's a snippet of AsyncGeneratorReturn. https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-async-generator-gen.cc?rcl=bcd1365cf7fac0d7897c43b377c143aae2d22f92&l=650 Node const context = ParameterDescriptor::kContext; Node const outerpromise = LoadPromiseFromAsyncGeneratorRequestreq...

AI score 7.4
Exploits: 0

Exploit DB
added 2018/04/24 12:0 a.m., 28 views

Chrome V8 JIT - 'NodeProperties::InferReceiverMaps' Type Confusion

/ https://cs.chromium.org/chromium/src/v8/src/compiler/node-properties.cc?rcl=df84e87191022bf6914f9570069908f10b303245&l=416 Here's a snippet of NodeProperties::InferReceiverMaps. case IrOpcode::kJSCreate: if IsSamereceiver, effect HeapObjectMatcher mtargetGetValueInputeffect, 0; HeapObjectMatche...

AI score 7
Exploits: 0

Packet Storm
added 2018/04/21 12:0 a.m., 68 views

Chrome V8 JIT NodeProperties::InferReceiverMaps Type Confusion

Chrome: V8: JIT: Type confusion in NodeProperties::InferReceiverMaps https://cs.chromium.org/chromium/src/v8/src/compiler/node-properties.cc?rcl=df84e87191022bf6914f9570069908f10b303245&l=416 Here's a snippet of NodeProperties::InferReceiverMaps. case IrOpcode::kJSCreate: if IsSamereceiver, effec...

Exploits: 0

0day.today
added 2018/04/11 12:0 a.m., 20 views

Google Chrome V8 JIT - LoadElimination::ReduceTransitionElementsKind Type Confusion

Exploit for multiple platform in category dos / poc / I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b Reduction LoadElimination::ReduceTransitionElementsKindNode node ... if objectmaps.containsZoneHandleSetsourcema...

AI score 7.4
Exploits: 0

exploitpack
added 2018/04/10 12:0 a.m., 18 views

Google Chrome V8 JIT - LoadElimination::ReduceTransitionElementsKind Type Confusion

Google Chrome V8 JIT - LoadElimination::ReduceTransitionElementsKind Type Confusion / I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b Reduction LoadElimination::ReduceTransitionElementsKindNode node ... if...

AI score 0.2
Exploits: 0

Exploit DB
added 2018/04/10 12:0 a.m., 27 views

Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion

/ I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b Reduction LoadElimination::ReduceTransitionElementsKindNode node ... if objectmaps.containsZoneHandleSetsourcemap objectmaps.removesourcemap, zone;...

AI score 7.4
Exploits: 0

exploitpack
added 2018/03/06 12:0 a.m., 12 views

Chrome V8 JIT - GetSpecializationContext Type Confusion

Chrome V8 JIT - GetSpecializationContext Type Confusion PoC: function optarg = = arg let tmp = opt.x; // LdaNamedProperty for ;; arg; yield; function inner tmp; break; for let i = 0; i arg; this; , opt let tmp = arg.x; for ;; arg; yield; tmp = inner tmp; ; for let i = 0; i 10000; i++ opt; What...

AI score 0.4
Exploits: 0

exploitpack
added 2018/03/06 12:0 a.m., 21 views

Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug

Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField IrOpcode::kStoreElement Optimization Bug / I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/F0 Here's a snippet. case IrOpcode::kStoreField: FieldAccess...

AI score 7.4
Exploits: 0

Exploit DB
added 2018/03/06 12:0 a.m., 26 views

Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read

/ In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the example code would be generated as follows: Code: functi...

AI score 7
Exploits: 0