CVE-2019-5782 on Arzedlab 🪵https://arzedlab.github.io/tags/cve-2019-5782/Recent content in CVE-2019-5782 on Arzedlab 🪵Hugoen-us© RavshanFri, 01 Dec 2023 13:13:13 +0500CVE-2019-5782 Out-Of-Bounds V8https://arzedlab.github.io/posts/cve-2019-5782-oob-v8-f710491993d8478483ca99402710ec07/Fri, 01 Dec 2023 13:13:13 +0500https://arzedlab.github.io/posts/cve-2019-5782-oob-v8-f710491993d8478483ca99402710ec07/<h1 id="cve-2019-5782--oob-v8">CVE-2019-5782 | OOB V8</h1> <h1 id="research-done-by-ravshan-rikhsiev-2023">Research Done By <strong>Ravshan Rikhsiev</strong> (2023)</h1> <table> <thead> <tr> <th><strong>Type Of Vulnerability</strong></th> <th><strong>Out-Of-Bounds</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Security Severity</strong></td> <td><strong>High</strong></td> </tr> <tr> <td><strong>Effected Components</strong></td> <td><strong>Javascript, Turbofan, Compiler</strong></td> </tr> <tr> <td><strong>Issue Source</strong></td> <td><a href="https://bugs.chromium.org/p/chromium/issues/detail?id=906043">https://bugs.chromium.org/p/chromium/issues/detail?id=906043</a></td> </tr> <tr> <td><strong>Writeup Source(s)</strong></td> <td>None</td> </tr> <tr> <td><strong>Tested Version</strong></td> <td>V8 7.3.0</td> </tr> <tr> <td><strong>Vulnerable commit</strong></td> <td>18b28402118b7918512c3e5b6bc5c6f348d43564</td> </tr> </tbody> </table> <h1 id="building">Building</h1> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir v8 </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">cd</span> v8 </span></span><span style="display:flex;"><span>fetch v8 </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">cd</span> v8 </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Moving into vulnerable commit</span> </span></span><span style="display:flex;"><span>git checkout 18b28402118b7918512c3e5b6bc5c6f348d43564 </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Sync depot tools</span> </span></span><span style="display:flex;"><span>gclient sync -D </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Installing dependencies </span> </span></span><span style="display:flex;"><span>build/install-build-deps.sh </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Installing ninja to build</span> </span></span><span style="display:flex;"><span>sudo apt install -y ninja-build </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Release and Debug versions of V8</span> </span></span><span style="display:flex;"><span>tools/dev/gm.py x64.release; tools/dev/gm.py x64.debug </span></span></code></pre></div><h1 id="incorrect-optimization-assumptions-in-v8"><strong>Incorrect optimization assumptions in V8</strong></h1> <p><strong>Turbofan</strong> is an optimizing compiler in the <strong>V8</strong> JavaScript engine. It translates JavaScript code into highly optimized machine code for better performance. It uses various techniques, such as inlining functions, optimizing data types, and eliminating unnecessary operations, to generate efficient code. This helps improve the execution speed of JavaScript programs running in V8.</p>