Turbofan on Arzedlab 🪵

CVE-2021-38003 The Hole Leak to RCE

Sat, 30 Mar 2024 00:00:00 +0000

CVE-2021-38003 | The Hole Leak to RCE

Type Of Vulnerability	The Hole Leak
Security Severity	High
Effected Components	Javascript, Turbofan
Issue Source	https://issues.chromium.org/issues/40057710
Writeup Source(s)	None
Tested Version	Google Chrome 95.0.4638.54 (Official Build) (x86_64)
Vulnerable commit	a4252db3228433fed5c2bdb0fdff9a6b7b638f3b

Deep Dive Into Vulnerability

[1] The vulnerability arises as V8 attempts to handle exceptions in JSON.stringify(). If a exception appears in the built-in function, pending_exception_ is set by the Isolate::set_pending_exception() method. The calling code then moves to the V8 exception handling mechanism, where the Isolate::pending_exception() member is fetched from the active isolate and the currently active JavaScript exception handler is invoked using it.

CVE-2020-6418 Type Confusion V8

Fri, 02 Feb 2024 13:13:13 +0500

CVE-2020-6418 | Incorrect Optimization

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Type Confusion
Security Severity	High
Effected Components	Javascript, Turbofan, Optimizer
Issue Source	https://issues.chromium.org/issues/40051542
Writeup Source(s)	Later
Tested Version	V8 8.2.0
Vulnerable commit	bdaa7d66a37adcc1f1d81c9b0f834327a74ffe07

CVE-2020-6418 is a security vulnerability that was identified in the V8 JavaScript engine, which is used in various web browsers including Google Chrome. This vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on 2020-02-18 [1] and assigned CVE-2020-6418. It was classified as a type confusion bug in the V8 engine.

CVE-2019-5782 Out-Of-Bounds V8

Fri, 01 Dec 2023 13:13:13 +0500

CVE-2019-5782 | OOB V8

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Out-Of-Bounds
Security Severity	High
Effected Components	Javascript, Turbofan, Compiler
Issue Source	https://bugs.chromium.org/p/chromium/issues/detail?id=906043
Writeup Source(s)	None
Tested Version	V8 7.3.0
Vulnerable commit	18b28402118b7918512c3e5b6bc5c6f348d43564

Building

mkdir v8
cd v8
fetch v8
cd v8
# Moving into vulnerable commit
git checkout 18b28402118b7918512c3e5b6bc5c6f348d43564
# Sync depot tools
gclient sync -D
# Installing dependencies 
build/install-build-deps.sh
# Installing ninja to build
sudo apt install -y ninja-build
# Release and Debug versions of V8
tools/dev/gm.py x64.release; tools/dev/gm.py x64.debug

Incorrect optimization assumptions in V8

Turbofan is an optimizing compiler in the V8 JavaScript engine. It translates JavaScript code into highly optimized machine code for better performance. It uses various techniques, such as inlining functions, optimizing data types, and eliminating unnecessary operations, to generate efficient code. This helps improve the execution speed of JavaScript programs running in V8.