V8 on Arzedlab 🪵

CVE-2021-38003 The Hole Leak to RCE

Sat, 30 Mar 2024 00:00:00 +0000

CVE-2021-38003 | The Hole Leak to RCE

Type Of Vulnerability	The Hole Leak
Security Severity	High
Effected Components	Javascript, Turbofan
Issue Source	https://issues.chromium.org/issues/40057710
Writeup Source(s)	None
Tested Version	Google Chrome 95.0.4638.54 (Official Build) (x86_64)
Vulnerable commit	a4252db3228433fed5c2bdb0fdff9a6b7b638f3b

Deep Dive Into Vulnerability

[1] The vulnerability arises as V8 attempts to handle exceptions in JSON.stringify(). If a exception appears in the built-in function, pending_exception_ is set by the Isolate::set_pending_exception() method. The calling code then moves to the V8 exception handling mechanism, where the Isolate::pending_exception() member is fetched from the active isolate and the currently active JavaScript exception handler is invoked using it.

CVE-2020-6418 Type Confusion V8

Fri, 02 Feb 2024 13:13:13 +0500

CVE-2020-6418 | Incorrect Optimization

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Type Confusion
Security Severity	High
Effected Components	Javascript, Turbofan, Optimizer
Issue Source	https://issues.chromium.org/issues/40051542
Writeup Source(s)	Later
Tested Version	V8 8.2.0
Vulnerable commit	bdaa7d66a37adcc1f1d81c9b0f834327a74ffe07

CVE-2020-6418 is a security vulnerability that was identified in the V8 JavaScript engine, which is used in various web browsers including Google Chrome. This vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on 2020-02-18 [1] and assigned CVE-2020-6418. It was classified as a type confusion bug in the V8 engine.

CVE-2019-5782 Out-Of-Bounds V8

Fri, 01 Dec 2023 13:13:13 +0500

CVE-2019-5782 | OOB V8

Research Done By Ravshan Rikhsiev (2023)

Type Of Vulnerability	Out-Of-Bounds
Security Severity	High
Effected Components	Javascript, Turbofan, Compiler
Issue Source	https://bugs.chromium.org/p/chromium/issues/detail?id=906043
Writeup Source(s)	None
Tested Version	V8 7.3.0
Vulnerable commit	18b28402118b7918512c3e5b6bc5c6f348d43564

Building

mkdir v8
cd v8
fetch v8
cd v8
# Moving into vulnerable commit
git checkout 18b28402118b7918512c3e5b6bc5c6f348d43564
# Sync depot tools
gclient sync -D
# Installing dependencies 
build/install-build-deps.sh
# Installing ninja to build
sudo apt install -y ninja-build
# Release and Debug versions of V8
tools/dev/gm.py x64.release; tools/dev/gm.py x64.debug

Incorrect optimization assumptions in V8

Turbofan is an optimizing compiler in the V8 JavaScript engine. It translates JavaScript code into highly optimized machine code for better performance. It uses various techniques, such as inlining functions, optimizing data types, and eliminating unnecessary operations, to generate efficient code. This helps improve the execution speed of JavaScript programs running in V8.

V8 Internals: Tree

Sat, 05 Aug 2023 00:00:00 +0000

V8 source tree

v8/
├─ src/
│ ├─ [api]
│ ├─ [asmjs]
│ ├─ [ast]
│ ├─ [base]
│ ├─ [baseline]
│ ├─ [bigint]
│ ├─ [builtins]
│ ├─ [codegen]
│ ├─ [common]
│ ├─ [compiler-dispatcher]
│ ├─ [compiler]
│ ├─ [d8]
│ ├─ [date]
│ ├─ [debug]
│ ├─ [deoptimizer]
│ ├─ [diagnostics]
│ ├─ [execution]
│ ├─ [extensions]
│ ├─ [flags]
│ ├─ [fuzzilli]
│ ├─ [handles]
│ ├─ [heap]
│ ├─ [ic]
│ ├─ [init]
│ ├─ [inspector]
│ ├─ [interpreter]
│ ├─ [json]
│ ├─ [libplatform]
│ ├─ [libsampler]
│ ├─ [logging]
│ ├─ [maglev]
│ ├─ [numbers]
│ ├─ [objects]
│ ├─ [parsing]
│ ├─ [profiler]
│ ├─ [protobuf]
│ ├─ [regexp]
│ ├─ [roots]
│ ├─ [runtime]
│ ├─ [sandbox]
│ ├─ [snapshot]
│ ├─ [strings]
│ ├─ [tasks]
│ ├─ [temporal]
│ ├─ [third_party]
│ ├─ [torque]
│ ├─ [tracing]
│ ├─ [trap-handler]
│ ├─ [utils]
│ ├─ [wasm]
│ ├─ [zone]
├─ third_party/

`v8/src/api`

The v8/src/api directory in the V8 codebase is part of the V8 API. The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks¹.

Getting Started with Embedding V8

Thu, 06 Jul 2023 00:00:00 +0000

Getting Started with Embedding V8

Installing & Testing Standalone V8 application

Download the V8 source code
Create a build configuration using the helper script:

tools/dev/v8gen.py x64.release.sample

You can inspect and manually edit the build configuration by running:

gn args out.gn/x64.release.sample

Build the static library on a Linux 64 system:

ninja -C out.gn/x64.release.sample v8_monolith

Compile hello-world.cc, linking to the static library created in the build process. For example, on 64bit Linux using the GNU compiler:

g++ -I. -Iinclude samples/hello-world.cc -o hello_world -fno-rtti -lv8_monolith -lv8_libbase -lv8_libplatform -ldl -Lout.gn/x64.release.sample/obj/ -pthread -std=c++17 -DV8_COMPRESS_POINTERS -DV8_ENABLE_SANDBOX

For more complex code, V8 fails without an ICU data file. Copy this file to where your binary is stored:

cp out.gn/x64.release.sample/icudtl.dat .

Run the hello_world executable file at the command line. e.g. On Linux, in the V8 directory, run:

./hello_world

V8 as a standalone virtual machine has some key V8 concepts such as handles, scopes, and contexts. The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks. Your application can use V8 just like any other C++ library. Your C++ code accesses V8 through the V8 API by including the header include/v8.h.