In this post I'll exploit CVE-2022-1134, a type confusion in V8, the JavaScript engine of Chrome, that I reported in March 2022 as bug 1308360 and that was fixed in version 1.60. This bug allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.

The bug exists in the super inline cache (SuperIC) feature, which has a history of exploitable vulnerabilities. In what follows, I'll go through some implementation details of the inline cache, as well as interactions between V8 and Blink (the Chrome renderer), to fill in the background required to understand and exploit this bug.

Inline cache is an optimization used in V8 for speeding up property accesses in bytecode generated by Ignition (the interpreter in V8). Roughly speaking, when a JavaScript function is run, Ignition will compile the function into bytecode, which then collects profiling data and feedback every time the function is run. The feedback is then used by the JIT compiler to generate optimized machine code at a later stage. As the V8 optimization pipeline is very well documented, I'll not repeat the details here, but refer readers to this article and the references within. Readers may also wish to consult "JavaScript engine fundamentals: Shapes and Inline Caches" by Mathias Bynens to get a high-level understanding of object types and inline caches in V8.

To distinguish between object types and optimize property accesses, each JavaScript object in V8 stores a map as its first property:

DebugPrint: 0x282908049499:

The map of an object stores important information, such as the type of the object and the offsets of each of its properties. The memory layout of objects with the same map is the same, meaning that their properties are at the same offsets. This allows property accesses to be optimized once the map of an object is known. In overly simplified terms, when the bytecode for a property access is run, the maps of the input objects are recorded, and an optimized handler is created for each map. When the function is run in the future, if an object of a known map is passed, the optimized handler corresponding to this map is used to access the property of the object.
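To make the map/handler relationship concrete, the following is an added toy model written for this post; it is not V8's code and does not use V8's internal APIs. The names Shape, makeObject and ICSite are invented for the illustration. It interns property layouts into shared Shape objects (standing in for maps), stores the shape as the first field of each object, and gives a property-access site a per-shape handler table that records the slot offset on a miss and reuses it on a hit, so the monomorphic/polymorphic transition and the guard that ties each handler to exactly one shape can be observed directly.

```javascript
// Added illustration (not V8 source): a minimal model of maps and inline caches.
// Names Shape, makeObject and ICSite are constructed for this example.

// A Shape records property name -> slot offset. Shapes are interned so that
// objects built with the same property names in the same order share one Shape,
// mirroring how such objects share a map in V8.
const shapeTable = new Map(); // "x,y" -> Shape
class Shape {
  constructor(keys) {
    this.offsets = new Map(keys.map((k, i) => [k, i]));
  }
  static intern(keys) {
    const id = keys.join(',');
    if (!shapeTable.has(id)) shapeTable.set(id, new Shape(keys));
    return shapeTable.get(id);
  }
}

// A model "heap object": the shape pointer comes first (like V8's map word),
// followed by the property slots laid out in shape order.
function makeObject(props) {
  const keys = Object.keys(props);
  return { shape: Shape.intern(keys), slots: keys.map((k) => props[k]) };
}

// One property-access site. It remembers, per shape, the offset where the
// property lives. A handler is only ever used after the shape check succeeds:
// that guard is what makes reusing a recorded offset safe.
class ICSite {
  constructor(propertyName, maxPolymorphism = 4) {
    this.name = propertyName;
    this.handlers = new Map(); // Shape -> slot offset
    this.max = maxPolymorphism;
    this.megamorphic = false;
    this.stats = { hits: 0, misses: 0 };
  }
  state() {
    if (this.megamorphic) return 'megamorphic';
    const n = this.handlers.size;
    return n === 0 ? 'uninitialized' : n === 1 ? 'monomorphic' : 'polymorphic';
  }
  load(obj) {
    const offset = this.handlers.get(obj.shape);
    if (offset !== undefined) {           // fast path: shape already seen here
      this.stats.hits++;
      return obj.slots[offset];
    }
    this.stats.misses++;                  // slow path: look the name up in the shape
    const slow = obj.shape.offsets.get(this.name);
    if (slow === undefined) return undefined;
    if (this.handlers.size < this.max) this.handlers.set(obj.shape, slow);
    else this.megamorphic = true;         // too many shapes: stop specialising
    return obj.slots[slow];
  }
}

// Drive one site with two same-shaped objects and one with a different layout.
function demo() {
  const site = new ICSite('x');
  const a = makeObject({ x: 1, y: 2 });
  const b = makeObject({ x: 3, y: 4 }); // same shape as a: x at offset 0
  const c = makeObject({ y: 5, x: 6 }); // different order: new shape, x at offset 1
  const values = [site.load(a), site.load(b), site.load(c), site.load(a)];
  return {
    values,
    state: site.state(),
    stats: { ...site.stats },
    sameShape: a.shape === b.shape,
    cShapeDiffers: a.shape !== c.shape,
  };
}

module.exports = { Shape, makeObject, ICSite, demo };
```

Running demo() shows the site go from uninitialized to monomorphic after the first miss, stay monomorphic while objects of the same shape arrive (the second load is a hit), and become polymorphic once a differently ordered object appears. The only thing that makes the cached offset 0 or 1 correct for a given object is that the lookup is keyed on the object's shape; an inline cache that applied a handler recorded for one shape to an object of another would read the wrong slot, which is the shape of the type confusion this post goes on to discuss.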