CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes
In May of this year, we noticed that Chrome fixed a V8 vulnerability that was being exploited in the wild in this update. We quickly pinpointed the fix for this vulnerability and discovered that it was a rare bug in the Parser module, which piqued our interest greatly. This led to the following research. From Patch to PoC First, let’s take a look at the patch for this vulnerability: diff --git a/src/ast/scopes.cc b/src/ast/scopes.cc index 660fdd2e9ad..de4df35c0ad 100644 --- a/src/ast/scopes.cc +++ b/src/ast/scopes.cc @@ -2447,7 +2447,7 @@ bool Scope::MustAllocate(Variable* var) { var->set_is_used(); if (inner_scope_calls_eval_ && !var->is_this()) var->SetMaybeAssigned(); } - DCHECK(!var->has_forced_context_allocation() || var->is_used()); + CHECK(!var->has_forced_context_allocation() || var->is_used()); // Global variables do not need to be allocated. return !var->IsGlobalObjectProperty() && var->is_used(); } diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h index 40914d39a4f..65c338f343f 100644 --- a/src/parsing/parser-base.h +++ b/src/parsing/parser-base.h @@ -2661,6 +2661,7 @@ typename ParserBase<Impl>::BlockT ParserBase<Impl>::ParseClassStaticBlock( } FunctionState initializer_state(&function_state_, &scope_, initializer_scope); + FunctionParsingScope body_parsing_scope(impl()); AcceptINScope accept_in(this, true); // Each static block has its own var and lexical scope, so make a new var The patch is very simple, the actual effective fix is just one line of code. This line introduces a variable of type FunctionParsingScope when parsing the static initialization block of a class. Let’s examine what this newly introduced variable does: ...