CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes
在今年5月,我们注意到Chrome在一次更新中修复了一个被在野利用的V8漏洞,我们迅速定位了这个漏洞的修复,发现他是近些年来罕见的Parser模块的漏洞,这引起了我们很大的兴趣,于是有了以下的研究。 从patch到PoC 首先我们看一下此漏洞的patch: diff --git a/src/ast/scopes.cc b/src/ast/scopes.cc index 660fdd2e9ad..de4df35c0ad 100644 --- a/src/ast/scopes.cc +++ b/src/ast/scopes.cc @@ -2447,7 +2447,7 @@ bool Scope::MustAllocate(Variable* var) { var->set_is_used(); if (inner_scope_calls_eval_ && !var->is_this()) var->SetMaybeAssigned(); } - DCHECK(!var->has_forced_context_allocation() || var->is_used()); + CHECK(!var->has_forced_context_allocation() || var->is_used()); // Global variables do not need to be allocated. return !var->IsGlobalObjectProperty() && var->is_used(); } diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h index 40914d39a4f..65c338f343f 100644 --- a/src/parsing/parser-base.h +++ b/src/parsing/parser-base.h @@ -2661,6 +2661,7 @@ typename ParserBase<Impl>::BlockT ParserBase<Impl>::ParseClassStaticBlock( } FunctionState initializer_state(&function_state_, &scope_, initializer_scope); + FunctionParsingScope body_parsing_scope(impl()); AcceptINScope accept_in(this, true); // Each static block has its own var and lexical scope, so make a new var patch十分简单,实际真正有效的修复代码仅有一行,在解析class的static initialization block时新增了一个类型为FunctionParsingScope的变量,我们再看一下这个新增的变量做了什么: ...