Object wrappers for primitive values use out-dated [[PrimitiveValue]] naming for internal slots rather than [[StringData]], [[NumberData]] etc
Reported by
marsolle...@gmail.com,
Mar 11 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Have successfully reported caller.callee escalating into internal Chrome JS and v8 in the past
2. Have figured __proto__.__proto__ and constructor until I saw [[PrimitiveValue]] with arbitrary memory values in Debugger
3. window.window.__proto__.__proto__.__proto__.__proto__.constructor(1212121212121121+'A'+21212)
4. String
0: "1"
1: "2"
2: "1"
3: "2"
4: "1"
5: "2"
6: "1"
7: "2"
8: "1"
9: "2"
10: "1"
11: "2"
12: "1"
13: "1"
14: "2"
15: "1"
16: "A"
17: "2"
18: "1"
19: "2"
20: "1"
21: "2"
length: 22
__proto__: String
[[PrimitiveValue]]: "1212121212121121A21212"

What is the expected behavior?
None of the __proto__.constructor magic, but if __proto__ because of internal v8 hierarchy, then no [[PrimitiveValue]]'s in public website JS browser contexts

What went wrong?
You may have exposed too much of v8 into the public web.

Did this work before? No

Chrome version: 56.0.2924.87 Channel: stable
OS Version: OS X 10.10.5
Flash Version:

Might be expected behavior, but created [[PrimitiveValue]] looks like a ground base for memory corruption in v8. Considering unescape() Heap Spray attacks in the past and present.
Mar 14 2017
I don't see what's supposedly wrong here; perhaps I'm misreading the example. At least the "exploit file" doesn't contain anything obviously wrong. window.window.__proto__.__proto__.__proto__.__proto__.constructor is simply Object. If you call that with a primitive value, it converts it to an object as required by the spec. Hence it creates a native-context specific object wrapper. For strings this is a string wrapper, for numbers a number wrapper. That's why typeof x and typeof y is "object". [[PrimitiveValue]] is simply V8 internal naming for [[StringData]], [[NumberData]] etc in the spec (see http://www.ecma-international.org/ecma-262/6.0/#sec-toobject). Also the values aren't arbitrary? They are exactly what you passed in? I guess you might be confused by how DevTools renders the string object with all characters separately?
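The object-wrapper behaviour described in this reply, as an added example rather than code from the bug report or from V8: the prototype walk bottoms out at Object, and Object(primitive) yields a wrapper whose wrapped value is exactly the input (assumes a Node or browser runtime; globalThis stands in for window).

```javascript
// Added example: what the report's __proto__ chain actually resolves to and
// what Object(primitive) produces. Uses globalThis so it runs outside a browser.
const REPORTED_INPUT = 1212121212121121 + 'A' + 21212; // the value from step 3

// Follow [[Prototype]] links to the root of the chain (Object.prototype for
// ordinary objects) and return that root's constructor. This generalises the
// report's fixed window.__proto__.__proto__.__proto__.__proto__ walk, which
// depends on how many links a particular host object happens to have.
function rootConstructor(value) {
  let proto = Object.getPrototypeOf(Object(value));
  if (proto === null) return null;               // e.g. Object.create(null)
  while (Object.getPrototypeOf(proto) !== null) {
    proto = Object.getPrototypeOf(proto);
  }
  return proto.constructor;
}

// Apply ToObject (via the Object constructor) to a primitive and report the
// wrapper's observable properties. The internal slot DevTools labels
// [[PrimitiveValue]] is not reachable from script; valueOf() is the spec way
// to read the wrapped primitive back.
function describeWrapper(primitive) {
  const wrapper = Object(primitive);
  return {
    typeofWrapper: typeof wrapper,                                   // "object"
    className: Object.prototype.toString.call(wrapper).slice(8, -1), // String, Number, ...
    primitiveValue: wrapper.valueOf(),
    roundTrips: wrapper.valueOf() === primitive,  // wrapper holds exactly the input
    // String wrappers expose one own enumerable property per character, which is
    // the per-index listing DevTools rendered; other wrappers expose none.
    ownIndexCount: Object.keys(wrapper).filter((k) => /^\d+$/.test(k)).length,
  };
}

console.log(rootConstructor(globalThis) === Object);   // true
console.log(describeWrapper(REPORTED_INPUT));          // String wrapper, 22 indices
console.log(describeWrapper(42), describeWrapper(true));
```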
Mar 14 2017
I wonder however why devtools exposes [[PrimitiveValue]] instead of the correct name of the internal slot as shown in the spec
Mar 14 2017
Primarily curious about [[PrimitiveValue]] as well, was wondering whether in combination with a Debugger/Memory Mapping useful for Use-After-Free etc. I was afraid that you might say "It's just Object". Shit happens.
Mar 14 2017
[[PrimitiveValue]] is just the ES5 naming for those internal slots actually. See e.g., https://es5.github.io/x15.7.html. We should probably update that to the new names.
Mar 14 2017
I guess this part has to change a bit: https://cs.chromium.org/chromium/src/v8/src/runtime/runtime-debug.cc?type=cs&q=PrimitiveValue+package:%5Echromium$&l=287
Comment 1 by palmer@chromium.org
Mar 14 2017
Components: Blink>JavaScript
Labels: Security_Impact-Stable OS-Android OS-Chrome OS-Linux OS-Windows
Owner: jochen@chromium.org
Status: Assigned (was: Unconfirmed)