Coordinated Disclosure Timeline
- 2022-03-21: Reported issue to Chromium security team as 1308360
- 2022-03-29: Issue fixed in version 100.0.4896.60 of Chrome as CVE-2022-1134
Summary
A type confusion in v8 can lead to remote code execution in the Chrome renderer sandbox.
Product
Chromium
Tested Version
98.0.4758.102
Details
Issue 1: Type confusion when using simple api call accessors with SuperIC (GHSL-2022-042)
When accessing properties using accessors, the holder of the accessor may be in the prototype chain of the object, but the accessor is applied to the receiver itself. Many blink objects have accessors that are simple api calls, and these accessors have specific signatures, meaning that they can only operate on v8 objects of the expected type. When a simple api call accessor is encountered during the creation of an IC handler, the expected type of the accessor is checked against the lookup_start_object_map [1]:

```cpp
CallOptimization call_optimization(isolate(), getter);
if (call_optimization.is_simple_api_call()) {
  CallOptimization::HolderLookup holder_lookup;
  Handle<JSObject> api_holder =
      call_optimization.LookupHolderOfExpectedType(isolate(), map,
                                                   &holder_lookup); // <-- checks that map is compatible with the expected type of the simple api call
```
The map used here is the lookup_start_object_map [2]. On the other hand, when the IC handler is used, the accessor is applied to the receiver, instead of the lookup_start_object [3]:

```cpp
void AccessorAssembler::HandleLoadAccessor(
    const LazyLoadICParameters* p, TNode<CallHandlerInfo> call_handler_info,
    TNode<WordT> handler_word, TNode<DataHandler> handler,
    TNode<IntPtrT> handler_kind, ExitPoint* exit_point) {
  Comment("api_getter");
  ...
  BIND(&load);
  TNode<IntPtrT> argc = IntPtrConstant(0);
  exit_point->Return(CallApiCallback(context, callback, argc, data,
                                     api_holder.value(), p->receiver())); // <-- accessor used with receiver
```
This is normally correct, because the receiver and the lookup_start_object are usually the same object. However, in the case of a super property access, the lookup_start_object is not the same as the receiver. So by creating an IC handler for a lookup_start_object that passes the signature test, and then using this IC handler in a super IC call with an incompatible receiver, a type confusion occurs: a simple api accessor is called with a receiver of a type it was never meant to operate on.
Impact
This issue can be exploited to gain RCE in the Chrome renderer sandbox by visiting a malicious website.
CVE
- CVE-2022-1134
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-042 in any communication regarding this issue.
Notes
1. https://source.chromium.org/chromium/chromium/src/+/dd1159653baab787bc341ddbf42af5aeab3c1634:v8/src/ic/ic.cc;l=1055
2. https://source.chromium.org/chromium/chromium/src/+/dd1159653baab787bc341ddbf42af5aeab3c1634:v8/src/ic/ic.cc;l=963
3. https://source.chromium.org/chromium/chromium/src/+/af93b3d584c22547ae5d6c49c56df07f2f7a2ca5:v8/src/ic/accessor-assembler.cc;l=285