Coordinated Disclosure Timeline

Summary

A type confusion caused by JSStackCheck can be exploited by an attacker to gain code execution in Chrome’s renderer.

Product

Chrome

Tested Version

version 114.0.5735.106

Details

Type confusion in v8 caused by incorrect side effect modelling of JSStackCheck (GHSL-2023-137)

The JSStackCheck operator is marked with the kNoWrite property [1], which is reserved for operators that have no side effects. This operator, however, can call into the Runtime::kStackGuard function [2], which handles interrupts from other threads [3]. As can be seen from the definition of HandleInterrupts [4], it can call many different functions, some of which may have side effects [4]. In particular, the INSTALL_CODE [5] interrupt installs optimized JIT code, which can install the PrototypePropertyDependency and call EnsureHasInitialMap [6]. EnsureHasInitialMap takes the function argument and checks whether its initial_map field is already set; if not, it calls SetInitialMap, which sets the prototype object of the function to the prototype of a map [7]. This in turn calls OptimizeAsPrototype [8], which can change the map of the prototype object. Combining this side effect with CheckMaps elimination in the LoadElimination optimization phase, a JSStackCheck can be used to change the map of an object after a CheckMaps has been performed. Since JSStackCheck is inserted at the end of every loop iteration [9], this can be done by inserting a loop between a CheckMaps and a subsequent property access on an object whose map is checked before the loop (the CheckMaps after the loop is eliminated if the loop has no side effects other than those coming from JSStackCheck). By changing the object's map in JSStackCheck after the CheckMaps has passed, a type confusion occurs.

  1. https://source.chromium.org/chromium/chromium/src/+/ba1b4d2b303094d63f500878f3670f2235f988c7:v8/src/compiler/js-operator.cc;l=1406
  2. https://source.chromium.org/chromium/chromium/src/+/ba1b4d2b303094d63f500878f3670f2235f988c7:v8/src/compiler/js-generic-lowering.cc;l=1197
  3. https://source.chromium.org/chromium/chromium/src/+/10e4809ce95862289c62ea30a18ab32bb77ea5c8:v8/src/runtime/runtime-internal.cc;l=349
  4. https://source.chromium.org/chromium/chromium/src/+/10e4809ce95862289c62ea30a18ab32bb77ea5c8:v8/src/execution/stack-guard.cc;l=267
  5. https://source.chromium.org/chromium/chromium/src/+/10e4809ce95862289c62ea30a18ab32bb77ea5c8:v8/src/execution/stack-guard.cc;l=324
  6. https://source.chromium.org/chromium/chromium/src/+/10e4809ce95862289c62ea30a18ab32bb77ea5c8:v8/src/compiler/compilation-dependencies.cc;l=247
  7. https://source.chromium.org/chromium/chromium/src/+/0cd12c35f217ed6982b34fcb29dc15d14a6e57eb:v8/src/objects/js-function.cc;l=762
  8. https://source.chromium.org/chromium/chromium/src/+/0cd12c35f217ed6982b34fcb29dc15d14a6e57eb:v8/src/objects/map.cc;l=2308
  9. https://source.chromium.org/chromium/chromium/src/+/0cd12c35f217ed6982b34fcb29dc15d14a6e57eb:v8/src/compiler/bytecode-graph-builder.cc;l=3547
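The interaction between the kNoWrite annotation and LoadElimination described above, as an added model that is not V8's code: a toy graph walker that drops a CheckMaps whenever no intervening node is declared to write, then executes the optimized graph with the interrupt path changing the object's map. The node, property and map names (Node, NO_WRITE, MapA, MapB) are simplified stand-ins for V8's real structures.

```python
from dataclasses import dataclass

NO_WRITE = frozenset({"kNoWrite"})  # declared: node does not write object state

@dataclass(frozen=True)
class Node:
    op: str                         # CheckMaps, LoadField or JSStackCheck
    obj: str = ""                   # object the node operates on
    map_: str = ""                  # map a CheckMaps guards for
    props: frozenset = frozenset()  # declared operator properties

def load_elimination(graph):
    """Drop CheckMaps whose map is already known, as LoadElimination does;
    any node not declared kNoWrite invalidates the recorded maps."""
    known, out = {}, []
    for n in graph:
        if n.op == "CheckMaps":
            if known.get(n.obj) == n.map_:
                continue            # redundant guard: eliminated
            known[n.obj] = n.map_
        elif "kNoWrite" not in n.props:
            known.clear()           # possible side effect: forget all maps
        out.append(n)
    return out

def run(graph, interrupt_changes_map):
    """Execute the optimized graph against the real runtime behaviour."""
    actual = {"o": "MapA"}          # constructed: o starts out with MapA
    assumed = {}                    # map the compiled code believes o has
    for n in graph:
        if n.op == "CheckMaps":
            if actual[n.obj] != n.map_:
                return "deopt"      # guard caught the change safely
            assumed[n.obj] = n.map_
        elif n.op == "JSStackCheck" and interrupt_changes_map:
            actual["o"] = "MapB"    # INSTALL_CODE -> OptimizeAsPrototype changes the map
        elif n.op == "LoadField" and assumed.get(n.obj) != actual[n.obj]:
            return "type confusion" # field read with a map the code never checked
    return "ok"

def analyse(stack_check_props):
    """Return (CheckMaps kept, outcome) for the loop pattern in the advisory."""
    graph = [
        Node("CheckMaps", "o", "MapA"),
        Node("LoadField", "o", props=NO_WRITE),
        Node("JSStackCheck", props=stack_check_props),  # end of loop iteration
        Node("CheckMaps", "o", "MapA"),
        Node("LoadField", "o", props=NO_WRITE),
    ]
    opt = load_elimination(graph)
    return sum(n.op == "CheckMaps" for n in opt), run(opt, True)
```

With JSStackCheck declared kNoWrite the second CheckMaps is eliminated and the load runs on the wrong map; declaring it as effectful keeps the guard, which then deoptimizes safely.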

Impact

Can be exploited to cause RCE in Chrome renderer

CVE

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-137 in any communication regarding this issue.