Exploring the V8 Engine Sentinel Value Vulnerability: Bypassing Protection to Achieve Arbitrary Code Execution
Exploring the Use of Sentinel Value to Bypass Chrome V8 Protection Mechanism
A sentinel value is a special value used in algorithms, often as the termination condition of a loop or recursion. There are multiple sentinel values in the Chrome source code. Previous research has shown that leaking the TheHole object can achieve arbitrary code execution within the sandbox for certain CVEs. About a week after we published our explanation of this mitigation bypass, the Google team quickly updated the relevant CVEs on GitHub.
The Chrome source code shows a mitigation for the arbitrary code execution caused by the TheHole object. However, there are many other native objects in V8 that should not be exposed to JS. This article discusses the Uninitialized Oddball object, which was first mentioned in Issue 1352549. It is worth noting that this method still applies to the latest version of V8, and Google has not yet addressed the issue.
This method is widely applicable:
The POC first provided in Issue 1216437 (CVE-2021-30551) leaks the internal uninitialized oddball.
Issue 1314616 (CVE-2022-1486) also directly leaks UninitializedOddball.
The impact of Issue 1352549 (no CVE) cannot be ignored either.
All of these demonstrate the need to re-examine software that may be affected by PatchGap.
Sentinel Value in V8
Most of V8's native objects are defined in the v8/src/roots/roots.h file, and they are laid out adjacently in memory. Once one of these native objects that should never be exposed is leaked into JavaScript, it can lead to arbitrary code execution within the sandbox.
To verify that this method is still effective in the latest version of V8, we can modify the native function %TheHole() in V8 so that it returns Uninitialized Oddball instead.
Bypass HardenType
Issue 1352549 provides the complete code. After extracting and simplifying it, we found that it still allows a fairly arbitrary read in V8 11.0.0.
The disassembly of the optimized JavaScript read function shows that, when reading obj.prop, the optimized code does not look up the value keyed by obj.prop as JavaScript semantics require; instead it directly computes an offset and loads the array element from there. This results in a type confusion during the offset calculation, which permits arbitrary reads.
When uninitialized_oddball is passed in, the arbitrary read, relative to obj, is completed by the instruction vmovsd xmm0,[r9+r11*8+0x7], and the read data is left in the xmm0 register.
Since uninitialized_oddball is ordered earlier in V8 memory and is a more primitive object, it is easier to forge and is therefore the preferred bypass. For arbitrary writes, refer to Issue 1352549 for the construction analysis.
The suggested fix is to add a check of the array's map when the optimized function returns array elements, so that the offset is no longer computed and dereferenced blindly.
PatchGap Warning
After analyzing Issue 1352549, we investigated software that may have a PatchGap and found that Skype has not yet fixed the vulnerability. Arbitrary read and write on x86 differ slightly: because pointer compression is absent, the access is relative to the entire process address space.
Although ASLR is enabled in Skype, the large size of its binary means an attacker only needs to read and write a specific fixed address, which will most likely land inside the contents of the Skype file. Combined with traditional approaches such as PE parsing, completing the entire exploitation chain is not difficult.
This PatchGap not only concerns Issue 1352549: disclosure of the new bypass method has also significantly reduced the difficulty of exploiting similar issues such as Issue 1314616 and Issue 1216437. Attackers can achieve complete exploitation of any previously leaked uninitialized_oddball vulnerability at almost no research cost.
Summary
This article briefly discusses how an arbitrary read primitive is obtained through the leak of uninitialized_oddball. There are many other sentinel values in V8, and during testing it is easy to encounter crashes that are not int3 traps. Since both uninitialized_oddball and TheHole can bypass V8's protection, other sentinel values may well have similar issues.
This suggests several points:
Whether other uninitialized_oddball leaks can also easily lead to RCE in V8.
Google quickly fixed the TheHole bypass, but the issue of bypassing ASLR through garbage collection has been left unresolved for a long time, indicating that the boundary of whether such issues count as formal security problems is still blurred.
If they are regarded as formal security issues, should sentinel values such as %TheHole and uninitialized_oddball be included as variables in the fuzzer to explore other exploitation primitives?
Whether or not such issues are formally regarded as security issues, they significantly shorten the time attackers need to fully exploit them.