Exploring the Security Risks Caused by Sentinel Value Leakage in the Chrome V8 Engine
Introduction
A sentinel value is a special value used in algorithms, typically as a termination condition for a loop or a recursive procedure. Sentinel values are used widely throughout the Chrome source code. Recently, researchers achieved arbitrary code execution inside the sandbox through leakage of the TheHole object, which led to CVE-2021-38003 and CVE-2022-1364; the Google team quickly patched both vulnerabilities.
However, apart from the TheHole object, V8 contains other native objects that should not be exposed to JavaScript. This article focuses on the Uninitialized Oddball object and describes how it can be used to bypass V8's HardenProtect mechanism. Notably, this bypass still works on the latest version of V8 and has not yet been patched.
Sentinel Value in V8
Most of V8's native objects are defined in the file v8/src/roots/roots.h, and they are laid out consecutively in memory. If any of these native objects that should not be exposed to JavaScript is leaked, it can lead to arbitrary code execution within the sandbox.
To verify this, we can modify a native V8 function so that it leaks Uninitialized Oddball into JavaScript. Concretely, the offset relative to isolate in the %TheHole() function is changed so that it returns Uninitialized Oddball instead.
Bypassing HardenType Protection
With an Uninitialized Oddball object, largely arbitrary read and write operations become possible. In optimized JavaScript code, the read function does not check the type of the value stored under the key obj.prop; it directly computes the offset according to JavaScript semantics and fetches the value from the array. The resulting type confusion during that computation yields an arbitrary read.
For the write primitive, refer to the construction in Issue 1352549. The suggested fix is to add a check of the array's map when the optimized function returns array elements, instead of returning the array value by directly computing the offset.
PatchGap Warning
After analyzing Issue 1352549, we found that some software may be affected by a PatchGap problem. Notably, as of this writing, Skype has not yet fixed this vulnerability. On x86, where there is no pointer compression, the arbitrary read and write primitives are implemented differently and operate relative to the entire process.
The recent PatchGap problem is not limited to Issue 1352549: the disclosure of this new bypass method also greatly reduces the difficulty of exploiting vulnerabilities such as Issue 1314616 and Issue 1216437. Attackers can now achieve full exploitation of the earlier uninitialized_oddball vulnerabilities at almost no research cost.
Summary
This article has briefly described a method for obtaining an arbitrary read primitive by leaking the uninitialized_Oddball sentinel value. V8 contains many other sentinel values that may lead to similar security issues. This suggests the following:
1. Can other uninitialized_Oddball leaks also be turned easily into remote code execution in V8?
2. Whether such issues should be treated as formal security issues remains controversial.
3. Consider adding sentinel values such as %TheHole and uninitialized_Oddball as variables in the fuzzer to explore other uses of the primitive.
4. Whether or not these issues are officially treated as security problems, they significantly shorten the time an attacker needs to reach full exploitation.