🔥 Memory corruption due to accessing invalid context (Issue 1429197, CVE-2023-2133)
The function ServiceWorkerGlobalScope::FetchHandlerType calls JSEventListener::GetEffectiveFunction at line, and the latter may call v8::Object::Get to retrieve the "handleEvent" property of the listener object. If "handleEvent" is an accessor, Invoke will be called to execute the getter, which means arbitrary script runs inside that property read. The problem is that the caller (FetchHandlerType) does not ensure a valid context exists at this time, resulting in memory corruption from accessing an invalid context object at line.
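The mechanism above, as an added illustration that is not part of the original report or of Chromium's code: a listener object whose "handleEvent" is an accessor runs script at the moment the runtime reads that property, so the read itself is a script re-entry point. It assumes Node's built-in EventTarget/Event (Node 15 or later) stand in for the browser's event dispatch.

```javascript
// Added illustration (not from the original report): reading "handleEvent"
// off a listener object is a property access, so an accessor on it executes
// script during the read. Any engine-side code that performs that read must
// therefore be prepared for script to run (and must hold a valid context).
function demonstrateHandleEventGetter() {
  const trace = [];                  // records what ran, in order
  const target = new EventTarget();  // Node's built-in EventTarget (assumption)

  const listener = {
    // Accessor property: every read of listener.handleEvent runs this body.
    get handleEvent() {
      trace.push('getter');
      // Hand back the function the runtime expects to call.
      return (event) => { trace.push(`handler:${event.type}`); };
    },
  };

  target.addEventListener('fetch', listener);  // runtime may read handleEvent here
  target.dispatchEvent(new Event('fetch'));    // reads it again, then invokes it

  return {
    getterRuns: trace.filter((t) => t === 'getter').length,
    handlerRuns: trace.filter((t) => t.startsWith('handler:')).length,
    trace,
  };
}
```

The getter always fires before the handler does, which is exactly the window where the report says FetchHandlerType proceeds without a valid context.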
How to reproduce:
1️⃣ Host poc.html & worker.js: python -m http.server 8000
2️⃣ out\release\chrome.exe http://localhost:8000/poc.html