In-depth Analysis of the Security Risks of Sentinel Values in the Chrome V8 Engine
A sentinel value is a special value used in algorithms, often as a termination condition for loops or recursion. The Chrome source code uses sentinel values extensively. Recently, security researchers found that leaking the TheHole object allowed arbitrary code execution within the Chrome sandbox; the Google team patched that vulnerability quickly.
However, V8 contains other native objects that should never be exposed to JavaScript. This article focuses on the Uninitialized Oddball object, whose exposure may lead to broader security risks. At the time of writing, this method still works in the latest version of V8, and Google has not yet addressed the issue.
It is worth noting that this method is broadly applicable:
CVE-2021-30551 was the first to include a PoC that leaked the internal uninitialized oddball.
The PoC for CVE-2022-1486 also directly leaked UninitializedOddball.
Issue 1352549 (no CVE assigned) shows the complete exploit code.
These cases demonstrate the need for a thorough examination of potentially affected software. As of now, Skype has not yet fixed the vulnerability.
Sentinel Value in V8
Most of the native objects of V8 are defined in the v8/src/roots/roots.h file, and these objects are arranged adjacently in memory. Once a native object that should not be leaked is exposed to JavaScript, arbitrary code execution within the sandbox may be achieved.
To verify that this method still works in the latest version of V8, we can modify one of V8's native functions so that it leaks Uninitialized Oddball into JavaScript. Specifically, we change the isolate-relative offset used in the %TheHole() function so that it returns Uninitialized Oddball instead.
Bypassing HardenType Protection
By simplifying the code provided in Issue 1352549, we can obtain a relatively arbitrary read primitive in V8 version 11.0.0.
When %TheHole() returns UninitializedOddball, the optimized JavaScript read function computes the element offset directly according to JavaScript semantics, without checking the value of obj.prop. This results in type confusion and enables arbitrary reads.
Like TheHole, uninitialized_oddball is placed earlier in V8 memory and is more primitive, which makes it easier to spoof. After the mitigation for TheHole was circumvented, this method became the preferred bypass.
The suggested fix is to check the array's map before returning array elements in the optimized function, rather than computing the offset directly and returning the array value.
PatchGap Warning
After analyzing Issue 1352549, we found that Skype has not yet fixed the vulnerability. In an x86 environment, arbitrary read and write behave slightly differently: because there is no pointer compression, arbitrary reads and writes are relative to the entire process address space.
Although Skype has ASLR enabled, the binary is so large that, within a 4GB address space, reading and writing at specific addresses gives an attacker a high probability of hitting Skype's file contents. Combined with traditional methods such as PE parsing, completing the full exploitation chain is not difficult.
This PatchGap is not limited to Issue 1352549: the disclosure of the new bypass method has also significantly reduced the difficulty of exploiting similar vulnerabilities such as CVE-2022-1486 and CVE-2021-30551. Attackers can exploit any vulnerability that leaks uninitialized_oddball with almost no additional research.
Summary
This article briefly discusses how a leaked uninitialized_Oddball sentinel value can be turned into an arbitrary read primitive. V8 contains other sentinel values as well, and crashes involving them are frequently encountered during testing. Given that both Uninitialized_Oddball and TheHole can be used to bypass V8's protections, we have reason to suspect that other sentinel values may lead to similar issues.
This leads to the following observations:
Can other uninitialized_Oddball leaks also be turned into RCE in V8 just as easily?
Google quickly patched the TheHole bypass, but the long-standing issue of using garbage collection to bypass ASLR shows that the boundary for whether such issues count as formal security vulnerabilities remains blurred.
If they are treated as formal security issues, should sentinel values such as %TheHole and uninitialized_Oddball be added as variables in fuzzers to discover other exploit primitives?
In any case, issues of this kind significantly shorten the time an attacker needs to achieve full exploitation.