## https://sploitus.com/exploit?id=4032E979-9CD6-5DB4-AC6C-1FF17869C029
# Exploitation of CVE-2021-21220
## From Incorrect JIT Behavior to Remote Code Execution
## Overview
This presentation explains the exploitation of **CVE-2021-21220**, a vulnerability in Google Chrome’s **V8 JavaScript engine** caused by incorrect JIT compiler assumptions during optimization.
The presentation walks through:
- How V8 performs Just-In-Time (JIT) compilation
- How a signed/unsigned type confusion bug appears during optimization
- How the bug leads to an out-of-bounds (OOB) array primitive
- How attackers can leverage OOB access to leak addresses and achieve arbitrary memory writes
- How WebAssembly (Wasm) becomes a target for native code execution
- Existing mitigations and modern browser defenses
---
# Presentation Goals
The goal of this presentation is to demonstrate how a subtle optimization mistake inside a modern JavaScript engine can escalate into:
- Memory corruption
- Arbitrary read/write primitives
- Native code modification
- Potential Remote Code Execution (RCE)
The exploit chain highlights how JIT engines balance performance and security, and how incorrect optimization assumptions can become exploitable.
---
# Topics Covered
## 1. V8 Architecture
The presentation introduces the major V8 components:
### Ignition Interpreter
- Executes JavaScript bytecode
- Collects runtime feedback
- Stores type information in feedback vectors
### TurboFan Optimizer
- Builds optimized graphs from runtime feedback
- Inserts speculative assumptions and guards
- Performs aggressive optimization passes
### Machine Code Backend
- Emits native CPU instructions
- Produces optimized machine code for “hot” functions
The architecture diagram in the presentation illustrates how JavaScript moves from:
```text
Parsing → Bytecode → Optimization → Execution
````
---
## 2. Why JavaScript Is Difficult to Optimize
JavaScript is challenging for high-performance execution because:
* Variables change types dynamically
* Arrays change structure and element types
* Operators like `+` can have multiple meanings
* Runtime checks are expensive
V8 uses JIT compilation to optimize common execution patterns by speculating on runtime behavior.
---
## 3. Root Cause of CVE-2021-21220
The vulnerability originates from a **signed vs unsigned integer mismatch** during JIT optimization.
Key concepts demonstrated:
* `Uint32Array`
* `Word32Xor`
* Incorrect type propagation
* `ChangeInt32ToInt64`
* Wrong assembly instruction selection
The exploit abuses the value:
```js
0x80000000
```
which sets the sign bit of a 32-bit integer.
---
## 4. Optimization Mismatch
The vulnerability occurs because TurboFan optimizes:
```js
x ^ 0
```
away entirely.
During this optimization:
* The XOR operation disappears
* Type information is lost
* Signed values become interpreted as unsigned
* JIT behavior diverges from interpreter behavior
This results in incorrect machine code generation and attacker-controlled values.
---
## 5. Building an OOB Primitive
The exploit converts the incorrect JIT result into control over array behavior.
The presentation demonstrates:
1. Wrong optimized integer value
2. Conversion into control variable `i`
3. Mismatch between warmup and trigger execution
4. `Array.shift()` length underflow
5. Creation of an OOB-capable array
Important exploit concepts shown:
* Warmup optimization
* Speculative optimization
* Type confusion
* Array length corruption
---
## 6. Out-of-Bounds Access
Once the array length becomes `-1`, the attacker gains:
* Out-of-bounds reads
* Out-of-bounds writes
* Access to neighboring V8 heap objects
The exploit then demonstrates:
* Pointer leaks
* Object address discovery
* Overlapping arrays
* Raw V8 pointer extraction
---
## 7. WebAssembly Abuse
The presentation explains how attackers can target:
* WebAssembly compiled code pages
* Native executable memory generated by V8
Attack flow:
1. Create a Wasm function
2. Locate executable memory
3. Overwrite compiled machine code
4. Re-execute Wasm
5. Achieve arbitrary native execution
This demonstrates how a JavaScript engine bug can transition into process-level code execution.
---
# Defenses and Mitigations
The final section covers modern browser defenses:
## Compressed Pointers
Reduce direct pointer exposure and heap predictability.
## Pointer Indirection
Prevent direct access to raw memory addresses.
## Heap Sandboxing
Isolate memory regions and reduce exploit impact.
## W^X (Write XOR Execute)
Prevent pages from being writable and executable simultaneously.
The presentation also includes the actual V8 patch diff showing the fix for the signed-extension issue.
---
# Key Takeaways
This presentation demonstrates how:
* Small optimization mistakes can become critical vulnerabilities
* JIT compilers significantly increase attack surface complexity
* Runtime speculation can introduce dangerous inconsistencies
* WebAssembly changes the exploitation landscape
* Modern browsers require multiple layered defenses
---
# Technologies Discussed
* JavaScript
* Google V8 Engine
* TurboFan
* Ignition
* WebAssembly (Wasm)
* JIT Compilation
* Memory Corruption
* Out-of-Bounds Access
* Browser Exploitation
---
# Educational Purpose
This material is intended strictly for:
* Security research
* Educational demonstrations
* Browser internals learning
* Vulnerability analysis
Do not use this information against systems you do not own or have permission to test.
---
# Reference
* CVE-2021-21220
* Google Chrome V8 Engine
* TurboFan Compiler Internals
* WebAssembly Runtime Security
* https://www.zerodayinitiative.com/blog/2021/12/15/exploitation-of-cve-2021-21220-from-incorrect-jit-behavior-to-rce
* https://www.zerodayinitiative.com/blog/2021/12/8/understanding-the-root-cause-of-cve-2021-21220-a-chrome-bug-from-pwn2own-2021
* https://www.zerodayinitiative.com/blog/2021/12/8/understanding-the-root-cause-of-cve-2021-21220-a-chrome-bug-from-pwn2own-2021