Share
## https://sploitus.com/exploit?id=4032E979-9CD6-5DB4-AC6C-1FF17869C029
# Exploitation of CVE-2021-21220
## From Incorrect JIT Behavior to Remote Code Execution

## Overview

This presentation explains the exploitation of **CVE-2021-21220**, a vulnerability in Google Chrome’s **V8 JavaScript engine** caused by incorrect JIT compiler assumptions during optimization.

The presentation walks through:

- How V8 performs Just-In-Time (JIT) compilation
- How a signed/unsigned type confusion bug appears during optimization
- How the bug leads to an out-of-bounds (OOB) array primitive
- How attackers can leverage OOB access to leak addresses and achieve arbitrary memory writes
- How WebAssembly (Wasm) becomes a target for native code execution
- Existing mitigations and modern browser defenses

---

# Presentation Goals

The goal of this presentation is to demonstrate how a subtle optimization mistake inside a modern JavaScript engine can escalate into:

- Memory corruption
- Arbitrary read/write primitives
- Native code modification
- Potential Remote Code Execution (RCE)

The exploit chain highlights how JIT engines balance performance and security, and how incorrect optimization assumptions can become exploitable.

---

# Topics Covered

## 1. V8 Architecture

The presentation introduces the major V8 components:

### Ignition Interpreter
- Executes JavaScript bytecode
- Collects runtime feedback
- Stores type information in feedback vectors

### TurboFan Optimizer
- Builds optimized graphs from runtime feedback
- Inserts speculative assumptions and guards
- Performs aggressive optimization passes

### Machine Code Backend
- Emits native CPU instructions
- Produces optimized machine code for “hot” functions

The architecture diagram in the presentation illustrates how JavaScript moves from:

```text
Parsing → Bytecode → Optimization → Execution
````

---

## 2. Why JavaScript Is Difficult to Optimize

JavaScript is challenging for high-performance execution because:

* Variables change types dynamically
* Arrays change structure and element types
* Operators like `+` can have multiple meanings
* Runtime checks are expensive

V8 uses JIT compilation to optimize common execution patterns by speculating on runtime behavior.

---

## 3. Root Cause of CVE-2021-21220

The vulnerability originates from a **signed vs unsigned integer mismatch** during JIT optimization.

Key concepts demonstrated:

* `Uint32Array`
* `Word32Xor`
* Incorrect type propagation
* `ChangeInt32ToInt64`
* Wrong assembly instruction selection

The exploit abuses the value:

```js
0x80000000
```

which sets the sign bit of a 32-bit integer.

---

## 4. Optimization Mismatch

The vulnerability occurs because TurboFan optimizes:

```js
x ^ 0
```

away entirely.

During this optimization:

* The XOR operation disappears
* Type information is lost
* Signed values become interpreted as unsigned
* JIT behavior diverges from interpreter behavior

This results in incorrect machine code generation and attacker-controlled values.

---

## 5. Building an OOB Primitive

The exploit converts the incorrect JIT result into control over array behavior.

The presentation demonstrates:

1. Wrong optimized integer value
2. Conversion into control variable `i`
3. Mismatch between warmup and trigger execution
4. `Array.shift()` length underflow
5. Creation of an OOB-capable array

Important exploit concepts shown:

* Warmup optimization
* Speculative optimization
* Type confusion
* Array length corruption

---

## 6. Out-of-Bounds Access

Once the array length becomes `-1`, the attacker gains:

* Out-of-bounds reads
* Out-of-bounds writes
* Access to neighboring V8 heap objects

The exploit then demonstrates:

* Pointer leaks
* Object address discovery
* Overlapping arrays
* Raw V8 pointer extraction

---

## 7. WebAssembly Abuse

The presentation explains how attackers can target:

* WebAssembly compiled code pages
* Native executable memory generated by V8

Attack flow:

1. Create a Wasm function
2. Locate executable memory
3. Overwrite compiled machine code
4. Re-execute Wasm
5. Achieve arbitrary native execution

This demonstrates how a JavaScript engine bug can transition into process-level code execution.

---

# Defenses and Mitigations

The final section covers modern browser defenses:

## Compressed Pointers

Reduce direct pointer exposure and heap predictability.

## Pointer Indirection

Prevent direct access to raw memory addresses.

## Heap Sandboxing

Isolate memory regions and reduce exploit impact.

## W^X (Write XOR Execute)

Prevent pages from being writable and executable simultaneously.

The presentation also includes the actual V8 patch diff showing the fix for the signed-extension issue.

---

# Key Takeaways

This presentation demonstrates how:

* Small optimization mistakes can become critical vulnerabilities
* JIT compilers significantly increase attack surface complexity
* Runtime speculation can introduce dangerous inconsistencies
* WebAssembly changes the exploitation landscape
* Modern browsers require multiple layered defenses

---

# Technologies Discussed

* JavaScript
* Google V8 Engine
* TurboFan
* Ignition
* WebAssembly (Wasm)
* JIT Compilation
* Memory Corruption
* Out-of-Bounds Access
* Browser Exploitation

---

# Educational Purpose

This material is intended strictly for:

* Security research
* Educational demonstrations
* Browser internals learning
* Vulnerability analysis

Do not use this information against systems you do not own or have permission to test.

---

# Reference

* CVE-2021-21220
* Google Chrome V8 Engine
* TurboFan Compiler Internals
* WebAssembly Runtime Security
* https://www.zerodayinitiative.com/blog/2021/12/15/exploitation-of-cve-2021-21220-from-incorrect-jit-behavior-to-rce
* https://www.zerodayinitiative.com/blog/2021/12/8/understanding-the-root-cause-of-cve-2021-21220-a-chrome-bug-from-pwn2own-2021
* https://www.zerodayinitiative.com/blog/2021/12/8/understanding-the-root-cause-of-cve-2021-21220-a-chrome-bug-from-pwn2own-2021