
Exploiting Chrome V8: Krautflare - austincheney
https://www.jaybosamiya.com/blog/2019/01/02/krautflare/
======
saagarjha
Really interesting bug in TurboFan's optimizer; getting Math.expm1 handling -0
incorrectly to removing bounds checks by dancing around multiple optimization
passes was quite illuminating. Although, later in the exploit, it seems like
using WebAssembly creates a RWX page? Why is Chrome doing this for WebAssembly
when it stopped doing this for JavaScript, for obvious reasons?

~~~
kentonv
V8 WebAssembly TLM Ben Titzer explained in a previous HN comment:
[https://news.ycombinator.com/item?id=18812449](https://news.ycombinator.com/item?id=18812449)

------
kentonv
Andrea Biondo did a writeup of the same CTF which I liked a lot.
[https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/](https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/)

EDIT: Previous HN discussion on Andrea's writeup:
[https://news.ycombinator.com/item?id=18808488](https://news.ycombinator.com/item?id=18808488)

------
css
The left sidebar covers about a third of the content for me.

~~~
saagarjha
You can click on the hamburger menu to hide it.

~~~
matt4077
Nope. Reader mode also doesn’t work, which is rather uncommon.

~~~
saagarjha
What browser are you using? On mobile Safari, I don't see the sidebar, and in
Safari on macOS I can hide the sidebar. Reader mode doesn't work on either.

~~~
jaybosamiya
Reader mode should be working now. Just tested on mobile Safari.

------
Karlax
Impressively, Shellphish solved this challenge in 3 hours. The CTF's
interactive leaderboard is fun to play with:
[https://archive.aachen.ccc.de/35c3ctf.ccc.ac/](https://archive.aachen.ccc.de/35c3ctf.ccc.ac/)

------
jtwaleson
Wow, I feel very dumb after reading this.

~~~
fwip
It shouldn't make you feel dumb - it should just make you aware of the
incredible breadth and depth of human knowledge out there.

For every single field, there is so much to learn and know. People often
underestimate how complex their sister-fields are. You know enough to be
dangerous, but not enough to know how much you don't know.

------
jaybosamiya
Hi! Author here. Happy to answer any questions.

------
brokenmachine
Can anyone explain the bug and how it was exploited in simpler terms?

------
aboutruby
And those Hacker News, Reddit and Twitter messages from Cloudflare employees
about their VM-less workers' security will be gold in the future.

