mistymntncop · January 14, 2025 06:26
diff --git a/CVE-2024-0519 notes b/CVE-2024-0519 notes
 //Preconditons
 //----------------------
 // (1) The receiver must be a regular object and the key a unique name.
 //        this excludes special objects such as globalThis, wasm object, etc
 // (2) The property to be deleted must be the last property.
 // (3) The property to be deleted must be deletable.
 //        this excludes non-configurable properties. So no frozen or sealed objects.
 // (4) The map must have a back pointer.
 //        this excludes prototype maps
 // (5) The last transition must have been caused by adding a property
 //        
 //are these checks sufficient / correct ?
 //
 //
 //receiver
 //----------------------
 // - Heap::NotifyObjectLayoutChange
 //     seems like a no-op as invalidate_recorded_slots == InvalidateRecordedSlots::kNo 
 //     and invalidate_external_pointer_slots == InvalidateExternalPointerSlots::kNo
 //     only performs diagnostic  HeapVerifier::SetPendingLayoutChangeObject when v8_flags.verify_heap == true
 // - JSReceiver::SetProperties
 //     only performed when last out of object property deleted - replacing the object's properties with 
 //     an empty fixed array.
 // - ClearField (similiar to JSObject::FastPropertyAtPut)
 //     - TaggedField<MapWord>::Release_Store - if in-object
 //     - object->property_array()->set - if out-object
 // - Heap::ClearRecordedSlot
 //     only performed on in-object property
 // - HeapObjectLayout::set_map
 // - JSObject::MigrateInstance (if parent map is deprecated)
 //
 //
 //receiver_map
 //----------------------
 // - Map::NotifyLeafMapLayoutChange (also called in slow deletion path)
 //
 //transition descriptor(s) from parent_map with key of last deleted property name
 //----------------------
 // - MapUpdater::GeneralizeField (must be PropertyKind::kData and PropertyConstness::kConst descriptor)
 //      only changes the PropertyConstness to kMutable 
 //
 //
 //Only known issue (so far):
 //"Property deletions can undo map transitions
 //while keeping the backing store around, meaning that even though the
 //map might believe that objects have no unused property fields, there
 //might actually be some."
 //
 //This does not seem useful for exploitation AFAIK
	//Preconditons
	//----------------------
	// (1) The receiver must be a regular object and the key a unique name.
	// this excludes special objects such as globalThis, wasm object, etc
	// (2) The property to be deleted must be the last property.
	// (3) The property to be deleted must be deletable.
	// this excludes non-configurable properties. So no frozen or sealed objects.
	// (4) The map must have a back pointer.
	// this excludes prototype maps
	// (5) The last transition must have been caused by adding a property
	//
	//are these checks sufficient / correct ?
	//
	//
	//receiver
	//----------------------
	// - Heap::NotifyObjectLayoutChange
	// seems like a no-op as invalidate_recorded_slots == InvalidateRecordedSlots::kNo
	// and invalidate_external_pointer_slots == InvalidateExternalPointerSlots::kNo
	// only performs diagnostic HeapVerifier::SetPendingLayoutChangeObject when v8_flags.verify_heap == true
	// - JSReceiver::SetProperties
	// only performed when last out of object property deleted - replacing the object's properties with
	// an empty fixed array.
	// - ClearField (similiar to JSObject::FastPropertyAtPut)
	// - TaggedField<MapWord>::Release_Store - if in-object
	// - object->property_array()->set - if out-object
	// - Heap::ClearRecordedSlot
	// only performed on in-object property
	// - HeapObjectLayout::set_map
	// - JSObject::MigrateInstance (if parent map is deprecated)
	//
	//
	//receiver_map
	//----------------------
	// - Map::NotifyLeafMapLayoutChange (also called in slow deletion path)
	//
	//transition descriptor(s) from parent_map with key of last deleted property name
	//----------------------
	// - MapUpdater::GeneralizeField (must be PropertyKind::kData and PropertyConstness::kConst descriptor)
	// only changes the PropertyConstness to kMutable
	//
	//
	//Only known issue (so far):
	//"Property deletions can undo map transitions
	//while keeping the backing store around, meaning that even though the
	//map might believe that objects have no unused property fields, there
	//might actually be some."
	//
	//This does not seem useful for exploitation AFAIK