Thanks to @coinbase I've had a chance to look at the in-the-wild exploit for the recent Firefox 0day (the RCE) that they caught. Tl;dr: it looks a lot like a bug collision between Fuzzilli and someone manually auditing for bugs. My notes:
Yeah, I attempted a short explanation at https://bugs.chromium.org/p/project-zero/issues/detail?id=1820#c5. Basically, pop and push aren't marked as having side effects (as was slice); see their getAliasSet implementation. But due to unexpected access to the prototype you could get side effects through getters/setters on it.
The way I understand it, the difference then is that for MArraySlice they changed the annotation (slice is now marked as having effects, the default: https://hg.mozilla.org/releases/mozilla-release/rev/e8e770918af7#l2.12), but for this one they changed the compiler so the MIR push/pop instructions really don't have side effects.
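Added illustration, not part of the thread and not the exploit: the language-level behaviour the replies above refer to. Array.prototype.pop reads the last index with an ordinary [[Get]], so when that index is a hole the lookup walks the prototype chain and can run an accessor that someone installed on Array.prototype. A compiler annotation claiming pop has no side effects (the getAliasSet point above) is therefore only sound if the engine can prove no such accessor exists. The getter at index 1 is constructed for the demo and removed afterwards; the function and its name are mine.

```javascript
// Demonstrates, in plain JavaScript, why an optimizing JIT must treat
// Array.prototype.pop as potentially effectful: popping a hole consults the
// prototype chain, and a getter there runs user code in the middle of "pop".
// Educational example; the accessor and the helper are constructed for it.

function probePop(arr) {
  const events = [];
  // Constructed accessor at index 1 of Array.prototype. Any hole at index 1
  // on any array will now resolve to this getter.
  Object.defineProperty(Array.prototype, '1', {
    configurable: true,
    get() {
      events.push('getter ran');
      return 'from-prototype';
    },
  });
  try {
    // Per spec: Get(arr, len-1), then Delete(arr, len-1), then Set(length).
    const popped = arr.pop();
    return { popped, length: arr.length, events };
  } finally {
    // Clean up so the rest of the program sees an untouched Array.prototype.
    delete Array.prototype[1];
  }
}

// A holey array: [0, ,] has length 2 but no own property at index 1, so the
// [[Get]] inside pop misses and reaches the prototype getter.
function popHoleyArray() {
  return probePop([0, ,]);
}

// A dense array never consults the prototype, so the same accessor stays
// silent. The two cases look identical to an alias analysis that assumes
// "pop has no side effects", which is exactly the modelling gap discussed.
function popDenseArray() {
  return probePop([0, 1]);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(popHoleyArray()); // { popped: 'from-prototype', length: 1, events: ['getter ran'] }
  console.log(popDenseArray()); // { popped: 1, length: 1, events: [] }
}
```

The defender-side takeaway is the one the thread draws: either the instruction is annotated as effectful (the conservative default the slice fix took), or the compiler must guarantee by construction that the fast path can never reach the prototype.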