V8 Promise.allSettled Type Confusion Vulnerability Analysis

Here is the key information about the vulnerability: Vulnerability Type: Type confusion in Promise.allSettled Priority: P1 Severity: S1 Status: Fixed (Verified) Vulnerability Details Description: - Issue: A type confusion vulnerability exists in the Promise.allSettled function within the V8 engine. - Function Call Sequence: Promise.allSettled → GeneratePromiseAll → PerformPromiseAll - Function Description: In the Torque function PerformPromiseAll, it iterates over user-provided objects and calls PromiseResolve on each element. - Resolution: The functions resolveElementFun and rejectElementFun are generated in createResolveElementFunctor and createRejectElementFunctor, respectively, and ultimately invoke PromiseAllResolveElementClosure. Impact and Risk Potential Risk: Users can obtain resolveElementFun and rejectElementFun via user-defined JavaScript functions, causing remainingElementsCount to be decremented twice even though only one promise is processed. This may lead to an early return from Promise.allSettled. Attackers could exploit this vulnerability to trigger type confusion and execute arbitrary code. Reproduction Case Description: Running d8 v8_poc.js in debug mode causes d8 to crash due to a Torque assertion failure. - Error Message:

Goal Reached Thanks to every supporter — we hit 100%!

V8 Promise.allSettled Type Confusion Vulnerability Analysis