Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

WebAudio AudioWorklets run V8 with disabled denormalized floats - 1764

Samuel Groß - Project Zero, posted 4 months ago
  • V8 compiles hot JavaScript to native code in its optimizing JIT tier. The optimizer reasons about the code it compiles, and those assumptions must match how the generated code actually executes; any gap between them is a security problem. The author found exactly such a gap.
  • The functionality in question concerns denormals (subnormals): floating-point values so close to zero that they are stored with reduced precision. Arithmetic on them is slow, so a CPU can be told to treat them as zero (flush-to-zero / denormals-are-zero), and WebAudio turns this mode on for its AudioWorklet threads. V8's optimizer analyzes floating-point arithmetic under ordinary IEEE-754 semantics, in which denormals are preserved, but the code it produces then runs on a thread where the CPU setting has been changed, so denormal results silently become zero.
  • The Blink side of the runtime includes code that changes how floats are handled; in particular, AvoidDenormals() switches the CPU's floating-point semantics. JIT-compiling code that handles floats and then calling this function before running it produces a classic check-versus-use mismatch: the optimizer "checked" the arithmetic under one set of semantics and the compiled code "uses" another.
  • Exploiting this mismatch yields memory corruption in V8's heap. According to the author of the write-up, other browsers are affected as well.
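The mismatch described in the notes above, reproduced natively as an added example (this is not code from the Project Zero write-up, Chromium or V8): the same floating-point expression is evaluated with the CPU's denormal handling in its default IEEE-754 state and again with denormals disabled, the way an AudioWorklet thread runs. On x86-64 the example sets the FTZ (bit 15) and DAZ (bit 6) bits of MXCSR; on AArch64 it sets FPCR.FZ (bit 24); other architectures are treated as unsupported. The input value `0x1p-1074` (the smallest positive double) and all function names are choices made for this example.

```c
// Added example: shows how disabling denormals changes the result of the
// same arithmetic. A JIT that constant-folds or range-checks these
// expressions under IEEE-754 rules gets a different answer than the CPU
// produces once flush-to-zero is enabled on the executing thread.
#include <stdio.h>
#include <stdint.h>
#include <math.h>

#if defined(__x86_64__)
#include <xmmintrin.h>          // _mm_getcsr / _mm_setcsr (MXCSR access)
#define MXCSR_FTZ 0x8000u       // flush-to-zero: denormal results -> 0
#define MXCSR_DAZ 0x0040u       // denormals-are-zero: denormal inputs -> 0
static void set_denormals_disabled(int on) {
    unsigned csr = _mm_getcsr();
    csr = on ? (csr | MXCSR_FTZ | MXCSR_DAZ) : (csr & ~(MXCSR_FTZ | MXCSR_DAZ));
    _mm_setcsr(csr);
}
int denormal_control_supported(void) { return 1; }
#elif defined(__aarch64__)
static void set_denormals_disabled(int on) {
    uint64_t fpcr;
    __asm__ volatile("mrs %0, fpcr" : "=r"(fpcr));
    if (on) fpcr |= (1ULL << 24);          // FPCR.FZ flushes inputs and outputs
    else    fpcr &= ~(1ULL << 24);
    __asm__ volatile("msr fpcr, %0" : : "r"(fpcr));
}
int denormal_control_supported(void) { return 1; }
#else
static void set_denormals_disabled(int on) { (void)on; }   // assumption: no control here
int denormal_control_supported(void) { return 0; }
#endif

// Smallest positive double, a denormal. It is volatile so the compiler must
// compute with it at run time rather than folding the result at build time,
// which is precisely what V8's optimizer does under IEEE assumptions.
static volatile double tiny = 0x1p-1074;

// tiny / tiny. IEEE-754: exactly 1.0. With denormals disabled the input is
// treated as 0.0, so the CPU computes 0/0 = NaN.
double denormal_self_divide(int denormals_disabled) {
    set_denormals_disabled(denormals_disabled);
    volatile double r = tiny / tiny;   // volatile store keeps the op between the mode switches
    set_denormals_disabled(0);
    return r;
}

// tiny * 2. IEEE-754: a nonzero denormal (0x1p-1073). With denormals
// disabled the result is flushed to 0.0, so a "this value is nonzero"
// conclusion reached by an optimizer under IEEE rules no longer holds.
double denormal_times_two(int denormals_disabled) {
    set_denormals_disabled(denormals_disabled);
    volatile double r = tiny * 2.0;
    set_denormals_disabled(0);
    return r;
}

int main(void) {
    if (!denormal_control_supported()) {
        puts("no denormal control on this architecture in this example");
        return 0;
    }
    printf("IEEE mode:      tiny/tiny = %g, tiny*2 = %g\n",
           denormal_self_divide(0), denormal_times_two(0));
    printf("denormals off:  tiny/tiny = %g, tiny*2 = %g\n",
           denormal_self_divide(1), denormal_times_two(1));
    return 0;
}
```

Compile with a plain `cc denormals.c -o denormals`; on x86-64 the default SSE code generation is required, since the legacy x87 unit ignores MXCSR. The point of the two functions is that nothing in the C source changes between the runs: only the thread's floating-point control state does, which is the state an AudioWorklet thread changes underneath V8.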