I. Preface

Error Fold Allocations in VisitFindNonDefaultConstructorOrConstruct

This vulnerability occurs in the MaglevGraphBuilder::VisitFindNonDefaultConstructorOrConstruct function. Since the previously analyzed CVE-2023-4069 also occurred in this function, I decided to analyze this one as well. The bug arises during allocation folding: the code did not account for the fact that operations performed between the memory allocation and its initialization can trigger a GC, which leads to a UAF.

II. Environment setup

git checkout d8fd81812d5a4c5c3449673b6a803279c4bdb2f2
gclient sync -D

III. Vulnerability analysis

As before, start from the patch (https://chromium.googlesource.com/v8/v8/+/78dd4b31847ab1f5b06ef3d8742a9f3835fb6919%5E%21/#F0):

diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.ccindex ad7eccf..3dd3df5 100644--- a/src/maglev/maglev-graph-builder.cc+++ b/src/maglev/maglev-graph-builder.cc@@ -5597,6 +5597,7 @@ object = BuildAllocateFastObject( FastObject(new_target_function->AsJSFunction(), zone(), broker()), AllocationType::k
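Review bot: the hunk is cut off after `AllocationType::k`, so the single added line that the header `@@ -5597,6 +5597,7 @@` announces is not visible and cannot be reviewed here; the only reviewable content is the unchanged `object = BuildAllocateFastObject(FastObject(new_target_function->AsJSFunction(), zone(), broker()), AllocationType::k…)` call. Given the stated root cause (an allocation that is folded while an operation between the allocation and its initialization can trigger a GC), the added line should be checked to sit immediately after this `BuildAllocateFastObject` call and before any node that can allocate, and to either stop folding into this allocation or ensure the object is fully initialized before such a node; the commit page linked above should be consulted for the full hunk.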
………………………………