Porting a V8 n-day to Tesla Model 3 [CVE-2020-6418]
Porting of a V8 n-day to Tesla Model 3. The vuln is older (from 2020) and is a TurboFan optimizer bug. Gist of the bug: when the optimizer tries to get a "map" (or type) of an object used in a call, that type can be either reliable or unreliable. Unreliable means the call can have side effects on the object. If a call does have side effects but is mistakenly not marked as unreliable, there's the possibility of a type confusion. By abusing such a path, which gets taken with Reflect.construct, you can cause a targeted type confusion on an array, changing it from an array of integers to an array of doubles.
That then gets exploited to corrupt a float array to get an OOB read/write. By then setting up adjacent objects they get addrof and fakeobj primitives, which are the browser endgame prims. The author had some trouble getting the weaponized exploit to work out of the box on the Tesla, though. That's because the original exploit from Exodus abused the "pointer compression" feature enabled in Chrome 80, where the upper 32 bits of JSObject pointers are kept in a register and combined with 32-bit pointers on the heap to form the final pointers. Tesla's browser was too outdated for that, so they had to change strategy: leak using array.pop instead of inline slots for addrof, and use array.push to corrupt the backing store of a Uint32Array.
The bug and exploit weren't really new, but the porting aspect is interesting, especially to such a unique target.