Issue 122337 [LangFuzz] Crash on heap with invalid write (32 bit only).
Starred by 1 user. Reported by, Apr 6 2012
Status: Fixed
Closed: Apr 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

The JavaScript code below crashes Chromium 19.0.1084.15 dev and the d8 shell (trunk revision 11244) on the heap with an invalid write to a strange address. The address is not fixed; I have multiple tests that crash at different addresses, so I assume it can be controlled somehow. The issue seems to affect 32-bit only.

Chrome Version: 19.0.1084.15 dev
Operating System: Ubuntu 11.04 32 bit

"abel".replace(/b/g, function h() {});

Type of crash: tab
Crash State:
Program received signal SIGSEGV, Segmentation fault.
0x3453127f in ?? ()
(gdb) bt 8
#0  0x3453127f in ?? ()
#1  0x34531006 in ?? ()
#2  0x34521bf9 in ?? ()
#3  0x34512c2a in ?? ()
#4  0x00e8fe99 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x3453127f:  rep movsl %ds:(%esi),%es:(%edi)
(gdb) info reg ds esi es edi
ds             0x7b     123
esi            0x220d9099       571314329
es             0x7b     123
edi            0x57800000       1468006400

Trace from D8 with Valgrind:

==3194== Invalid write of size 4
==3194==    at 0x29337F3F: ???
==3194==    by 0x29337CC5: ???
==3194==    by 0x2930F438: ???
==3194==    by 0x2930A0A9: ???
==3194==    by 0x80B1D36: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==3194==  Address 0x2d800000 is not stack'd, malloc'd or (recently) free'd

Labels: -Pri-0 -Area-Undefined Pri-1 OS-All SecImpacts-Beta Area-WebKit SecSeverity-High Mstone-19
Status: Available
I was able to reproduce this on Chrome 20 on Windows (which always runs in 32-bit mode; my Linux is 64-bit). Crash ID 182dac08c8f08139. It does not repro on 18.

danno, can you please take a look at this?
Comment 2 by, Apr 6 2012
Status: Assigned
Sure, will do. We'll take a look asap next week.
Labels: ReleaseBlock-Stable
Flagging all critical- and high-severity beta regressions as release blockers.
I can repro this. Fix coming up. 
The internal Substring function doesn't bounds check its inputs, because it is not callable with unchecked inputs.  Unfortunately the regexp code calls it on incorrect inputs, so we crash.  I don't know how one would go about exploiting this, but I would not be comfortable saying that it is not exploitable in some way.
Fix backported to the M16, M17, M18 and M19 branches.
Fix backported to M12 aka V8 3.2 for the sake of ICS.
Clarification: I backported it to 2.5, 3.2, 3.6, 3.7, 3.8 and 3.9 but it is only in 3.10 and 3.9 on IA32 that it is a crasher.  On other releases and on other architectures it is a non-security-related bug.

The crash is caused by memcpy on a negative length which gets interpreted as a high positive.
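The two comments above describe the defect as a substring routine that trusts its (start, end) arguments, so a negative length computed from bad regexp match positions reaches memcpy and is read as a huge unsigned count. The following C is an added illustration written for this page; it is not V8's Substring code and its names (checked_substring, length_as_seen_by_memcpy) are hypothetical. It shows the validation a caller-facing substring copy needs, and makes the signed-to-size_t wrap visible on sample input constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical substring copy with the bounds checks the report says were
 * missing. Indices are signed on purpose: a caller that derives them from
 * match positions can hand over end < start, which yields a negative length.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
long checked_substring(const char *src, long src_len,
                       long start, long end,
                       char *dst, size_t dst_cap)
{
    if (src == NULL || dst == NULL || src_len < 0)
        return -1;
    /* Reject negative and out-of-range indices before any arithmetic whose
     * result could be converted to size_t. */
    if (start < 0 || end < start || end > src_len)
        return -1;
    long len = end - start;              /* guaranteed >= 0 here */
    if ((size_t)len >= dst_cap)          /* leave room for the NUL */
        return -1;
    memcpy(dst, src + start, (size_t)len);
    dst[len] = '\0';
    return len;
}

/* Shows why an unchecked negative length is dangerous: memcpy takes size_t,
 * so -1 becomes 0xFFFFFFFF on a 32-bit build (the report's "high positive")
 * and the copy runs off the end of both buffers. */
size_t length_as_seen_by_memcpy(long len)
{
    return (size_t)len;
}

int main(void)
{
    char out[16];
    const char *sample = "abel";            /* constructed sample input */

    /* Well-formed request: the match "b" at [1,2). */
    long n = checked_substring(sample, 4, 1, 2, out, sizeof out);
    printf("[1,2) -> %ld byte(s): \"%s\"\n", n, out);

    /* Malformed request, end before start: rejected instead of copied. */
    n = checked_substring(sample, 4, 3, 1, out, sizeof out);
    printf("[3,1) -> %ld (rejected)\n", n);

    /* What the unchecked path would have passed to memcpy for that request. */
    printf("length 1-3 = %ld seen by memcpy as %zu\n",
           1L - 3L, length_as_seen_by_memcpy(1L - 3L));
    return 0;
}
```

The useful habit the example demonstrates is to validate start, end and the buffer capacity as signed values first, and only then convert the length to size_t; once the conversion has happened, no check on the unsigned value can tell a legitimately large copy from a wrapped negative one.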
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged reward-topanel
Labels: -reward-topanel reward-1000 reward-unpaid
Thanks!! etc.
Labels: -reward-unpaid
Labels: CVE-2011-3092
Comment 15 by, May 15 2012
Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Project Member Comment 17 by, Mar 10 2013
Labels: -Type-Security -SecImpacts-Beta -Area-WebKit -SecSeverity-High -Mstone-19 Cr-Content Security-Impact-Beta Security-Severity-High M-19 Type-Bug-Security
Labels: -Restrict-View-SecurityNotify
Project Member Comment 19 by, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 20 by, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 21 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 22 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 23 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic