Issue 122337 [LangFuzz] Crash on heap with invalid write (32 bit only).
Starred by 1 user Reported by decoder...@gmail.com, Apr 6 2012 Back to list
Status: Fixed
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
VULNERABILITY DETAILS
The JavaScript code below crashes Chromium 19.0.1084.15 dev and d8 shell (trunk revision 11244) on heap with an invalid write to a strange address. The address is not fixed, I have multiple tests that crash at different addresses so I assume it can be controlled somehow. The issue seems to affect 32 bit only.


VERSION
Chrome Version: 19.0.1084.15 dev
Operating System: Ubuntu 11.04 32 bit


REPRODUCTION CASE
"abel".replace(/b/g, function h() {});
RegExp["$'"];


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
Program received signal SIGSEGV, Segmentation fault.
0x3453127f in ?? ()
(gdb) bt 8
#0  0x3453127f in ?? ()
#1  0x34531006 in ?? ()
#2  0x34521bf9 in ?? ()
#3  0x34512c2a in ?? ()
#4  0x00e8fe99 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x3453127f:  rep movsl %ds:(%esi),%es:(%edi)
(gdb) info reg ds esi es edi
ds             0x7b     123
esi            0x220d9099       571314329
es             0x7b     123
edi            0x57800000       1468006400


Trace from D8 with Valgrind:

==3194== Invalid write of size 4
==3194==    at 0x29337F3F: ???
==3194==    by 0x29337CC5: ???
==3194==    by 0x2930F438: ???
==3194==    by 0x2930A0A9: ???
==3194==    by 0x80B1D36: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==3194==  Address 0x2d800000 is not stack'd, malloc'd or (recently) free'd


Cc: danno@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 OS-All SecImpacts-Beta Area-WebKit SecSeverity-High Mstone-19
Status: Available
I was able to reproduce this on Chrome 20 on Windows (which always runs in 32-bit mode; my Linux is 64-bit). Crash ID 182dac08c8f08139. It does not repro on 18.

danno, can you please take a look at this?
Comment 2 by danno@chromium.org, Apr 6 2012
Owner: erikcorry@google.com
Status: Assigned
Sure, will do. We'll take a look asap next week.
Labels: ReleaseBlock-Stable
Flagging all critical- and high-severity beta regressions as release blockers.
I can repro this. Fix coming up. 
Cc: mstarzinger@google.com
The internal Substring function doesn't bounds check its inputs, because it is not callable with unchecked inputs.  Unfortunately the regexp code calls it on incorrect inputs, so we crash.  I don't know how one would go about exploiting this, but I would not be comfortable saying that it is not exploitable in some way.
Cc: benm@google.com
Fix backported to the M16, M17, M18 and M19 branches.
Fix backported to M12 aka V8 3.2 for the sake of ICS.
Clarification: I backported it to 2.5, 3.2, 3.6, 3.7, 3.8 and 3.9 but it is only in 3.10 and 3.9 on IA32 that it is a crasher.  On other releases and on other architectures it is a non-security-related bug.

The crash is caused by memcpy on a negative length which gets interpreted as a high positive.
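The failure mode described in the two comments above (an internal substring routine that trusts its callers, so a start index greater than the end index yields a negative length that memcpy's size_t parameter turns into a huge positive count) can be illustrated with a small added example. This is not V8 code and does not reproduce the V8 bug; it is a constructed bounds-checked substring helper in C showing what the unsigned reinterpretation does to a negative length and how validating the range at the boundary between trusted internals and untrusted callers rejects it before any memory is touched. The function names, the "abel" input taken from the repro, and the static buffer are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not V8 code. Models the hazard from the report: a signed
 * length derived from caller-supplied indices is handed to memcpy, whose
 * size parameter is size_t, so a negative value becomes an enormous count. */

/* Returns the count memcpy would actually receive for end - start.
 * For start > end this is SIZE_MAX, SIZE_MAX - 1, ... rather than a small
 * negative number, which is why the report sees a write far off the heap. */
size_t length_as_seen_by_memcpy(int start, int end) {
    int len = end - start;      /* negative when start > end */
    return (size_t)len;         /* the implicit conversion memcpy performs */
}

/* Bounds-checked substring: copies src[start, end) into dst and NUL
 * terminates it. Returns the number of bytes copied, or -1 when the range
 * is not a valid sub-range of src or dst is too small. Every check runs
 * before memcpy is called, so an inverted or out-of-range request never
 * reaches the copy. */
long checked_substring(char *dst, size_t dst_size,
                       const char *src, size_t src_len,
                       int start, int end) {
    if (start < 0 || end < start || (size_t)end > src_len) {
        return -1;              /* inverted or out-of-range indices */
    }
    size_t len = (size_t)(end - start);   /* now known non-negative */
    if (len + 1 > dst_size) {
        return -1;              /* no room for the terminator */
    }
    memcpy(dst, src + start, len);
    dst[len] = '\0';
    return (long)len;
}

/* Convenience wrapper (hypothetical API): returns the substring in a
 * static buffer, or NULL when the range is rejected. */
const char *substring_or_null(const char *src, int start, int end) {
    static char buf[64];
    long n = checked_substring(buf, sizeof buf, src, strlen(src), start, end);
    return n < 0 ? NULL : buf;
}

int main(void) {
    const char *s = "abel";     /* constructed input, taken from the repro */
    const char *r;

    r = substring_or_null(s, 2, 4);                 /* valid: "el" */
    printf("valid range   -> %s\n", r ? r : "NULL");

    r = substring_or_null(s, 4, 2);                 /* inverted: rejected */
    printf("inverted range-> %s\n", r ? r : "NULL");

    /* What an unchecked caller would have passed to memcpy for 4..2 */
    printf("memcpy count  -> %zu\n", length_as_seen_by_memcpy(4, 2));
    return 0;
}
```

The check order matters: `end < start` is tested on the signed values before any conversion to size_t, because once the subtraction has happened the negative length is indistinguishable from a legitimate large count. That is the property the report says the internal routine lacked and relied on its callers to guarantee.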
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged reward-topanel
Labels: -reward-topanel reward-1000 reward-unpaid
Thanks!! etc.
$1000
Labels: -reward-unpaid
Labels: CVE-2011-3092
Comment 15 by cdn@chromium.org, May 15 2012
Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Cc: holi...@gmail.com
Project Member Comment 17 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -SecImpacts-Beta -Area-WebKit -SecSeverity-High -Mstone-19 Cr-Content Security-Impact-Beta Security-Severity-High M-19 Type-Bug-Security
Labels: -Restrict-View-SecurityNotify
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 20 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 21 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 22 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 23 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic