
Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security




UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer

Reported by mstarzinger@google.com, Sep 18 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=101851233

Fuzzer: Cris_inferno_crash_url

Crash Type: UNKNOWN
Crash Address: 0x0000beeddeac
Crash State:
  - crash stack -
  v8::internal::RootMarkingVisitor::MarkObjectByPointer
  v8::internal::RootMarkingVisitor::VisitPointers
  v8::internal::OptimizedFrame::Iterate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=152720:152740

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Oo8eAJp0K1CRdqtJeCiHfDM1UDzugHxatqQO0VZW_PPN4sLRoXfC8af4Us4H3to9ym9XbLFLpSfD6tosWB6DCV5T6FUzr4kDAuS-mJdr22dPw3JYg1nusYlEfKXxji6t50nUiGO7n6EAtGsDFE8NnVbH4GRrm1nyujOuRXgSOFq-FfPo
<script>window.location='http://hashmapd.com/canvas/';</script>
 
Owner: mstarzinger@chromium.org
Status: Assigned
Cc: jkummerow@chromium.org danno@chromium.org
Fix is in flight.
Status: FixUnreleased
Fixed on V8 bleeding edge in v8:r12543. This will need to be merged back to Chrome M22 and M21 once we have Canary coverage.

https://code.google.com/p/v8/source/detail?r=12543
Labels: -Restrict-View-SecurityTeam -Mstone-21 Restrict-View-SecurityNotify Mstone-22 Merge-Approved SecImpacts-Beta
Thanks. We're through with M21, but merging to M22 would be awesome. I think there might be one final build before M22 final.

Regarding severity, the fix CL makes it sound like a possible stack / memory corruption issue?
OK, will merge to M22 only then.

Yes, if you cleverly orchestrate it you could write tagged values to the stack and the GC might dereference them. I am unsure whether those values can reach actual computation or whether this can be exploited.
Labels: -SecSeverity-None SecSeverity-High
Fixing severity based on c#5.

Comment 7 by ClusterFuzz, Sep 22 2012

ClusterFuzz has detected this issue as fixed in range 157980:157999.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=101851233

Fuzzer: Cris_inferno_crash_url

Crash Type: UNKNOWN
Crash Address: 0x0000beeddeac
Crash State:
  - crash stack -
  v8::internal::RootMarkingVisitor::MarkObjectByPointer
  v8::internal::RootMarkingVisitor::VisitPointers
  v8::internal::OptimizedFrame::Iterate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=152720:152740
Fixed: https://cluster-fuzz.appspot.com/revisions?range=157980:157999

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96Oo8eAJp0K1CRdqtJeCiHfDM1UDzugHxatqQO0VZW_PPN4sLRoXfC8af4Us4H3to9ym9XbLFLpSfD6tosWB6DCV5T6FUzr4kDAuS-mJdr22dPw3JYg1nusYlEfKXxji6t50nUiGO7n6EAtGsDFE8NnVbH4GRrm1nyujOuRXgSOFq-FfPo

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 8 by k...@google.com, Sep 24 2012

If this is merged, please update the labels.
Unfortunately this doesn't apply cleanly because it depends on functionality introduced in v8:r12489, which is a highly non-trivial change. So back-merging both of them is not an option IMHO. Maybe we can scrape out only a small subset of the dependency, I would need to look into that.

http://code.google.com/p/v8/source/detail?r=12489
Labels: -Mstone-22 Mstone-23
OK, thanks @mstarzinger. Sounds like the least risky course of action, on aggregate, is to just merge to M23, which will be out in 6 weeks anyway. Ping the bug when it's merged?
Michael, can you please merge it to m23. Thanks!
Unfortunately comment #9 also applies when merging this back to M23. The fix depends on the same CL and I am very hesitant to work on a derivative fix, because that will essentially be a new CL that will not have any Canary coverage before it would go into M23.
Labels: -Mstone-23 Mstone-24
Sorry, I didn't see c#9. Then let it roll into M24, since we have only one beta left for M23 and, as you say, a derivative fix is risky.
Yep agreed. It's already in M24, so that branch should be covered.
Labels: -Merge-Approved
Labels: Release-0
Status: Fixed
Labels: CVE-2013-0836
Cc: erikcorry@google.com

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Type-Security -SecSeverity-High -SecImpacts-Stable -Mstone-24 -Stability-AddressSanitizer -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta Type-Bug-Security M-24 Security-Severity-High Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 25 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 26 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
