Status: Fixed
Closed: Aug 2009
OS: All
Pri: 0
Type: Bug-Security
Crash [@ 0xffffffff]
Reported by nth1...@gmail.com, Aug 6 2009
Open bang.html in Windows XP SP3 Google Chrome 3.0.195.4, which then
crashes (See screenshot). Chromium Mac build 3.0.198.0 crashes too.

On the Mac v8 js shell it crashes both opt and debug at 0xffffffff. Wanted
to file this in the v8 bug reports but it has no option to file as a
security bug, so filing here instead, just in case this is exploitable.

(Please attribute and acknowledge discovery of testcase to reporter)

 
Attachments: Picture 1.png (71.0 KB), bang.html (178 bytes)
Thanks for this report. This also sad-tabs my Linux 3.0.196.0 build.
I'll get this in the debugger later today :)

It's crashing in generated v8 code:

Dump of assembler code from 0xf4324504 to 0xf4324518:
0xf4324504:	cmpl   $0xf6c623d9,-0x1(%edx)

Where %edx is null and the operation is a read. Initial reaction is that there is no 
security consequence here.

Pretty awesome looking syntactic fuzzer, btw!
More info. It crashes on all three platforms (ia32, x64, ARM) in the same place, the
second instruction below:

kind = CALL_IC
ic_state = MONOMORPHIC
ic_in_loop = 1
type = NORMAL
name = toString
Instructions (size = 57)
0xf5d48120     0  8b542404       mov edx,[esp+0x4]
0xf5d48124     4  817affe128cbf5 cmp [edx+0xff],0xf5cb28e1    ;; object: 0xf5cb28e1 <Map>
0xf5d4812b    11  0f8523000000   jnz 52  (0xf5d48154)
0xf5d48131    17  bf710ac3f5     mov edi,0xf5c30a71          ;; object: 0xf5c30a71 Cell for 0xf70033e1 <JS Function toString>
0xf5d48136    22  8b7f03         mov edi,[edi+0x3]
0xf5d48139    25  81ffe13300f7   cmp edi,0xf70033e1          ;; object: 0xf70033e1 <JS Function toString>
0xf5d4813f    31  0f850f000000   jnz 52  (0xf5d48154)
0xf5d48145    37  8b5213         mov edx,[edx+0x13]
0xf5d48148    40  89542404       mov [esp+0x4],edx
0xf5d4814c    44  8b7713         mov esi,[edi+0x13]
0xf5d4814f    47  e90cb8ffff     jmp 0xf5d43960              ;; code: FUNCTION
0xf5d48154    52  e9e7a8ffff     jmp 0xf5d42a40              ;; code:
Status: Started
Simplified test case:

toString = toString;
__defineGetter__("z", Number.prototype.toLocaleString);
z;
z;
((0).toLocaleString)();

The fix for this bug, which caused a crash and probably also random memory reads and
bypassing of security checks, has now been incorporated in V8 1.3 used for Chromium
TOT, V8 1.2 used for Chrome 3.0 beta and V8 1.1 used for Chrome 2.0 stable.

The precise V8 versions and SVN revisions are:

  1.3.2.1: r2645 (http://v8.googlecode.com/svn/trunk@2649)
  1.2.14.15: r2650 (http://v8.googlecode.com/svn//branches/1.2@2650)
  1.1.10.16: r2651 (http://v8.googlecode.com/svn//branches/1.1@2651)

In V8 1.1 used for Chrome 2.0 stable the bug is probably not there (in the form
described in bug 18639), but there might be other ways to exploit it.

The bug fix on the V8 side is done, but we still need to add the regression test case 
and attribute and acknowledge the discovery of test case to the reporter (thanks a lot 
by the way!).
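The guard at offset 4 of the stub dumped above, `cmp [edx+0xff],0xf5cb28e1`, reads the receiver's Map from the tagged pointer minus one (the disassembler prints the -1 byte displacement as 0xff), and the first comment notes that %edx was zero at the crash, which under V8's ia32 tagging is the representation of Smi 0 rather than of a heap object. The C model below is added here and is neither V8 code nor part of the bug; it replays that arithmetic in a simulated 32-bit address space to show why a Smi reaching an unguarded Map check reads address 0xffffffff, beside the guarded form that sends Smis to the miss path before touching memory. The tagging scheme (Smi low bit 0, heap object low bit 1, Map in the first word) is V8's ia32 convention; the heap addresses, map value and helper names are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of V8's ia32 value tagging (not V8 source): a Smi is the
 * integer shifted left by one (low bit 0); a heap object is its address with
 * the low bit set; a heap object's Map pointer is its first word, so a stub
 * reads it at [tagged_ptr - 1], which is what the dump's "cmp [edx+0xff]" does. */
typedef uint32_t Tagged;
#define HEAP_OBJECT_TAG 1u
#define TAG_MASK        1u

/* Simulated 32-bit address space: only addresses below HEAP_BYTES are mapped.
 * A load outside it stands in for the fault behind "Crash [@ 0xffffffff]". */
#define HEAP_BYTES 256u
static uint32_t heap[HEAP_BYTES / 4];

bool is_smi(Tagged v) { return (v & TAG_MASK) == 0; }
Tagged smi_from_int(int32_t i) { return (Tagged)i << 1; }

bool load32(uint32_t addr, uint32_t *out) {
    if (addr % 4 != 0 || addr >= HEAP_BYTES) return false; /* unmapped: fault */
    *out = heap[addr / 4];
    return true;
}

/* Place an object whose first word is `map` at byte address `addr` (constructed layout). */
Tagged alloc_object(uint32_t addr, uint32_t map) {
    heap[addr / 4] = map;
    return addr | HEAP_OBJECT_TAG;
}

typedef enum { IC_HIT, IC_MISS, IC_FAULT } Outcome;

/* The receiver guard as the dumped CALL_IC stub performs it: load the Map from
 * receiver-1 and compare. With no Smi check, Smi 0 (tagged value 0) yields
 * address 0 - 1 == 0xffffffff in 32-bit arithmetic, the address in the title. */
Outcome map_check_unguarded(Tagged receiver, uint32_t expected_map, uint32_t *fault_addr) {
    uint32_t addr = receiver - 1u;
    uint32_t map;
    if (!load32(addr, &map)) { *fault_addr = addr; return IC_FAULT; }
    return map == expected_map ? IC_HIT : IC_MISS;
}

/* Hardened form: a Smi carries no Map, so it must take the miss path before
 * any memory is touched. */
Outcome map_check_guarded(Tagged receiver, uint32_t expected_map, uint32_t *fault_addr) {
    if (is_smi(receiver)) return IC_MISS;
    return map_check_unguarded(receiver, expected_map, fault_addr);
}
```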
To the entire v8 team: it always amazes me how fast you guys respond!

Soren, do you think we need to issue a security note / update for:
a) The Chrome v2 stable branch?
b) The Chrome v3 beta branch?

I'm struggling to determine impact and severity :)
@nth10sd: if we end up featuring this bug in a security update after our 
investigation, what credit text should we use? (Name or handle plus optional 
affiliation?)

Comment 10 by nth1...@gmail.com, Aug 8 2009
> @nth10sd: if we end up featuring this bug in a security update after our
> investigation, what credit text should we use? (Name or handle plus optional
> affiliation?)

Please hold (for a few days past the weekend, at least), I'm figuring this out.

Comment 11 by nth1...@gmail.com, Aug 12 2009
Please attribute to:

Mozilla Security

with no need of mention of any individual. Thanks!
@nth10sd: Thanks. The fix will feature as a security fix in a v2.0 update. We will 
credit "Mozilla Security".
We're not 100% sure of the full impact and possibilities (there is object confusion 
going on). Therefore we'll be conservative (in terms of tending to overstate rather 
than understate) and rate this as "High".
Labels: Security-High
Noting severity in label based on comment #12
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=23280 

------------------------------------------------------------------------
r23280 | mal@chromium.org | 2009-08-12 21:42:13 -0700 (Wed, 12 Aug 2009) | 4 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/172/src/DEPS?r1=23280&r2=23279

Update V8 1.1 to r2651.

BUG=  http://crbug.com/18639 

------------------------------------------------------------------------

Status: FixUnreleased
No crash seen in stable candidate Chrome 2.0.172.42 (Official Build).
Labels: -private
Status: Fixed
Labels: SecSeverity-High
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update: fuzzily determined that this security bug affected a stable release.
Project Member Comment 21 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 22 by bugdroid1@chromium.org, Mar 10 2013
Labels: -SecSeverity-High -Type-Security -SecImpacts-Stable Security-Impact-Stable Security-Severity-High Type-Bug-Security
Project Member Comment 23 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Labels: allpublic
Labels: reward-topanel