Issue metadata

Status: Fixed
Owner:
Closed: Apr 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Issue 359525: CHECK failure in CHECK(size_in_bytes <= kMaxBlockSize) failed: ../src/spaces.cc(2378)

Reported by ClusterFuzz, Apr 3 2014 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417217637842944

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_be

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(size_in_bytes <= kMaxBlockSize) failed: ../src/spaces.cc(2378)
  

Minimized Testcase (5.63 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94BS8DRVd1xfIIFG5txX9AShpWnpDnz_9kFyO21FEiU5qTXxHsOlALT3C9XcgEkTwwWLtbodCZ7pX-ivfb6qgofdfhacW2yvS6sZG5h12V3sAmSyLNhCPo4eSBzWwe7LAmcJZwzpZuCOHFHe1UPfX95uR19AA

Comment 1 by danno@chromium.org, Apr 3 2014

Cc: jochen@chromium.org
Labels: M-33
Owner: hpayer@chromium.org
Status: Assigned

Comment 2 by hpayer@chromium.org, Apr 3 2014

I minified the testcase:
// Run under d8 with --allow-natives-syntax so the %SetFlags() call is accepted;
// --gc-interval=5 forces a GC every few allocations.
%SetFlags("--gc-interval=5 ");
function f() {
  var a;
  for (var i = 0; i < 100000; i++) {
    var x = 42 + a - {};  // a is undefined on the first iteration, "" afterwards
    a = "";
  }
}
f();

Comment 3 by hpayer@chromium.org, Apr 3 2014

%SetFlags("--gc-interval=5 ");
function f() {
  var a;
  for (var i = 0; i < 3; i++) {
    var x = 42 + a - {};
    a = "";
  }
}
f();

Comment 4 by hpayer@chromium.org, Apr 3 2014

Labels: -Type-Bug Type-Bug-Security

Comment 5 by hpayer@chromium.org, Apr 3 2014

Breaks binary op subtract (gives you access to arbitrary memory behind the given object, security issue):
  var a;
  for (var i = 0; i < 2; i++) {
    var x = 42 + a - {};
    print(x);  // print() is the d8 shell's output function
    a = "";
  }

Breaks binary op add (results in wrong add semantics):
  var a = 1.4;
  var val = 0;
  var o = {valueOf:function() { val++; return 10; }};
  for (var i = 0; i < 2; i++) {
    var x = (a + i) + o;
    a = "";
  }
  assertEquals(val, 2);  // assertEquals() comes from V8's mjsunit test harness

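The two patterns from comment 5, turned into a regression-style semantics check. This is an added example, not code from the bug report or from V8's own test suite; the helper names (runSubPattern, runAddPattern, checkAll) and the instrumented `o` objects are this example's own. Both patterns flip the type of the left operand between loop iterations (undefined to string, number to string) so that an engine's type feedback for `+` and `-` has to transition mid-loop; each result is then compared with the ECMAScript semantics of the same expression, and ToPrimitive side effects are counted. The `--gc-interval=5` trigger from the minimized testcase is a d8-only flag and is not reproduced here, so the block runs in any engine (node or d8) and every check returns true on a fixed V8.

```javascript
// Added example (not from the bug report or V8's test suite): regression-style
// semantics checks for the binary-op patterns in comment 5.

// Pattern 1: `42 + a - {}` with a = undefined on the first iteration, "" after.
// Iteration 0: 42 + undefined -> NaN, NaN - {} -> NaN.
// Iteration k>0: 42 + "" -> "42", "42" - {} -> NaN.
// Every result must therefore be the number NaN; any other type or value
// means the engine computed something the spec does not allow.
function runSubPattern(iterations) {
  const results = [];
  let a;
  for (let i = 0; i < iterations; i++) {
    const x = 42 + a - {};
    results.push(x);
    a = "";
  }
  return results;
}

function subPatternIsCorrect(iterations) {
  return runSubPattern(iterations).every(
    (x) => typeof x === "number" && Number.isNaN(x)
  );
}

// Same pattern with an instrumented right operand so the ToPrimitive protocol
// is observable: for `-` (hint "number") valueOf runs first and, because it
// returns an object, toString must run next; exactly once each per iteration.
function runSubPatternInstrumented(iterations) {
  let valueOfCalls = 0;
  let toStringCalls = 0;
  const o = {
    valueOf() { valueOfCalls++; return this; },            // non-primitive: falls through
    toString() { toStringCalls++; return "[object Object]"; },
  };
  const results = [];
  let a;
  for (let i = 0; i < iterations; i++) {
    results.push(42 + a - o);
    a = "";
  }
  return { results, valueOfCalls, toStringCalls };
}

function subPatternInstrumentedIsCorrect(iterations) {
  const r = runSubPatternInstrumented(iterations);
  return (
    r.valueOfCalls === iterations &&
    r.toStringCalls === iterations &&
    r.results.every((x) => typeof x === "number" && Number.isNaN(x))
  );
}

// Pattern 2: `(a + i) + o` with a = 1.4 then "", and o.valueOf counting calls.
// Iteration 0: (1.4 + 0) + o -> 1.4 + 10 = 11.4.
// Iteration k>0: ("" + k) + o -> String(k) + "10".
// valueOf must be invoked exactly once per iteration, which is what the
// assertEquals(val, 2) in comment 5 checks for two iterations.
function runAddPattern(iterations) {
  let valueOfCalls = 0;
  const o = { valueOf() { valueOfCalls++; return 10; } };
  const results = [];
  let a = 1.4;
  for (let i = 0; i < iterations; i++) {
    const x = (a + i) + o;
    results.push(x);
    a = "";
  }
  return { results, valueOfCalls };
}

function expectedAddResult(i) {
  return i === 0 ? 11.4 : String(i) + "10";
}

function addPatternIsCorrect(iterations) {
  const r = runAddPattern(iterations);
  return (
    r.valueOfCalls === iterations &&
    r.results.length === iterations &&
    r.results.every((x, i) => x === expectedAddResult(i))
  );
}

// Run each pattern for a handful of iterations (as in the report) and for
// enough iterations that an optimizing compiler gets involved.
function checkAll() {
  const out = {};
  for (const n of [2, 3, 100000]) {
    out[n] = {
      sub: subPatternIsCorrect(n),
      subInstrumented: subPatternInstrumentedIsCorrect(n),
      add: addPatternIsCorrect(n),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(checkAll(), null, 2));
}
```

The checks deliberately test the result's type as well as its value: a type-confused binary op that reads past an object will typically surface as a value that is not the NaN the spec prescribes, so `typeof x === "number" && Number.isNaN(x)` is the tightest assertion the expression allows.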
Comment 6 by mbarbe...@chromium.org, Apr 3 2014

Labels: -Restrict-View-EditIssue Restrict-View-SecurityTeam Security_Severity-Medium
Does this affect the current beta and stable versions of Chrome? Also, is there any way that this could be used to write to this memory, or just read it? I'm setting severity to medium based on the assumption that this only allows the memory to be read.

Comment 7 by hpayer@chromium.org, Apr 3 2014

Affects beta and stable. It is just read access. Fix is in flight.

Comment 8 by ClusterFuzz, Apr 3 2014

Project Member
Labels: -Pri-2 -M-33 Security_Impact-Stable Pri-1 Security_Impact-Beta M-34

Comment 9 by hpayer@chromium.org, Apr 4 2014

Fix landed. I will wait for canary coverage before merging it back.

Comment 10 by infe...@chromium.org, Apr 7 2014

Status: Fixed

Comment 11 by ClusterFuzz, Apr 7 2014

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify M-35
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 12 by ClusterFuzz, Apr 9 2014

Project Member
ClusterFuzz has detected this issue as fixed in the latest custom build.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417217637842944

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_be

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(size_in_bytes <= kMaxBlockSize) failed: ../src/spaces.cc(2378)
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94BS8DRVd1xfIIFG5txX9AShpWnpDnz_9kFyO21FEiU5qTXxHsOlALT3C9XcgEkTwwWLtbodCZ7pX-ivfb6qgofdfhacW2yvS6sZG5h12V3sAmSyLNhCPo4eSBzWwe7LAmcJZwzpZuCOHFHe1UPfX95uR19AA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 13 by hpayer@chromium.org, Apr 9 2014

Merged back to M34 and M35

Comment 14 by infe...@chromium.org, Apr 9 2014

Labels: -Merge-Triage Release-1-M34

Comment 15 by ClusterFuzz, Jul 14 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 16 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 17 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
