
Issue 529012


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to util from Document;JS_Define.h:165:13

Project Member Reported by ClusterFuzz, Sep 7 2015

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6109475780427776

Fuzzer: attekett_surku_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f4e3209f670
Crash State:
  Bad-cast to util from Document
  JS_Define.h:165:13
  

Minimized Testcase (15.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv974Yx0v8shdnwh4BusIILt-zrX1z3a5keHn5gOTaXAY6MTC9nJmGlg8XhN7JeI5ktbykJ27qj_gLAUYuwEHec-56TI91sbVFpo5Jk9idbfdqbqfOvhXM1UVa5xRzQoMEhuc7zEthb_cKSpnEfI1H7cwu3eOMQ

Filer: aarya

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by aarya@google.com, Sep 7 2015

Cc: p...@chromium.org
Labels: Cr-Internals-Plugins-PDF
Owner: jun_f...@foxitsoftware.com
Status: Assigned

Comment 2 by ClusterFuzz, Sep 7 2015

Labels: Security_Impact-Stable Pri-1
Cc: tsepez@chromium.org

Comment 4 by ClusterFuzz, Sep 7 2015

Labels: M-45
Owner: tsepez@chromium.org
Oh, joy. Looks like static methods are playing fast and loose with the type of the object they invoke methods against, relying instead on the object not being touched in any manner.

Let me see if I can't clean this up. There's gonna be a lot of these reports.

Comment 6 by kcc@chromium.org, Sep 9 2015

Cc: krasin@chromium.org
Ping. Don't forget about this one.

Comment 8 by tsepez@chromium.org, Sep 18 2015

Waiting on separate email thread about v8's |apply|.
Basically, this is 
  util.byteToChar.apply(this, ["bleen"]);

and we need to guard against v8 handing us arbitrary objects to these native methods.
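
The pattern comments 4 and 8 describe, written out as an added example (this is not PDFium's code and does not use its real CJS_Object or JS_Define.h machinery; the class tag, the Document and Util types and the byteToChar body are all constructed here): a native method wrapper that casts its receiver to the class it was defined on without checking, beside a hardened wrapper that verifies the receiver's runtime class first and returns a TypeError-style failure otherwise. A script-side `util.byteToChar.apply(this, [...])` with a Document as `this` is modelled by calling the wrapper with a Document pointer.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Constructed model of a script-visible native object hierarchy. Each concrete
// class records its identity in a tag that the binding layer can check before
// downcasting (assumed design, not PDFium's actual implementation).
enum class ClassId { Document, Util };

struct CJS_Object {
  explicit CJS_Object(ClassId id) : class_id(id) {}
  virtual ~CJS_Object() = default;
  const ClassId class_id;
};

struct Document : CJS_Object {
  Document() : CJS_Object(ClassId::Document) {}
  std::string title = "constructed.pdf";  // sample field, unrelated to Util
};

struct Util : CJS_Object {
  Util() : CJS_Object(ClassId::Util) {}
  // Modelled after util.byteToChar: a byte value becomes a one-character string.
  std::string byteToChar(int byte) const {
    return std::string(1, static_cast<char>(byte));
  }
};

// What the binding layer hands back to the script engine.
struct CallResult {
  bool ok;
  std::string value;  // method result when ok, error text otherwise
};

// Unchecked wrapper in the style the report describes: the receiver is cast
// straight to Util. When `this` is actually a Document, the downcast is
// undefined behaviour; the linux_cfi_chrome job reports it as "Bad-cast".
CallResult byteToChar_unchecked(CJS_Object* receiver, int byte) {
  Util* self = static_cast<Util*>(receiver);
  return {true, self->byteToChar(byte)};
}

// Hardened wrapper: refuse any receiver whose runtime class is not Util,
// so an arbitrary object supplied via apply() never reaches the cast.
CallResult byteToChar_checked(CJS_Object* receiver, int byte) {
  if (receiver == nullptr || receiver->class_id != ClassId::Util) {
    return {false, "TypeError: receiver is not a util object"};
  }
  Util* self = static_cast<Util*>(receiver);
  return {true, self->byteToChar(byte)};
}

// Models util.byteToChar.apply(doc, [65]) with a Document as `this`.
bool foreign_receiver_is_rejected() {
  Document doc;
  CallResult r = byteToChar_checked(&doc, 65);
  return !r.ok;
}

// Models the legitimate call util.byteToChar(65).
bool correct_receiver_works() {
  Util util;
  CallResult r = byteToChar_checked(&util, 65);
  return r.ok && r.value == "A";
}

int main() {
  Util util;
  std::printf("util receiver: %s\n", byteToChar_unchecked(&util, 65).value.c_str());
  std::printf("document receiver rejected: %s\n",
              foreign_receiver_is_rejected() ? "yes" : "no");
  return correct_receiver_works() ? 0 : 1;
}
```

The unchecked wrapper is only ever called with a genuine Util above; invoking it with a Document would be the exact undefined-behaviour cast the report is about, and is what a CFI build aborts on. The class-tag check is one way to do the guard; a dynamic_cast against a polymorphic base would serve the same purpose at the cost of RTTI.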

Comment 9 by krasin@chromium.org, Sep 22 2015

tsepez: any updates?

This is one of two hard blockers for Control Flow Integrity launch on Linux.
https://codereview.chromium.org/1353193004/ is where the discussion is happening.

Comment 11 by ClusterFuzz, Oct 2 2015

Labels: -M-45 M-46

Comment 12 by ClusterFuzz, Oct 7 2015

Labels: Nag
tsepez@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Should be fixed by 158e335.  Kicking off redo on CF to see if it still (intermittently) hits it.

Comment 14 by ClusterFuzz, Oct 7 2015

ClusterFuzz has detected this issue as fixed in range 350936:350990.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6109475780427776

Fuzzer: attekett_surku_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f4e3209f670
Crash State:
  Bad-cast to util from Document
  JS_Define.h:165:13
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=350936:350990

Minimized Testcase (15.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv974Yx0v8shdnwh4BusIILt-zrX1z3a5keHn5gOTaXAY6MTC9nJmGlg8XhN7JeI5ktbykJ27qj_gLAUYuwEHec-56TI91sbVFpo5Jk9idbfdqbqfOvhXM1UVa5xRzQoMEhuc7zEthb_cKSpnEfI1H7cwu3eOMQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed

Comment 16 by ClusterFuzz, Oct 7 2015

ClusterFuzz has detected this issue as fixed in range 350936:350990.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6109475780427776

Fuzzer: attekett_surku_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f4e3209f670
Crash State:
  Bad-cast to util from Document
  JS_Define.h:165:13
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=350936:350990

Minimized Testcase (15.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv974Yx0v8shdnwh4BusIILt-zrX1z3a5keHn5gOTaXAY6MTC9nJmGlg8XhN7JeI5ktbykJ27qj_gLAUYuwEHec-56TI91sbVFpo5Jk9idbfdqbqfOvhXM1UVa5xRzQoMEhuc7zEthb_cKSpnEfI1H7cwu3eOMQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 17 by ClusterFuzz, Oct 7 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-47 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Once this bakes in M-47 beta for a while, please merge request to M-46 to see if we can ride a M-46 patch release.
tsepez: Do you want me to take care of the merge?
Yes, thanks!
Labels: Merge-Request-46
Looks like there's nothing to merge for M47. The fix landed before the M47 branch point. So merging to M46 only.
Actually, it requires a DEPS roll.
And ignore comment 22. I was looking at the wrong branch. @_@

Comment 24 by tin...@google.com, Oct 14 2015

Labels: -Merge-Request-46 Merge-Review-46 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M46), manual review required.
M46 Stable has launched, and for post stable we only consider safe merges on critical Security/ Stability/ Critical regressions.
I'm concerned this requires a DEPS roll and how safe it is. Can you pls add user impact to help better understand the issue and the risk? Thanks.
git cherry-pick -x 158e335717efba9dce3aa6f6d1e31ed884e1f59e

onto the 2490 branch results in a lot of conflicts. I've not looked at how much work it will actually take to merge to M46. Tom, WDYT?
Labels: -Merge-Review-46 Merge-Rejected-46
given the merge isn't safe, we'll have to punt it.
Labels: Merge-Request-47
Labels: -Hotlist-Merge-Review -Merge-Request-47
Actually, this is already on the 2526 branch. We're all good here.
Cc: timwillis@chromium.org
Labels: -M-46 -Nag -Merge-Triage merge-merged-2526 Release-0-M47
Updating labels.
Labels: -reward-topanel reward-unpaid CVE-2015-6775 reward-3500
Hey Atte - $3500 for this report ($3000 + $500 Clusterfuzz bonus). Thanks as always - I'll start payment later this week.

Comment 32 by kcc@chromium.org, Dec 11 2015

Cc: pasko@chromium.org
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess

Comment 35 by ClusterFuzz, Jan 13 2016

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 36 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 37 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
