
Issue 621111

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Fatal error in v8::internal::List<T, P>::Add()

Project Member Reported by ClusterFuzz, Jun 17 2016

Issue description

Comment 1 by mmoroz@chromium.org, Jun 17 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>JavaScript>Language
Labels: Pri-1
Summary: Fatal error in v8::internal::List<T, P>::Add() (was: Fatal error in v8::Isolate::Dispose)
Running this input with ASan gives:

==55338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000034 (pc 0x0000018bac07 bp 0x7fff88b127e0 sp 0x7fff88b12790 T0)

with the following stacktrace: https://paste.googleplex.com/5502136540463104

I guess that CF will find it soon with ASan build too, but I'm filing this one for now.

Comment 2 by mmoroz@chromium.org, Jun 17 2016

Owner: rossberg@chromium.org
rossberg@, could you please take a look and help to find an owner for this?

Comment 3 by ClusterFuzz, Jun 17 2016

Status: Assigned (was: Available)

Comment 4 by est...@chromium.org, Jun 17 2016

Labels: M-53

Comment 5 by ClusterFuzz, Jun 18 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6661115622981632

Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::Isolate::Dispose
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=399229:399350

Minimized Testcase (0.63 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96jwb0p8vDGjghBfOd-dwDk0VHIq_vuaXnj1wtvXMHmrTzbGpsjO1YwMiW-AkwZWa_CIy0mzIMqYnDrmmzi_yObkCZfoB5tp-7Wbw1nvAEpJYcyfWDvkRyXi-J-BRyudpwk9cpvud8DcUGkhmxHZfUQ3WYrLg?testcase_id=6661115622981632

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by sheriffbot@chromium.org, Jun 18 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: rossberg@chromium.org
Owner: nikolaos@chromium.org
Nikos, this CL of yours,

https://chromium.googlesource.com/v8/v8/+/dfb8d3331e7cb2c3e67ef820cbcb6cfbae7159e5

is in the revision range of this regression, and looks like the most likely candidate considering the stack trace of the failure:

https://paste.googleplex.com/5502136540463104

Can you please investigate and/or roll back the change?
Status: Started (was: Assigned)
This is not easy to reproduce with JS source.  Neither d8 nor the parser fuzzer *with the following patch* complain about it.  The bug only shows if the script is scanned as a one byte string, not UTF-8 (as d8 and, I assume, chrome, would probably do).

I don't know what to make of it yet, it's probably something that needs to be fixed, whether it is related to my CL or not.  But I doubt that the given test could crash chrome, if injected in a JS script, because V8 would scan it as UTF-8.

I'm still looking at it.


diff --git a/test/fuzzer/parser.cc b/test/fuzzer/parser.cc
index 4035ade..b4385d8 100644
--- a/test/fuzzer/parser.cc
+++ b/test/fuzzer/parser.cc
@@ -27,8 +27,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   if (size > INT_MAX) return 0;
   v8::internal::MaybeHandle<v8::internal::String> source =
-      factory->NewStringFromOneByte(
-          v8::internal::Vector<const uint8_t>(data, static_cast<int>(size)));
+      factory->NewStringFromUtf8(
+          v8::internal::Vector<const char>(reinterpret_cast<const char*>(data),
+                                           static_cast<int>(size)));
   if (source.is_null()) return 0;
 
   v8::internal::Handle<v8::internal::Script> script =
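Review bot: this patch replaces the one-byte path with the UTF-8 path rather than adding UTF-8 coverage beside it, and the comment above states that the failure only appears when the script is scanned as a one-byte string, so the patched harness cannot reach this class of input by construction. As a diagnostic that is fine, but a harness change worth keeping would derive the representation from the input (for example, one leading byte selecting between `NewStringFromOneByte` and `NewStringFromUtf8`) so both scanner paths stay covered. The bounds check `if (size > INT_MAX) return 0;` and the `reinterpret_cast<const char*>` ahead of `static_cast<int>(size)` are fine as they stand.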
The following crashes d8 with a segfault.  It is a shrunken version of the script that was reported.  I'm investigating it.

  out/Debug/d8 -e '(y = 1[1, [...[]]]) => 1'
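An added example, not code from this thread, from V8 or from the fuzzer harness: it shows how the two string paths named in the comments above (scanning the fuzzer bytes as a one-byte string versus as UTF-8) can present different text to the scanner for the same input, and a harness-style selector that keeps both paths exercised. The Latin-1 and replacement-character decoding below are assumptions standing in for V8's own decoders, and the sample inputs are constructed here.

```python
# Added example (not from the bug thread or from V8).
# Models the two ways a fuzzer harness can hand raw bytes to a scanner:
#   - one-byte path: every byte becomes the code point of the same value
#   - UTF-8 path: multi-byte sequences are combined, malformed bytes replaced
# Assumption: Python's Latin-1 decoder and "replace" error handling stand in
# for V8's NewStringFromOneByte / NewStringFromUtf8 behaviour.

def as_one_byte(data: bytes) -> str:
    """One-byte path: byte 0xE9 is seen as U+00E9 ('é'), a legal identifier char."""
    return data.decode("latin-1")


def as_utf8(data: bytes) -> str:
    """UTF-8 path: the same lone 0xE9 is malformed and becomes U+FFFD."""
    return data.decode("utf-8", errors="replace")


def paths_diverge(data: bytes) -> bool:
    """True when the scanner would see different text on the two paths.
    Pure-ASCII reproducers never diverge, which is why an ASCII-only test
    cannot tell the two harness configurations apart."""
    return as_one_byte(data) != as_utf8(data)


def choose_representation(data: bytes) -> tuple[str, str]:
    """Harness-style selector (hypothetical design, not the project's code):
    the first input byte picks the path, the remainder is the script.
    This keeps both scanner paths reachable from the same corpus."""
    if not data:
        return ("one_byte", "")
    head, body = data[0], data[1:]
    if head & 1:
        return ("utf8", as_utf8(body))
    return ("one_byte", as_one_byte(body))


if __name__ == "__main__":
    # Constructed samples: the page's reproducer (ASCII) and a non-ASCII variant.
    samples = [
        b"(y = 1[1, [...[]]]) => 1",   # from the thread: identical on both paths
        b"var \xe9 = 1",               # constructed: differs between the paths
        b"var \xc3\xa9 = 1",           # constructed: valid UTF-8 for 'é'
    ]
    for s in samples:
        print(repr(s), "diverge:", paths_diverge(s),
              "| one-byte:", repr(as_one_byte(s)), "| utf8:", repr(as_utf8(s)))
```

Running it shows that the thread's reproducer reads identically on both paths, while any input carrying bytes above 0x7F is presented differently, which is the condition under which a harness restricted to one path silently loses coverage of the other.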
Status: Fixed (was: Started)

Comment 12 by sheriffbot@chromium.org, Jun 22 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 13 by ClusterFuzz, Jun 22 2016

Labels: Merge-NA
Labels: -ReleaseBlock-Beta -ClusterFuzz -merge-na Clusterfuzz Merge-na
Fix already in M53, removing ReleaseBlock-Beta.

Comment 15 by sheriffbot@chromium.org, Sep 28 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
