New issue
Advanced search Search tips

Issue 644048 link

Starred by 1 user

Issue metadata

Status: Archived
Owner:
Closed: Dec 27
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug



Sign in to add a comment

v8: inputs cause SIGILL/conditional jump or move depends on uninitialized value

Reported by lu...@princeton.edu, Sep 5 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Illegal instruction/conditional jump or move depends on uninitialised value(s) when running the attached js files against the v8 engine corresponding to dev/beta/stable releases, in addition to the tip of v8.

In v8, I built d8 with the tip, and used commit be716d37e38a982503370531ba8533987d6e7392 for dev and c668dfb3c38e0efcab923d8381e60f67a5cbb4c0 for beta/stable.

Running ./d8 crash1.js causes 

#
# Fatal error in ../../src/compiler/representation-change.cc, line 796
# RepresentationChangerError: node #66:NumberDivide of kRepWord32 (Number) cannot be changed to kRepTagged
#

==== C stack trace ===============================

    v8-dev/out/Release/d8() [0xb53fee]
    v8-dev/out/Release/d8() [0xb529e4]
    v8-dev/out/Release/d8() [0xa01129]
    v8-dev/out/Release/d8() [0x50557c]
    v8-dev/out/Release/d8() [0x50413d]
    v8-dev/out/Release/d8() [0x4f76fe]
    v8-dev/out/Release/d8() [0x4f7457]
    v8-dev/out/Release/d8() [0x4cd722]
    v8-dev/out/Release/d8() [0x4cc1c1]
    v8-dev/out/Release/d8() [0x4cba4f]
    v8-dev/out/Release/d8() [0x52a906]
    v8-dev/out/Release/d8() [0x52cfa2]
    v8-dev/out/Release/d8() [0x52c2a2]
    v8-dev/out/Release/d8() [0xa6b355]
    [0x2000238063a7]
Received signal 4 ILL_ILLOPN 000000b553df
Illegal instruction (core dumped)

in master and the dev builds. In the beta/stable build, the engine hangs, but running with valgrind returns a lot of "Conditional jump or move depends on uninitialised value(s)" errors. A snippet of valgrind errors is included:

==9786== Conditional jump or move depends on uninitialised value(s)
==9786==    at 0x52941C: v8::internal::compiler::Typer::Visitor::TypeLoadField(v8::internal::compiler::Node*) (in /root/v8-beta/out/Release/d8)
==9786==    by 0x5139C5: v8::internal::compiler::Typer::Decorator::Decorate(v8::internal::compiler::Node*) (in /root/v8-beta/out/Release/d8)
==9786==    by 0x4CB03B: v8::internal::compiler::Graph::NewNode(v8::internal::compiler::Operator const*, int, v8::internal::compiler::Node* const*, bool) (in /root/v8-beta/out/Release/d8)
==9786==    by 0x98018F: v8::internal::compiler::JSTypedLowering::ReduceJSToObject(v8::internal::compiler::Node*) (in /root/v8-beta/out/Release/d8)

Running ./d8 crash2.txt causes hangs/valgrind errors in all builds (master, beta, dev/stable).

VERSION
Chrome Version: [54.0.2840.6], beta
Chrome Version: [53.0.2785.87], dev, stable

Linux

REPRODUCTION CASE
crash1.js and crash2.js are attached. Run d8 with valgrind to observe the conditional jump errors in crash2.js; crash1.js should simply give an illegal instruction (ILL_ILLOPN) when run on dev/master.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: in v8 engine
Crash State: see above; SIGILL/valgrind error on Conditional jump or move depends on uninitialised value(s).

Let me know if this submission is eligible for a bug bounty. Thanks!

 
crash1.js
282 bytes View Download
crash2.js
280 bytes View Download
Just a quick note: the commit links are wrong; the hashes refer to the v8 repository: https://chromium.googlesource.com/v8/v8.git.

Also forgot to remove the template header info at the top of the message. Sorry!
Project Member

Comment 2 by ClusterFuzz, Sep 5 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5166425964806144
Project Member

Comment 3 by ClusterFuzz, Sep 5 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5739662532673536

Comment 4 by vakh@chromium.org, Sep 5 2016

Components: Infra>Client>V8
Labels: OS-Linux OS-Mac OS-Windows
Owner: bmeu...@chromium.org
bmeurer@ -- could you please take a look at this issue?

My guess is that it may be related to this CL: https://chromium.googlesource.com/v8/v8/+/8201579e031aee4118e7a98ac0991418d01fd06a%5E%21/src/compiler/typer.cc

If you are not the right owner, please help triage this bug and find the right owner asap. Thanks.
Cc: bmeu...@chromium.org jarin@chromium.org
Owner: mvstan...@chromium.org
Status: Assigned (was: Unconfirmed)
Simplified repro:

function foo(x) {
  (x
   ? (!0 / 0)
   : x) | 0
}

foo(1);
foo(2);
%OptimizeFunctionOnNextCall(foo);
foo(3);
Components: -Infra>Client>V8 Blink>JavaScript>Compiler
The problem here is that we have a truncation for the NumberDivide, which we take, but then need to produce a tagged value due to the ?: expression. But at that point we only have the original type on the NumberDivide, which is Number, and so we don't know whether we need to treat the truncated word32 value as signed or unsigned. This does actually apply to basically all the Number operations, i.e. we can probably create an example where this crashes for all Number operations that can be produce Numbers, and utilize truncations to decide to produce Word32 values.

The quick fix (which is back-mergable) is probably to just not propagate the truncation for Phi, Select and TypeGuard if the output representation is tagged. The better solution after this is quickfixed is likely to just use the restriction_type as well for truncations, i.e. when you take a truncation you also restrict the output type accordingly, so the lowering phase will have correct type information to make the decision.

I don't think this crash1 example is a security issue tho, because it will just run into V8_Fatal, which immediately turns into Aw Snap for the tab.

Not sure about crash2, but that seems unrelated.
Labels: Pri-1
Project Member

Comment 8 by bugdroid1@chromium.org, Sep 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8af781ea8220f5fa70bef616e5779cee21064543

commit 8af781ea8220f5fa70bef616e5779cee21064543
Author: mvstanton <mvstanton@chromium.org>
Date: Mon Sep 05 20:54:27 2016

[turbofan] Don't propagate truncations if output is tagged.

Disable the propagation of truncations through Phi, Select or TypeGuard
if the output representation is tagged, because when the truncations are
taken we don't necessarily reflect this in the types and therefore we
might end up in a situation where we produce a word32 value, the type
says Number, and now we need to change that to tagged, which is not
possible since we don't know how to interpret the bits, i.e. whether the
value is Signed32 or Unsigned32.

BUG= chromium:644048 

Review-Url: https://codereview.chromium.org/2311903002
Cr-Commit-Position: refs/heads/master@{#39186}

[modify] https://crrev.com/8af781ea8220f5fa70bef616e5779cee21064543/src/compiler/simplified-lowering.cc
[add] https://crrev.com/8af781ea8220f5fa70bef616e5779cee21064543/test/mjsunit/compiler/regress-644048.js

Just want to note that the new tip of v8 no longer crashes on my input crash1.txt, but running: 

valgrind ./d8 crash1.txt

still yields a bunch of "Conditional jump or move depends on unitialised value(s)", and the shell hangs forever. This occurs in all builds when running valgrind ./d8 crash2.txt.

You mentioned this might be a separate issue, do you want to take a look or should I open up a separate bug? Are the valgrind errors/ the hanging anything to be concerned about?
I think it would be useful to track that in a separate bug.
Project Member

Comment 11 by bugdroid1@chromium.org, Sep 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/01cc19fa6f76511f3cc88e0af795620c913b8304

commit 01cc19fa6f76511f3cc88e0af795620c913b8304
Author: jarin <jarin@chromium.org>
Date: Tue Sep 06 20:57:30 2016

[turbofan] Handle word32 truncation in word32->tagged representation change.

Similarly to the word32->float64 case, we interpret word32 as uint32 if
the value is word32 truncated. This is fine because the users declared
they only care about mod 2^32 of the value (that's what word32
truncation means).

This CL also removes the ad-hoc handling of this situation
(https://codereview.chromium.org/2311903002).

BUG= chromium:644048 

Review-Url: https://codereview.chromium.org/2312003005
Cr-Commit-Position: refs/heads/master@{#39224}

[modify] https://crrev.com/01cc19fa6f76511f3cc88e0af795620c913b8304/src/compiler/representation-change.cc
[modify] https://crrev.com/01cc19fa6f76511f3cc88e0af795620c913b8304/src/compiler/representation-change.h
[modify] https://crrev.com/01cc19fa6f76511f3cc88e0af795620c913b8304/src/compiler/simplified-lowering.cc

Sorry for the bother, but will this bug be eligible for a security reward/a review from the panel?

Comment 13 by jarin@chromium.org, Sep 16 2016

I believe this is a stability bug, not a security bug. (We have an always-on assertion there, so we will do a controlled crash here.)

Why do you think it is a security bug?
no strong reason, just thought I'd ask since the label Bug-Security hasn't been removed yet :)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: v8: inputs cause SIGILL/conditional jump or move depends on uninitialized value (was: Security: v8: inputs cause SIGILL/conditional jump or move depends on uninitialized value)
Status: Archived (was: Assigned)

Sign in to add a comment