Security: ILL_ILLOPN/Segfault; crashes Chrome Dev/Beta/Stable
Reported by lu...@princeton.edu, Sep 6 2016
Issue description

VULNERABILITY DETAILS
Loading the attached index.html crashes Chrome dev/beta/stable for Mac. It causes an ILL_ILLOPN and then a segmentation fault when run on d8 built from tip and dev (v8 commit 3807927f46dda120dd7c5192e1313a1188cae83a), and only SIGILL when run on d8 built from v8 commit c668dfb3c38e0efcab923d8381e60f67a5cbb4c0. index.html crashes the Chrome tab in both dev (54.0.2840.8) and beta/stable (53.0.2785.89). This causes a different crash in d8 than https://bugs.chromium.org/p/chromium/issues/detail?id=644135, so I think it's a different bug; in addition this bug will crash Chrome. See the attached crash_error.txt for the full error message when run in d8.

VERSION
Chrome Version: 54.0.2840.6, dev 53.0.2785.87, beta/stable
Operating System: Mac

REPRODUCTION CASE
Open up index.html in dev/stable/beta, or run ./d8 crash.js from tip or dev/stable/beta.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab, v8.
Crash State: SIGILL, segfault.

Please let me know if this submission is eligible for a bug bounty. Thanks!
Sep 6 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5000264417542144
Sep 6 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5697303954587648
Sep 6 2016
Strange... CF can't repro but it pops locally on 53.0.2785.89
0:011> g
Stacktrace (bbbbbbbb-bbbbbbbb) 000001EF024043E1 0000000000000000:
==== JS stack trace =========================================
Security context: 0000034B70BA1039 <a Window with map 000001966D418D09>#0#
1: s [file:///index.html:2] [pc=00000225529183CC](this=0000023B31D06F89 <JS Global Object>#1#,n=000001EF024043E1 <the hole>)
2: /* anonymous */ [file:///index.html:2] [pc=000002255291714B](this=0000023B31D06F89 <JS Global Object>#1#)
3: /* anonymous */ [file:///index.html:2] [pc=0000022552917511](this=0000023B31D06F89 <JS Global Object>#1#)
==== Details ================================================
[1]: s [file:///index.html:2] [pc=00000225529183CC](this=0000023B31D06F89 <JS Global Object>#1#,n=000001EF024043E1 <the hole>) {
// expression stack (top to bottom)
[03] : 0000034B70BC1F41 <FixedArray[3]>#2#
[02] : 1
[01] : 0
[00] : 000001EF024043E1 <the hole>
--------- s o u r c e c o d e ---------
function s(n){n[0]}
-----------------------------------------
}
[2]: /* anonymous */ [file:///index.html:2] [pc=000002255291714B](this=0000023B31D06F89 <JS Global Object>#1#) {
// stack-allocated locals
var .for = 000001EF024043E1 <the hole>
var .result = 000001EF024043E1 <the hole>
var .for = 000001EF024043E1 <the hole>
var .iterator = 0000023B31DA3CF1 <JS Array[1]>#3#
var .result = 000001EF02404399 <undefined>
var .iterator = 0000023B31DA3D51 <an ArrayIterator with map 000001966D422081>#4#
var .result = 0000023B31DA4019 <an Object with map 000001966D4178C1>#5#
var /* anonymous */ = 0000023B31DA40D9 <an ArrayIterator with map 000001966D422081>#6#
var /* anonymous */ = 0000023B31DA4131 <an Object with map 000001966D4178C1>#7#
var /* anonymous */ = 2
var /* anonymous */ = 000001EF02404399 <undefined>
var s = 000001EF02404399 <undefined>
// expression stack (top to bottom)
[19] : 000001EF024043E1 <the hole>
[18] : 0000023B31D06F89 <JS Global Object>#1#
[17] : 0000023B31DA3CA9 <JS Function s (SharedFunctionInfo 0000034B70BC0FC1)>#8#
[16] : 0000034B70B7C629 <FixedArray[183]>#9#
[15] : 0000034B70B7C629 <FixedArray[183]>#9#
[14] : 0000034B70B7C629 <FixedArray[183]>#9#
[13] : 0000023B31DA3CA9 <JS Function s (SharedFunctionInfo 0000034B70BC0FC1)>#8#
[12] : 000001EF02404399 <undefined>
--------- s o u r c e c o d e ---------
function (){function s(n){n[0]}for(let y of[...[],,]){try{s(y)}catch(e){}}}
-----------------------------------------
}
[3]: /* anonymous */ [file:///index.html:2] [pc=0000022552917511](this=0000023B31D06F89 <JS Global Object>#1#) {
// stack-allocated locals
var .result = 000001EF02404399 <undefined>
// expression stack (top to bottom)
[02] : 0000023B31D06F89 <JS Global Object>#1#
[01] : 0000023B31DA3C61 <JS Function (SharedFunctionInfo 0000034B70BC0E71)>#10#
--------- s o u r c e c o d e ---------
\x0a(function(){function s(n){n[0]}for(let y of[...[],,]){try{s(y)}catch(e){}}})()\x0a
-----------------------------------------
}
==== Key ============================================
#0# 0000034B70BA1039: 0000034B70BA1039 <a Window with map 000001966D418D09>
#1# 0000023B31D06F89: 0000023B31D06F89 <JS Global Object>
#2# 0000034B70BC1F41: 0000034B70BC1F41 <FixedArray[3]>
0: 0000034B70BC1E81 <FixedArray[3]>#11#
1: 000001EF02406089 <Symbol: megamorphic_symbol>#12#
2: 0
#3# 0000023B31DA3CF1: 0000023B31DA3CF1 <JS Array[1]>
#4# 0000023B31DA3D51: 0000023B31DA3D51 <an ArrayIterator with map 000001966D422081>
#5# 0000023B31DA4019: 0000023B31DA4019 <an Object with map 000001966D4178C1>
value: 000001EF02404399 <undefined>
done: 000001EF02404439 <true>
#6# 0000023B31DA40D9: 0000023B31DA40D9 <an ArrayIterator with map 000001966D422081>
#7# 0000023B31DA4131: 0000023B31DA4131 <an Object with map 000001966D4178C1>
value: 000001EF024043E1 (4220.61a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
0:000> k
# Child-SP RetAddr Call Site
00 000000e0`24f74bf8 00007ffe`9b1d25f4 0x0
01 000000e0`24f74c00 00007ffe`9b1a5479 chrome_child!v8::base::OS::Abort+0x10 [c:\b\build\slave\win64-pgo\build\src\v8\src\base\platform\platform-win32.cc @ 836]
02 000000e0`24f74c30 00007ffe`9ab7fea7 chrome_child!v8::internal::Isolate::PushStackTraceAndDie+0x9d [c:\b\build\slave\win64-pgo\build\src\v8\src\isolate.cc @ 312]
03 (Inline Function) --------`-------- chrome_child!v8::internal::LookupIterator::GetRootForNonJSReceiver+0xac07e9 [c:\b\build\slave\win64-pgo\build\src\v8\src\lookup.cc @ 136]
04 000000e0`24f7ccb0 00007ffe`9a057082 chrome_child!v8::internal::LookupIterator::GetRoot+0xac0837 [c:\b\build\slave\win64-pgo\build\src\v8\src\lookup.h @ 346]
05 000000e0`24f7cd00 00007ffe`9a2b90be chrome_child!v8::internal::LookupIterator::LookupIterator+0x46 [c:\b\build\slave\win64-pgo\build\src\v8\src\lookup.h @ 92]
06 (Inline Function) --------`-------- chrome_child!v8::internal::LookupIterator::PropertyOrElement+0x101 [c:\b\build\slave\win64-pgo\build\src\v8\src\lookup.cc @ 26]
07 000000e0`24f7cd30 00007ffe`9a2beaf4 chrome_child!v8::internal::Runtime::GetObjectProperty+0x13a [c:\b\build\slave\win64-pgo\build\src\v8\src\runtime\runtime-object.cc @ 31]
08 000000e0`24f7ce50 00007ffe`9a2bddc4 chrome_child!v8::internal::KeyedLoadIC::Load+0x1a4 [c:\b\build\slave\win64-pgo\build\src\v8\src\ic\ic.cc @ 1387]
09 (Inline Function) --------`-------- chrome_child!v8::internal::__RT_impl_Runtime_KeyedLoadIC_Miss+0x1a4 [c:\b\build\slave\win64-pgo\build\src\v8\src\ic\ic.cc @ 2386]
0a 000000e0`24f7ced0 00000225`5280614b chrome_child!v8::internal::Runtime_KeyedLoadIC_Miss+0x1dc [c:\b\build\slave\win64-pgo\build\src\v8\src\ic\ic.cc @ 2372]
0b 000000e0`24f7d020 00007ffe`9a2bdbe7 0x00000225`5280614b
0c 000000e0`24f7d028 0000034b`70b7c629 chrome_child!v8::internal::Runtime_StoreIC_Slow+0x1f7
0d 000000e0`24f7d030 00000225`529183cc 0x0000034b`70b7c629
0e 000000e0`24f7d038 00000287`9368dea0 0x00000225`529183cc
0f 000000e0`24f7d040 00000287`9368df68 0x00000287`9368dea0
10 000000e0`24f7d048 00000000`beeddead 0x00000287`9368df68
11 000000e0`24f7d050 000000e0`24f7d0b0 0xbeeddead
12 000000e0`24f7d058 00000225`52806081 0x000000e0`24f7d0b0
13 000000e0`24f7d060 000000e0`24f7d020 0x00000225`52806081
14 000000e0`24f7d068 00000003`00000000 0x000000e0`24f7d020
15 000000e0`24f7d070 000000e0`24f7d0b0 0x00000003`00000000
16 000000e0`24f7d078 00000225`529183cc 0x000000e0`24f7d0b0
17 000000e0`24f7d080 0000034b`70bc1f41 0x00000225`529183cc
18 000000e0`24f7d088 00000001`00000000 0x0000034b`70bc1f41
19 000000e0`24f7d090 00000000`00000000 0x00000001`00000000
0xbbbbbbbb magic seems to be null root in isolate - https://cs.chromium.org/chromium/src/v8/src/lookup.cc?sq=package:chromium&dr=C&l=134
Don't think this results in any attacker control - cbruni@ WDYT?
Sep 7 2016
The stacktrace above is a controlled crash (note PushStacktraceAndDie) which would clearly exclude any security problem.
Sep 7 2016
Just a FYI that I've been able to reproduce the crash on 55.0.2852.0 downloaded from: https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=linux-release/, commit position 416826. I'm attaching the exact specs of chrome 55 that I've been able to repro, for your benefit. Like I said before, I was also able to repro the crash on 54 as well as 53.
Sep 7 2016
This looks like a straightforward bug with spread, nothing to do with the for loop. The following code also crashes: [...[],,][0][0]
Sep 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e4273007b613950845e92d479485ec737eb61185

commit e4273007b613950845e92d479485ec737eb61185
Author: adamk <adamk@chromium.org>
Date: Thu Sep 08 18:50:17 2016

Properly handle holes following spreads in array literals

Before this change, the spread desugaring would naively call `%AppendElement($R, the_hole)` and in some cases $R would have a non-holey elements kind, putting the array into the bad state of exposing holes to author code.

This patch avoids calling %AppendElement with a hole, instead simply incrementing $R.length when it sees a hole in the literal (this is safe because $R is known to be an Array). The existing logic for elements transitions takes care of giving the array a holey ElementsKind.

BUG= chromium:644215
Review-Url: https://codereview.chromium.org/2321533003
Cr-Commit-Position: refs/heads/master@{#39294}

[modify] https://crrev.com/e4273007b613950845e92d479485ec737eb61185/src/ast/ast-value-factory.h
[modify] https://crrev.com/e4273007b613950845e92d479485ec737eb61185/src/parsing/parser.cc
[modify] https://crrev.com/e4273007b613950845e92d479485ec737eb61185/src/runtime/runtime-object.cc
[add] https://crrev.com/e4273007b613950845e92d479485ec737eb61185/test/mjsunit/regress/regress-crbug-644215.js
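The fix described in the commit above, and the one-line trigger `[...[],,][0][0]` from the earlier comment, modelled as an added example (not V8's code or the reporter's test case): a plain-JS stand-in for the spread desugaring, with the old hole-appending path beside the corrected length-increment path. `THE_HOLE`, `ELISION` and the function names are assumptions for the model; the real hole is an engine-internal value that script cannot construct.

```javascript
// Added example (not V8's code or the reporter's test case): a plain-JS model of
// the array-literal spread desugaring, showing the old hole-appending path beside
// the corrected length-increment path from the fix. THE_HOLE, ELISION and the
// function names are hypothetical; the real hole is engine-internal and cannot be
// constructed from script.

// Stand-in for V8's internal "the hole" value, which script must never observe.
const THE_HOLE = Symbol("the_hole");
// Marker for an elision (`,,`) in the literal description below.
const ELISION = Symbol("elision");

// A literal is a list of parts: {spread: iterable}, {value: v}, or ELISION.
// Old desugaring: the hole was appended like a value, so after a spread had left
// $R packed (non-holey), the slot held the hole itself and reads could leak it.
function desugarOld(parts) {
  const r = [];
  for (const p of parts) {
    if (p === ELISION) r.push(THE_HOLE);               // the bug: hole becomes a value
    else if (p.spread) for (const v of p.spread) r.push(v);
    else r.push(p.value);
  }
  return r;
}

// Fixed desugaring: never append a hole; grow the length so the slot stays absent
// (the array's elements kind then transitions to holey, as the commit describes).
function desugarFixed(parts) {
  const r = [];
  for (const p of parts) {
    if (p === ELISION) r.length++;                     // slot exists but is absent
    else if (p.spread) for (const v of p.spread) r.push(v);
    else r.push(p.value);
  }
  return r;
}

// Script-observable shape: length, which indices are present, and whether the
// hole sentinel leaked into a slot.
function shape(a) {
  return { length: a.length, present: Object.keys(a), leaked: a.includes(THE_HOLE) };
}

// The report's trigger, [...[],,][0][0], must throw a TypeError (property read on
// undefined), never crash the engine or hand back an internal value.
function readNestedFirst(arr) {
  try { return String(arr[0][0]); } catch (e) { return e.constructor.name; }
}

// Constructed sample literal, equivalent to [...[1, 2], , 3].
const SAMPLE = [{ spread: [1, 2] }, ELISION, { value: 3 }];
```

Comparing `shape(desugarFixed(...))` with `shape` of the native literal shows the corrected model and the engine agree on length and on which indices are absent.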
Sep 8 2016
Re-marking as security; I'm not sure what the impact is, but this bug would allow the creation of an array with a non-holey backing store containing holes. It's also just a way to get hold of a hole from author script. Adding bmeurer for thoughts on whether that makes this a security problem (in any case I think merging is appropriate).
Sep 8 2016
+ awhalley@ (Security TPM) Is this bug applicable only to Mac, or to all OSes?
Sep 8 2016
Attached index.html also causes a crash on Windows.
Sep 8 2016
This bug applies to all platforms.
Sep 9 2016
[Automated comment] Request affecting a post-stable build (M53), manual review required.
Sep 9 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 10 2016
+ awhalley@ , do we need to take this merge in for next week's Stable release? If yes, the merge has to happen before 3:00 PM PT on Monday (09/12). Thank you.
Sep 13 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/cd6253935451ca3c55661b8dd6d139bbf6efb75e

commit cd6253935451ca3c55661b8dd6d139bbf6efb75e
Author: adamk <adamk@chromium.org>
Date: Wed Sep 14 23:05:46 2016

Merged: Properly handle holes following spreads in array literals

Revision: e4273007b613950845e92d479485ec737eb61185

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
BUG= chromium:644215
TBR=hablich@chromium.org
Review-Url: https://codereview.chromium.org/2342703002
Cr-Commit-Position: refs/branch-heads/5.4@{#45}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/cd6253935451ca3c55661b8dd6d139bbf6efb75e/src/ast/ast-value-factory.h
[modify] https://crrev.com/cd6253935451ca3c55661b8dd6d139bbf6efb75e/src/parsing/parser.cc
[modify] https://crrev.com/cd6253935451ca3c55661b8dd6d139bbf6efb75e/src/runtime/runtime-object.cc
[add] https://crrev.com/cd6253935451ca3c55661b8dd6d139bbf6efb75e/test/mjsunit/regress/regress-crbug-644215.js
Sep 16 2016
Sorry for the bother, but following up on https://bugs.chromium.org/p/chromium/issues/detail?id=644215#c12, will this bug be eligible for a security reward/a review from the panel?
Oct 10 2016
After review with mbarbella@ we don't think this is exploitable.
Dec 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 6 2016. Status: Untriaged (was: Unconfirmed)