Security: js input crashes Chrome on FPE; seemingly non-deterministic in the v8 shell?
Reported by
lu...@princeton.edu,
Sep 9 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Opening up the attached index.html in Chrome crashes dev/stable/beta. Running ./d8 fpe-crash.js will cause an FPE error; the attached ASAN output is below. The exception is reproduced on d8 built from tip and from commits 3807927f46dda120dd7c5192e1313a1188cae83a and c668dfb3c38e0efcab923d8381e60f67a5cbb4c0, corresponding to the dev/stable/beta v8 engines. index.html crashes the Chrome tab in both dev (54.0.2840.8) and beta/stable (53.0.2785.89). Strangely, the exception manifests non-deterministically (although the vast majority of the time when opening up index.html in the real browser). For example, when I tried running:

while true; do ./d8 fpe-crash.js && echo "run"; done

I noticed the exception happens more often when running a second

while true; do echo "hi"; done

process, so I'm not sure why this is happening.
asan output follows:

ASAN:DEADLYSIGNAL
=================================================================
==22142==ERROR: AddressSanitizer: FPE on unknown address 0x7ffe8a27d3f1 (pc 0x7ffe8a27d3f1 bp 0x7fffffffd620 sp 0x7fffffffd600 T0)
    #0 0x7ffe8a27d3f0 (<unknown module>)
    #1 0x7ffe8a27b6fa (<unknown module>)
    #2 0x7ffe8a27b039 (<unknown module>)
    #3 0x7ffe8a27b541 (<unknown module>)
    #4 0x7ffe8a24c742 (<unknown module>)
    #5 0x7ffe8a22a6a0 (<unknown module>)
    #6 0x55555687adc3 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:139:13
    #7 0x55555687a1f7 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:176:10
    #8 0x555555b0987d in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:1843:23
    #9 0x555555a8ba87 in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool, v8::Shell::SourceType) v8/src/d8.cc:517:28
    #10 0x555555a9e851 in v8::SourceGroup::Execute(v8::Isolate*) v8/src/d8.cc:1669:10
    #11 0x555555aa445f in v8::Shell::RunMain(v8::Isolate*, int, char**, bool) v8/src/d8.cc:2177:34
    #12 0x555555aa7551 in v8::Shell::Main(int, char**) v8/src/d8.cc:2677:16
    #13 0x7ffff6bb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (<unknown module>)
==22142==ABORTING

VERSION
Chrome Version: 54.0.2840.6, dev
53.0.2785.87, beta/stable
Operating System: Mac

REPRODUCTION CASE
Open up index.html in dev/stable/beta, or run ./d8 fpe-crash.js from tip or dev/stable/beta. I will try to minify the test case further tomorrow.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab, v8.
Crash State: FPE

Please let me know if this submission is eligible for a bug bounty. Thanks!
Sep 9 2016
I can repro manually by loading index.html and pushing refresh on the page. I get a division by zero error somewhere in v8. I'll see if CF can detect it too. Leaving it at Low until I know more about the crash.
Sep 9 2016
I'm attaching a smaller/simpler version of index-min.html that produces the same crash. The JavaScript is as follows:

// m feeds each array element to n twice: once as-is (x) and once truncated to int32 (x>>0).
m=function(x){n(x,x>>0)};
// For x = -0x80000001: Math.fround(x)>>0 is -2147483648 (INT32_MIN) and x>>0 is 0x7fffffff,
// so y-(0x80000000|0)|0 wraps to -1 and the division is INT32_MIN / -1.
n=function(x,y){((Math.fround(x)>>0)/(y-(0x80000000|0)|0))|m};
a=[,,,,,,-0x80000001,,0];
// Call m/n repeatedly so the optimizing compiler picks them up.
for(j=0;j<a.length*4;++j){
for(k=0;k<a.length;++k){
m(a[k]);
}
}
Sep 9 2016
hi mlippautz this seems to be a reliable FPE crash in v8 - I wonder if you could take a look and find an appropriate owner for this? Thanks.
Sep 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5572679908458496

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address:
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=344607:344814

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956u85GuwDvdjBF7Tyygt4ULYhI77l8_1mOpXSSNOD1sbXhyDc6R1F7ywpOIgcHqZtrTfkhFR4Hbl_3gAeNwZJCum0XZwf4332qk9HUelfjc3r12gDycQMsQr-cBlZiFMECZ3JGnB1u721M8tmDuuFewNzQaA?testcase_id=5572679908458496

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 12 2016
Mlippautz is on vacation. Titzer ptal.
Sep 23 2016
titzer: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 8 2016
titzer: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 10 2016
Repros fine when one extracts the JS from #3 in D8. I suspect it is related to Crankshaft because it does not repro with the following flags: --turbo --no-crankshaft --ignition --always-opt --turbo Igor, PTAL or please assign to another suitable owner. This needs to be fixed.
Oct 11 2016
// Reduced test case: the divisor wraps to -1 and the dividend is INT32_MIN,
// the one int32 quotient that does not fit in 32 bits.
function n(x,y){
  var z = (y-(0x80000000|0)|0);   // 0x80000000|0 is INT32_MIN; for y = 0x7fffffff, z wraps to -1
  return (x/z)|0;                 // INT32_MIN / -1 as an int32 division
};
var x = -0x80000000;
var y = 0x7fffffff;
n(x,y);                           // warm up to collect type feedback
n(x,y);
%OptimizeFunctionOnNextCall(n);   // natives syntax: run d8 with --allow-natives-syntax
print(n(x,y));
Oct 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9a0109d72e3dbbca282d39a5e401a3b61a2285e8

commit 9a0109d72e3dbbca282d39a5e401a3b61a2285e8
Author: ishell <ishell@chromium.org>
Date: Wed Oct 12 09:06:01 2016

[crankshaft] Range analysis should not rely on overflowed ranges.

BUG= chromium:645438

Review-Url: https://codereview.chromium.org/2412853002
Cr-Commit-Position: refs/heads/master@{#40202}

[modify] https://crrev.com/9a0109d72e3dbbca282d39a5e401a3b61a2285e8/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/9a0109d72e3dbbca282d39a5e401a3b61a2285e8/src/crankshaft/hydrogen-instructions.h
[add] https://crrev.com/9a0109d72e3dbbca282d39a5e401a3b61a2285e8/test/mjsunit/regress/regress-crbug-645438.js
Oct 13 2016
[Automated comment] Less than 2 weeks to go before stable on M54, manual review required.
Oct 13 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 13 2016
Merged to M55: https://codereview.chromium.org/2418863002/
Oct 13 2016
Per comment #25, this is already merged to M55. So applying "merge-merged-5.5" label and removing "Merge-Approved-55" label. Thank you.
Oct 14 2016
ClusterFuzz has detected this issue as fixed in range 424757:424939.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5572679908458496

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address:
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=344607:344814
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424757:424939

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956u85GuwDvdjBF7Tyygt4ULYhI77l8_1mOpXSSNOD1sbXhyDc6R1F7ywpOIgcHqZtrTfkhFR4Hbl_3gAeNwZJCum0XZwf4332qk9HUelfjc3r12gDycQMsQr-cBlZiFMECZ3JGnB1u721M8tmDuuFewNzQaA?testcase_id=5572679908458496

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
This is too close to M54's full stable launch to merge.
Oct 19 2016
This reduces the amount of Invoke (generated code) crashers so we should merge it back to 5.4.
Oct 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/495e5a0e8e486ce470040663256ddb9f35505ee2

commit 495e5a0e8e486ce470040663256ddb9f35505ee2
Author: ishell@chromium.org <ishell@chromium.org>
Date: Wed Oct 19 15:49:47 2016

Merged: [crankshaft] Range analysis should not rely on overflowed ranges.

Revision: 9a0109d72e3dbbca282d39a5e401a3b61a2285e8

BUG= chromium:645438
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/2436763002 .

Cr-Commit-Position: refs/branch-heads/5.4@{#67}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/495e5a0e8e486ce470040663256ddb9f35505ee2/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/495e5a0e8e486ce470040663256ddb9f35505ee2/src/crankshaft/hydrogen-instructions.h
[add] https://crrev.com/495e5a0e8e486ce470040663256ddb9f35505ee2/test/mjsunit/regress/regress-crbug-645438.js
Jan 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot