
Issue 645438

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug




Security: js input crashes Chrome on FPE; seemingly non-deterministic in the v8 shell?

Reported by lu...@princeton.edu, Sep 9 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Opening up the attached index.html in Chrome crashes dev/stable/beta. Running ./d8 fpe-crash.js causes an FPE; the ASAN output is attached below. The exception is reproduced on d8 built from tip and from commits 3807927f46dda120dd7c5192e1313a1188cae83a and c668dfb3c38e0efcab923d8381e60f67a5cbb4c0, corresponding to the dev/stable/beta v8 engines.

index.html crashes chrome tab in both dev (54.0.2840.8) and beta/stable (53.0.2785.89).

Strangely, the exception manifests non-deterministically (although a vast majority of the time when opening up index.html in the real browser). For example, when I tried running:

while true; do ./d8 fpe-crash.js && echo "run"; done

I noticed the exception happens more often when running a second 
while true; do echo "hi"; done
process, so I'm not sure why this is happening.

asan output follows:

ASAN:DEADLYSIGNAL
=================================================================
==22142==ERROR: AddressSanitizer: FPE on unknown address 0x7ffe8a27d3f1 (pc 0x7ffe8a27d3f1 bp 0x7fffffffd620 sp 0x7fffffffd600 T0)
    #0 0x7ffe8a27d3f0  (<unknown module>)
    #1 0x7ffe8a27b6fa  (<unknown module>)
    #2 0x7ffe8a27b039  (<unknown module>)
    #3 0x7ffe8a27b541  (<unknown module>)
    #4 0x7ffe8a24c742  (<unknown module>)
    #5 0x7ffe8a22a6a0  (<unknown module>)
    #6 0x55555687adc3 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:139:13
    #7 0x55555687a1f7 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:176:10
    #8 0x555555b0987d in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:1843:23
    #9 0x555555a8ba87 in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool, v8::Shell::SourceType) v8/src/d8.cc:517:28
    #10 0x555555a9e851 in v8::SourceGroup::Execute(v8::Isolate*) v8/src/d8.cc:1669:10
    #11 0x555555aa445f in v8::Shell::RunMain(v8::Isolate*, int, char**, bool) v8/src/d8.cc:2177:34
    #12 0x555555aa7551 in v8::Shell::Main(int, char**) v8/src/d8.cc:2677:16
    #13 0x7ffff6bb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (<unknown module>) 
==22142==ABORTING

VERSION
Chrome Version: 54.0.2840.6, dev
                53.0.2785.87, beta/stable

Operating System: Mac

REPRODUCTION CASE
Open up index.html in dev/stable/beta, or run ./d8 fpe-crash.js from tip or dev/stable/beta.

I will try to minify the test case further tomorrow.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab, v8.
Crash State: FPE

Please let me know if this submission is eligible for a bug bounty. Thanks!

fpe-crash.js
416 bytes
index.html
507 bytes

Comment 1 by ClusterFuzz, Sep 9 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5572679908458496

Comment 2 by wfh@chromium.org, Sep 9 2016

Cc: jochen@chromium.org hablich@chromium.org
Components: Blink>JavaScript
Labels: Security_Severity-Low Security_Impact-Stable Pri-2
Status: Untriaged (was: Unconfirmed)
I can repro manually by loading index.html and pushing refresh on the page. I get a division by zero error somewhere in v8. I'll see if CF can detect it too. Leaving it at Low until I know more about the crash.
I'm attaching a smaller/simpler version of index-min.html that produces the same crash. The javascript is as follows:

m=function(x){n(x,x>>0)};
n=function(x,y){((Math.fround(x)>>0)/(y-(0x80000000|0)|0))|m};
a=[,,,,,,-0x80000001,,0];
for(j=0;j<a.length*4;++j){
    for(k=0;k<a.length;++k){
        m(a[k]);
    }
}
index-min.html
280 bytes

Comment 4 by wfh@chromium.org, Sep 9 2016

Cc: mstarzinger@chromium.org jarin@chromium.org cbruni@chromium.org hpayer@chromium.org
Labels: -Security_Severity-Low Security_Severity-Medium
Owner: mlippautz@chromium.org
Status: Assigned (was: Untriaged)
Hi mlippautz, this seems to be a reliable FPE crash in v8 - I wonder if you could take a look and find an appropriate owner for this? Thanks.

Comment 5 by ClusterFuzz, Sep 9 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5572679908458496

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=344607:344814

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956u85GuwDvdjBF7Tyygt4ULYhI77l8_1mOpXSSNOD1sbXhyDc6R1F7ywpOIgcHqZtrTfkhFR4Hbl_3gAeNwZJCum0XZwf4332qk9HUelfjc3r12gDycQMsQr-cBlZiFMECZ3JGnB1u721M8tmDuuFewNzQaA?testcase_id=5572679908458496

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 6 by sheriffbot@chromium.org, Sep 10 2016

Labels: M-54

Comment 7 by sheriffbot@chromium.org, Sep 10 2016

Labels: -Pri-2 Pri-1
Cc: titzer@chromium.org
Owner: ----
Status: Available (was: Assigned)
Mlippautz is on vacation. Titzer ptal.

Comment 9 by wfh@chromium.org, Sep 13 2016

Cc: -titzer@chromium.org
Owner: titzer@chromium.org
Status: Assigned (was: Available)

Comment 10 by wfh@chromium.org, Sep 13 2016

Labels: OS-All

Comment 11 by sheriffbot@chromium.org, Sep 23 2016

titzer: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org, Oct 8 2016

titzer: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: bmeu...@chromium.org titzer@chromium.org
Owner: ishell@chromium.org
Repros fine when one extracts the JS from #3 in D8. I suspect it is related to Crankshaft because it does not repro with the following flags:

--turbo
--no-crankshaft
--ignition
--always-opt --turbo

Igor, PTAL or please assign to another suitable owner. This needs to be fixed.

Comment 14 Deleted

// Run in d8 with --allow-natives-syntax so that %OptimizeFunctionOnNextCall is recognized.
function n(x,y){
  var z = (y-(0x80000000|0)|0);   // wraps to -1 when y is 0x7fffffff
  return (x/z)|0;                 // -0x80000000 / -1: the INT_MIN / -1 case
}
var x = -0x80000000;
var y = 0x7fffffff;
n(x,y);
n(x,y);
%OptimizeFunctionOnNextCall(n);
print(n(x,y));
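The two repros above (the index-min.html script in comment 2 and the reduced function here) both hit the same condition: the divisor `y-(0x80000000|0)|0` wraps to -1 while the dividend is -0x80000000, which is the one operand pair besides division by zero that makes a native idiv trap. The following is an added example, not code from this thread or from V8: it evaluates the reduced repro with plain JavaScript semantics (no JIT), and contrasts a toy int32 range analysis that ignores `|0` wraparound with one that does not, to show how the former "proves" the divisor is never -1 and would drop the guard. All function names (`naiveSubRange`, `wrappedSubRange`, `needsMinusOneGuard`, `safeInt32Div`, `demo`) are my own, and the widen-to-full-range rule is a simplification of what a real compiler does.

```javascript
// Added example, not code from the bug thread or from V8. Models why the
// optimized n() trapped: an int32 range analysis that ignores |0 wraparound
// concludes the divisor is never -1 and omits the INT32_MIN / -1 guard that
// a native idiv needs. All names below are hypothetical.

const INT32_MIN = -0x80000000;
const INT32_MAX = 0x7fffffff;

// The reduced repro, as the JavaScript spec evaluates it (no JIT involved).
function n(x, y) {
  // 0x7fffffff - INT32_MIN is 2^32 - 1 mathematically; |0 wraps it to -1.
  const z = (y - (0x80000000 | 0)) | 0;
  // -2^31 / -1 is exactly 2^31 as a double; |0 wraps that to INT32_MIN.
  return (x / z) | 0;
}

// Interval arithmetic for `y - c` over a range {lo, hi} of y, the way an
// optimizer that trusts unbounded integer arithmetic would compute it.
function naiveSubRange(range, c) {
  return { lo: range.lo - c, hi: range.hi - c };
}

// Same operation, honest about int32 wraparound: once the exact result can
// leave [INT32_MIN, INT32_MAX], the wrapped value can be any int32, so the
// only sound answer is the full range. (Simplified; a real compiler may
// compute the exact wrapped interval instead.)
function wrappedSubRange(range, c) {
  const r = naiveSubRange(range, c);
  if (r.lo < INT32_MIN || r.hi > INT32_MAX) {
    return { lo: INT32_MIN, hi: INT32_MAX };
  }
  return r;
}

// A compiler may omit the INT32_MIN / -1 check only if the divisor range
// provably excludes -1.
function needsMinusOneGuard(divisorRange) {
  return divisorRange.lo <= -1 && -1 <= divisorRange.hi;
}

// What correct machine-level int32 division must do: both operand pairs that
// make x86 idiv raise #DE (delivered as SIGFPE) are handled before dividing,
// and the results match what (a / b) | 0 yields in JavaScript.
function safeInt32Div(a, b) {
  if (b === 0) return 0;                              // JS: +-Infinity or NaN, |0 -> 0
  if (a === INT32_MIN && b === -1) return INT32_MIN;  // 2^31 wrapped to int32
  return (a / b) | 0;
}

function demo() {
  const x = -0x80000000;
  const y = 0x7fffffff;
  const yRange = { lo: y, hi: y };                    // y is a constant in the repro
  const divisor = (y - (0x80000000 | 0)) | 0;         // -1
  return {
    divisor,
    specResult: n(x, y),                               // INT32_MIN
    guardedResult: safeInt32Div(x, divisor),           // INT32_MIN, no trap
    naiveSaysGuardNeeded: needsMinusOneGuard(naiveSubRange(yRange, INT32_MIN)),     // false
    wrappedSaysGuardNeeded: needsMinusOneGuard(wrappedSubRange(yRange, INT32_MIN)), // true
  };
}

console.log(demo());
```

The `naiveSaysGuardNeeded: false` result is the elided check: with the divisor range computed as [4294967295, 4294967295], -1 looks impossible, so a compiler trusting that range emits a bare idiv. The fix title in the merged commit below, "Range analysis should not rely on overflowed ranges", is the `wrappedSubRange` behaviour: a range that overflowed int32 must not be used to discharge the guard.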

Labels: M-55 M-53
Status: Fixed (was: Assigned)
Labels: Merge-Request-54 Merge-Request-55

Comment 20 by sheriffbot@chromium.org, Oct 12 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -Type-Bug-Security -Security_Impact-Stable -Security_Severity-Medium Type-Bug

Comment 23 by dimu@chromium.org, Oct 13 2016

Labels: -Merge-Request-54 Merge-Review-54 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M54, manual review required.

Comment 24 by dimu@chromium.org, Oct 13 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Labels: -Merge-Approved-55 merge-merged-5.5
Per comment #25, this is already merged to M55. So applying "merge-merged-5.5" label and removing "Merge-Approved-55" label. Thank you.

Comment 27 by ClusterFuzz, Oct 14 2016

ClusterFuzz has detected this issue as fixed in range 424757:424939.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5572679908458496

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=344607:344814
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424757:424939

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956u85GuwDvdjBF7Tyygt4ULYhI77l8_1mOpXSSNOD1sbXhyDc6R1F7ywpOIgcHqZtrTfkhFR4Hbl_3gAeNwZJCum0XZwf4332qk9HUelfjc3r12gDycQMsQr-cBlZiFMECZ3JGnB1u721M8tmDuuFewNzQaA?testcase_id=5572679908458496

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -reward-topanel
Labels: -Merge-Review-54 Merge-Rejected-54
This is too close to M54's full stable launch to merge.
Labels: -Merge-Rejected-54 Merge-Approved-54
This reduces the amount of Invoke (generated code) crashers so we should merge it back to 5.4.
Labels: Postmortem-Followup

Comment 32 by bugdroid1@chromium.org, Oct 19 2016

Labels: merge-merged-5.4
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/495e5a0e8e486ce470040663256ddb9f35505ee2

commit 495e5a0e8e486ce470040663256ddb9f35505ee2
Author: ishell@chromium.org <ishell@chromium.org>
Date: Wed Oct 19 15:49:47 2016

Merged: [crankshaft] Range analysis should not rely on overflowed ranges.

Revision: 9a0109d72e3dbbca282d39a5e401a3b61a2285e8

BUG= chromium:645438 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/2436763002 .

Cr-Commit-Position: refs/branch-heads/5.4@{#67}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/495e5a0e8e486ce470040663256ddb9f35505ee2/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/495e5a0e8e486ce470040663256ddb9f35505ee2/src/crankshaft/hydrogen-instructions.h
[add] https://crrev.com/495e5a0e8e486ce470040663256ddb9f35505ee2/test/mjsunit/regress/regress-crbug-645438.js

Labels: -Merge-Approved-54
Labels: NodeJS-Backport-Done

Comment 35 by sheriffbot@chromium.org, Jan 18 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
