New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 659561 link

Starred by 1 user
Status: Duplicate
Merged: issue 663402
Owner:
hpayer@chromium.org
Last visit > 30 days ago
Closed: Nov 2016
Cc:
mlippautz@chromium.org
jkummerow@chromium.org
hablich@chromium.org
infe...@chromium.org
hpayer@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Global-buffer-overflow in v8

Reported by hadeswi...@gmail.com, Oct 26 2016 
Steps to reproduce the problem:
1. build v8
2. adb push d8 /data/local/tmp/
3. chmod 775 d8
4. adb push case1.js /data/local/tmp/
5. ./d8 case1.js

What is the expected behavior?

What went wrong?
d8 crash SIGSEGV

Did this work before? N/A 

Chrome version: V8 version 5.5.0 (candidate)  Channel: stable
OS Version: 6.0.1
Flash Version: Shockwave Flash 18.0 r0
D8_case1.zip
9.7 KB Download
Project Member

Comment 1 by ClusterFuzz, Oct 27 2016 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5812391926562816
Project Member

Comment 2 by ClusterFuzz, Oct 27 2016 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5787321095159808
Project Member

Comment 3 by ClusterFuzz, Oct 28 2016 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5028970698637312
Project Member

Comment 4 by ClusterFuzz, Oct 28 2016 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5883837331800064

Comment 5 by ta...@google.com, Oct 28 2016

Components: Infra>Client>V8
Labels: -OS-Android OS-All
Status: Untriaged (was: Unconfirmed)
Clusterfuzz confirmed the crash (https://cluster-fuzz.appspot.com/v2/testcase-detail/5028970698637312).

Thank you, hadeswillj@ for reporting this!

Comment 6 by ta...@google.com, Oct 28 2016

Labels: Security_Severity-Medium
Owner: hpayer@chromium.org
Status: Assigned (was: Untriaged)
hpayer@, I wonder if you can take a look. Thanks.

Comment 7 by ta...@google.com, Oct 28 2016

Labels: Security_Impact-Stable
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 28 2016

Labels: M-55
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 28 2016

Labels: -Pri-2 Pri-1

Comment 10 by hpayer@chromium.org, Oct 28 2016

Cc: hablich@chromium.org
Status: Started (was: Assigned)

Comment 11 by hablich@chromium.org, Oct 28 2016

Cc: infe...@chromium.org
Components: -Infra>Client>V8 Blink>JavaScript>GC

Comment 12 by hpayer@chromium.org, Oct 28 2016

Cc: hpayer@chromium.org
Owner: mlippautz@chromium.org
Assigning to the current memory sheriff.

Comment 13 by mlippautz@chromium.org, Nov 2 2016

Cc: -hpayer@chromium.org mlippautz@chromium.org
Owner: hpayer@chromium.org
Alright, it's related to crankshaft allocation folding. Without folding (--nouse-allocation-folding) it doesn't crash. Also, I see some folding going on immediately before the crash. Another symptom is that top is already behind limit when we enter the runtime.

output (likely useless without inspecting using C1 visualizer):
  #21 (Allocate) cannot fold into #14 (StackCheck)
  #800 (Allocate) inserted for dominator #21 (Allocate)
  #31 (Allocate) folded into #21 (Allocate), new dominator size: 1080
  #21 (Allocate) cannot fold into #14 (StackCheck)

The symptom is that top overtakes limit, which a simple print confirms:
  EnsureAllocation: size: 552, old_top: 0xeff801e0 old_limit: 0xeff80000, high: 0xeff80000
                                        ^^^^^^^^^^            ^^^^^^^^^^

gn args:
is_component_build = true
is_debug = true
use_goma = true
is_asan = true
target_cpu = "x86"
v8_enable_backtrace = true
v8_enable_slow_dchecks = true
v8_target_cpu = "arm"

The old folding implementation (tried 2fe1ee4e0484119243ff32ecbb203335cb64045b) also crashes.

Comment 14 by mlippautz@chromium.org, Nov 2 2016 

+out log
folding.log
283 KB View Download

Comment 15 by mlippautz@chromium.org, Nov 8 2016

Cc: jkummerow@chromium.org
Seems to be the same issue Jakob is currently debugging/fixing. We allocate on the very end of page and access out of bounds above limit, which is a different (often unmapped) page.

Tested a fix locally and I am not able to reproduce the problem anymore.

Comment 16 by jkummerow@chromium.org, Nov 8 2016

Mergedinto: 663402
Status: Duplicate (was: Started)
Project Member

Comment 17 by sheriffbot@chromium.org, Feb 16 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment