New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 673297 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

[wasm] Illegal reuse of contexts

Project Member Reported by clemensh@chromium.org, Dec 12 2016

Issue description

We bake in the context in several location in wasm code:
1) boxing/unboxing in WASM_TO_JS and JS_TO_WASM
2) Throwing in stack checks
3) Throwing for traps

(1) is no issue since code for these stubs is recompiled on every instantiation.

For (2) and (3) the context is baked into the code of actual wasm functions, and is reused when instantiated in different contexts (via compilation cache for asm.js function, maybe also after deserialization). This gives access to foreign contexts.

We currently see two options to fix this:
1) Patch references to the context in all code objects during instantiation.
2) Don't directly include in the context in wasm code, instead call to stubs for throwing errors / triggering stack check errors.

Solution (2) has two advantages:
1) If we just recompile those stubs at instantiation, we never have to patch contexts anywhere.
2) We probably also reduce code size, since runtime calls are quite long (around 20 bytes on x64, where a raw call is just 5 bytes).
 
Repro (execute with --validate-asm --stress-opt):

function generateAsmJs() {
  'use asm';
  function fun() { fun(); }
  return fun;
}

assertThrows(generateAsmJs(), RangeError);

Symptom: Throws RangeError from wrong context, therefore the check in assertThrows fails.

Comment 2 by wfh@chromium.org, Dec 20 2016

Labels: Needs-Feedback
clemensh can you help us triage this bug? - is wasm enabled by default on any chrome channel and if so, which ones? Can this issue be triggered from the web or does it require local access? Do you know who could look at this? Do you know what an attacker would be able to do with "foreign contexts" - is this just an infoleak or would it allow arbitrary code execution?

Comment 3 by titzer@chromium.org, Dec 21 2016

This happens due to caching of asm.js code. What happens is that V8 keeps a shared function info cache which is isolate-wide. When we compile asm.js code, we store a stub and asm-wasm data on the module function of the asm.js code. That asm-wasm data has a compiled WebAssembly module. That WebAssembly module has code objects that embed the context corresponding to the context when the asm.js module was first verified and compiled. That means that subsequent invocations of the module from other contexts could, e.g. call a WASM function that throws an exception, giving the other context access to an WebAssembly.RuntimeError object from the original context; that's bad.

We should fix this by including the context in the WasmCompiledModule (soon to be called WasmSpecializedCode) and patching the context for each new instantiation of the WASM module.


Labels: -Needs-Feedback Security_Severity-Medium Security_Impact-Stable OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Components: Blink>JavaScript>WebAssembly
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 28 2016

Labels: M-56

Comment 7 by kenrb@chromium.org, Dec 29 2016

Owner: titzer@chromium.org
Status: Assigned (was: Available)
titzer@: Are you okay to own this, or else assign it to a better owner?
Project Member

Comment 8 by sheriffbot@chromium.org, Jan 4 2017

titzer: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: clemensh@chromium.org
Status: Started (was: Assigned)
http://crrev.com/2623203003
Status: Fixed (was: Started)
Project Member

Comment 12 by sheriffbot@chromium.org, Jan 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Release-0-M56
Project Member

Comment 14 by sheriffbot@chromium.org, Apr 21 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment