
Issue 683824

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security


Participants' hotlists:
Hotlist-AsmJsParser



The browser and d8 crashed, caused by a SEGV

Reported by cdsrc2...@gmail.com, Jan 23 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Launch Chromium with these flags:
   ./chrome --js-flags="--validate-asm" --no-sandbox ./crash.html

or,

Launch d8 with these flags:
   ./d8 --validate-asm ./crash.js

What is the expected behavior?

What went wrong?
The browser and d8 crashed, caused by a SEGV. And the u8v array index can affect the edx register value.

ASan d8 crash log:
==28027==ERROR: AddressSanitizer: SEGV on unknown address 0x00aa00000013 (pc 0x7f6e22a9669f bp 0x7fff61e85240 sp 0x7fff61e850a0 T0)
==28027==The signal is caused by a READ memory access.
    #0 0x7f6e22a9669e  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0xc7969e)
    #1 0x7f6e22a7779a  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0xc5a79a)
    #2 0x7f6e22426a7c  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x609a7c)
    #3 0x7f6e22428311  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x60b311)
    #4 0x7f6e224276d9  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x60a6d9)
    #5 0x7f6e2242719c  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x60a19c)
    #6 0x7f6e2243fa49  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x622a49)
    #7 0x7f6e2243f5c2  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x6225c2)
    #8 0x7f6e22421379  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x604379)
    #9 0x7f6e225706d8  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x7536d8)
    #10 0x7f6e225725ed  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x7555ed)
    #11 0x7f6e22928f74  (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0xb0bf74)

chrome windows log:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll - 
eax=0018dec8 ebx=00000000 ecx=0018ddd8 edx=00000154 esi=0018ddd8 edi=00000154
eip=58ca6b91 esp=0018dd80 ebp=0018dd8c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!ovly_debug_event+0x3256b1:
58ca6b91 8b7a07          mov     edi,dword ptr [edx+7] ds:002b:0000015b=????????

k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0018dd8c 58ca6aff chrome_child!ovly_debug_event+0x3256b1
0018dda0 58ca6ad7 chrome_child!ovly_debug_event+0x32561f
0018ddb8 58ca716d chrome_child!ovly_debug_event+0x3255f7
0018de80 58ca655e chrome_child!ovly_debug_event+0x325c8d
0018dea0 594e7402 chrome_child!ovly_debug_event+0x32507e
0018def4 594eb960 chrome_child!GetHandleVerifier+0x39351e
0018df24 594ec54a chrome_child!GetHandleVerifier+0x397a7c
0018dfa4 594e4dbc chrome_child!GetHandleVerifier+0x398666
0018e130 592630d9 chrome_child!GetHandleVerifier+0x390ed8
0018e148 58a34470 chrome_child!GetHandleVerifier+0x10f1f5
0018e2b8 58a340b3 chrome_child!ovly_debug_event+0xb2f90
0018e2ec 588eaf9c chrome_child!ovly_debug_event+0xb2bd3

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 23.0 r0
 
crash.zip (3.7 KB)

Comment 1 by cdsrc2...@gmail.com, Jan 23 2017

V8 version: 5.7.339
Chrome version: 55.0.2883.87

Comment 2 by ClusterFuzz, Jan 24 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4996857903448064

Comment 3 by ClusterFuzz, Jan 24 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4987370186473472
Owner: bradnelson@chromium.org
Status: Assigned (was: Unconfirmed)
Crashes for me on Chrome 57.0.2977.0 / OSX 10.12.2, but not the latest Canary.

bradnelson@: Another short repro for a WebAssembly crash. Could you triage?
Components: Blink>JavaScript>WebAssembly
Labels: Security_Severity-Low Security_Impact-Stable
Affects stable (Chrome 55.0.2883.95) and Beta (Chrome 56.0.2924.67) but not Canary (58.0.2990.0).

bradnelson@: Could you help make sure that the fix for this (presumably in other recent related issues) gets merged to 57?
"--validate-asm" is not active on 55, 56 or 57. Good that it is fixed on 58 already. I think this bug can already be closed?

Comment 7 by aarya@google.com, May 25 2017

Cc: mstarzinger@chromium.org
Status: Verified (was: Assigned)
This no longer reproduces with d8. Closing as per that and #6.

Comment 9 by sheriffbot@chromium.org, Feb 15 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this bug. Thanks for the report!

Comment 12 by sheriffbot@chromium.org, May 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
