Issue 694566

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security



Security: Crash with es6 modules and unresolvable cyclic export with export*

Reported by andrebar...@googlemail.com, Feb 21 2017

Issue description

v8 git rev: 0b709628deb6cc2e1fe1dbbef9219fa10a5b208c
OS: Ubuntu x64 16.04

Steps to reproduce
1. Create the following two module script files m.js and q.js

m.js:
---
export {} from "./q.js"
export* from "./m.js"
---

q.js:
---
export {foo} from "./m.js"
---

2. Run with `d8 --module ./m.js`


Expected: Throws a SyntaxError because the export for "foo" cannot be resolved.
Actual: Crashes because of OOB access (?) in
---
0x000000000100d75c in v8::base::NoBarrier_Load (ptr=0xb9cbdd0a350) at .././src/base/atomicops_internals_portable.h:161
161	  return __atomic_load_n(ptr, __ATOMIC_RELAXED);
---

Stacktrace:
---
#0  0x000000000100d75c in v8::base::NoBarrier_Load (ptr=0xb9cbdd0a350) at .././src/base/atomicops_internals_portable.h:161
#1  0x0000000001064785 in v8::internal::FixedArray::get (this=0xb9c9d3822e9, index=605229067) at .././src/objects-inl.h:2356
#2  0x000000000156053f in v8::internal::HashTable<v8::internal::ObjectHashTable, v8::internal::ObjectHashTableShape, v8::internal::Handle<v8::internal::Object> >::KeyAt (this=0xb9c9d3822e9, 
    entry=302614532) at .././src/objects.h:3398
#3  0x00000000016854a8 in v8::internal::HashTable<v8::internal::ObjectHashTable, v8::internal::ObjectHashTableShape, v8::internal::Handle<v8::internal::Object> >::FindEntry (this=0xb9c9d3822e9, 
    isolate=0x2807330, key=..., hash=319522836) at .././src/objects-inl.h:3166
#4  0x00000000016f186a in v8::internal::ObjectHashTable::Lookup (this=0xb9c9d3822e9, isolate=0x2807330, key=..., hash=319522836) at ../src/objects.cc:18109
#5  0x00000000016f1a08 in v8::internal::ObjectHashTable::Lookup (this=0xb9c9d3822e9, key=...) at ../src/objects.cc:18126
#6  0x00000000016f7e0f in v8::internal::Module::ResolveExport (module=..., name=..., loc=..., must_resolve=false, resolve_set=0x7fffffffcb60) at ../src/objects.cc:19680
#7  0x00000000016f7d2d in v8::internal::Module::ResolveImport (module=..., name=..., module_request=1, loc=..., must_resolve=false, resolve_set=0x7fffffffcb60) at ../src/objects.cc:19671
#8  0x00000000016f8e19 in v8::internal::Module::ResolveExportUsingStarExports (module=..., name=..., loc=..., must_resolve=true, resolve_set=0x7fffffffcb60) at ../src/objects.cc:19764
#9  0x00000000016f8597 in v8::internal::Module::ResolveExport (module=..., name=..., loc=..., must_resolve=true, resolve_set=0x7fffffffcb60) at ../src/objects.cc:19737
#10 0x00000000016f7d2d in v8::internal::Module::ResolveImport (module=..., name=..., module_request=0, loc=..., must_resolve=true, resolve_set=0x7fffffffcb60) at ../src/objects.cc:19671
#11 0x00000000016f8273 in v8::internal::Module::ResolveExport (module=..., name=..., loc=..., must_resolve=true, resolve_set=0x7fffffffcb60) at ../src/objects.cc:19719
#12 0x00000000016f9d28 in v8::internal::Module::Instantiate (module=..., context=..., 
    callback=0xfee960 <v8::(anonymous namespace)::ResolveModuleCallback(v8::Local<v8::Context>, v8::Local<v8::String>, v8::Local<v8::Module>)>) at ../src/objects.cc:19893
#13 0x00000000016f97af in v8::internal::Module::Instantiate (module=..., context=..., 
    callback=0xfee960 <v8::(anonymous namespace)::ResolveModuleCallback(v8::Local<v8::Context>, v8::Local<v8::String>, v8::Local<v8::Module>)>) at ../src/objects.cc:19855
#14 0x000000000106db52 in v8::Module::Instantiate (this=0x28541f0, context=..., 
    callback=0xfee960 <v8::(anonymous namespace)::ResolveModuleCallback(v8::Local<v8::Context>, v8::Local<v8::String>, v8::Local<v8::Module>)>) at ../src/api.cc:2084
#15 0x0000000000fee5fa in v8::Shell::ExecuteModule (isolate=0x2807330, file_name=0x7fffffffde93 "./m.js") at ../src/d8.cc:741
#16 0x0000000000ff7832 in v8::SourceGroup::Execute (this=0x2804c68, isolate=0x2807330) at ../src/d8.cc:2085
#17 0x0000000000ffa30e in v8::Shell::RunMain (isolate=0x2807330, argc=3, argv=0x7fffffffd9e8, last_run=true) at ../src/d8.cc:2526
#18 0x0000000000ffb662 in v8::Shell::Main (argc=3, argv=0x7fffffffd9e8) at ../src/d8.cc:2978
#19 0x0000000001002fa2 in main (argc=3, argv=0x7fffffffd9e8) at ../src/d8.cc:3013
---
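The crash sits in the export-resolution walk visible in the stack trace (ResolveExport -> ResolveImport -> ResolveExportUsingStarExports -> ResolveExport). The following is an added, simplified model of the ES2015 ResolveExport algorithm written for this page; it is not V8's code. The module records are constructed by hand from the two files in the report (plus a second, legal cyclic graph for contrast, also constructed), and the field names (`localExports`, `indirectExports`, `starExports`, `requests`) are assumptions of this model. It shows why the expected outcome is an unresolvable export rather than unbounded recursion: the resolve set records every (module, name) pair on the current resolution path, so the `export* from "./m.js"` self-cycle terminates with "not found" and the link step turns that into a SyntaxError for `foo`.

```javascript
// Added, simplified model of the ES2015 ResolveExport algorithm (the
// ResolveExport / ResolveImport / ResolveExportUsingStarExports frames in the
// stack trace above). Not V8's code; the module records below are constructed
// by hand from the two files in the report.

// Constructed module records for the reporter's graph.
const reportGraph = {
  // m.js:  export {} from "./q.js"   export* from "./m.js"
  "./m.js": {
    localExports: {},                 // exported name -> local binding name
    indirectExports: [],              // `export {} from` names nothing
    starExports: ["./m.js"],          // star re-export of itself
    requests: ["./q.js", "./m.js"],   // module requests in source order
  },
  // q.js:  export {foo} from "./m.js"
  "./q.js": {
    localExports: {},
    indirectExports: [{ exportName: "foo", from: "./m.js", importName: "foo" }],
    starExports: [],
    requests: ["./m.js"],
  },
};

// Constructed graph with a cycle that is legal: a.js defines foo and
// re-exports b.js, b.js only re-exports a.js.
const legalCycleGraph = {
  "./a.js": { localExports: { foo: "foo" }, indirectExports: [],
              starExports: ["./b.js"], requests: ["./b.js"] },
  "./b.js": { localExports: {}, indirectExports: [],
              starExports: ["./a.js"], requests: ["./a.js"] },
};

const AMBIGUOUS = Symbol("ambiguous");

// Returns {specifier, binding}, null (unresolvable) or AMBIGUOUS.
// resolveSet records the (module, name) pairs on the current resolution path
// so that a cyclic star/indirect export chain terminates instead of recursing
// forever or walking into an invalid state.
function resolveExport(graph, specifier, exportName, resolveSet = []) {
  if (resolveSet.some(r => r.specifier === specifier && r.name === exportName)) {
    return null;                      // circular request: no binding here
  }
  resolveSet.push({ specifier, name: exportName });
  const mod = graph[specifier];
  if (mod === undefined) throw new Error(`unknown module ${specifier}`);

  if (Object.prototype.hasOwnProperty.call(mod.localExports, exportName)) {
    return { specifier, binding: mod.localExports[exportName] };
  }
  for (const e of mod.indirectExports) {
    if (e.exportName === exportName) {
      return resolveExport(graph, e.from, e.importName, resolveSet);
    }
  }
  if (exportName === "default") return null;   // never supplied by export*

  let starResolution = null;
  for (const from of mod.starExports) {
    const r = resolveExport(graph, from, exportName, resolveSet);
    if (r === AMBIGUOUS) return AMBIGUOUS;
    if (r === null) continue;
    if (starResolution === null) {
      starResolution = r;
    } else if (starResolution.specifier !== r.specifier ||
               starResolution.binding !== r.binding) {
      return AMBIGUOUS;               // two different bindings for one name
    }
  }
  return starResolution;
}

// Link step: every named indirect export of every module reachable from the
// entry must resolve; otherwise the host reports a SyntaxError. Returns the
// list of error messages (empty when instantiation succeeds).
function instantiate(graph, entry) {
  const errors = [];
  const visited = new Set();
  function visit(specifier) {
    if (visited.has(specifier)) return;
    visited.add(specifier);
    const mod = graph[specifier];
    for (const req of mod.requests) visit(req);
    for (const e of mod.indirectExports) {
      const r = resolveExport(graph, specifier, e.exportName);
      if (r === null) {
        errors.push(`SyntaxError: ${specifier}: export "${e.exportName}" is not defined`);
      } else if (r === AMBIGUOUS) {
        errors.push(`SyntaxError: ${specifier}: export "${e.exportName}" is ambiguous`);
      }
    }
  }
  visit(entry);
  return errors;
}

console.log(instantiate(reportGraph, "./m.js"));     // one SyntaxError for "foo"
console.log(instantiate(legalCycleGraph, "./a.js")); // []
```

Running it prints one SyntaxError for `foo` in `./q.js` for the reporter's graph and no errors for the legal cycle. The fresh `resolveSet` per top-level call is what bounds the recursion; the fix commit linked further down reorders the instantiation steps so that V8's equivalent bookkeeping is in place before the star-export walk consults it.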
 
Components: Blink>JavaScript
Labels: OS-All
Status: Untriaged (was: Unconfirmed)
Setting this to be triaged by V8.

Comment 2 by jochen@chromium.org, Feb 22 2017

Cc: adamk@chromium.org
Labels: Pri-1
Owner: neis@chromium.org
Status: Assigned (was: Untriaged)
Labels: -Pri-1 Pri-2
Modules are not enabled by default -> lowering priority.

Comment 4 by neis@chromium.org, Feb 22 2017

Thanks for the report!

Comment 5 by neis@chromium.org, Feb 22 2017

Status: Started (was: Assigned)
Labels: Security_Severity-Low
Marking as Low because the modules are not enabled by default, as mentioned. Does this affect anything other than HEAD? Thanks.

Comment 7 by neis@chromium.org, Feb 24 2017

Yes, but the only way to experience this crash is by manually running d8.
Labels: Security_Impact-None

Comment 9 by bugdroid1@chromium.org, Feb 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/59c9e6ff6915f844cc26821c590001226a399846

commit 59c9e6ff6915f844cc26821c590001226a399846
Author: Georg Neis <neis@chromium.org>
Date: Tue Feb 28 19:00:58 2017

[modules] Fix bug in Module::Instantiate.

The order in which things were done wasn't quite correct and led
to wrong behaviour for certain circular module graphs.

BUG=v8:1569, chromium:694566

Change-Id: I291186e261268c853a30ad891ff362904e0b28ef
Reviewed-on: https://chromium-review.googlesource.com/447399
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43497}
[modify] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/src/factory.cc
[modify] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/src/objects-debug.cc
[modify] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/src/objects-inl.h
[modify] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/src/objects.cc
[modify] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/src/objects.h
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/message/modules-cycle5.js
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/message/modules-cycle5.out
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/message/modules-cycle6.js
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/message/modules-cycle6.out
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/message/modules-skip-cycle5.js
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/message/modules-skip-cycle6.js
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/mjsunit/modules-cycle.js
[add] https://crrev.com/59c9e6ff6915f844cc26821c590001226a399846/test/mjsunit/modules-skip-cycle.js

Comment 10 by neis@chromium.org, Feb 28 2017

Status: Fixed (was: Started)

Comment 11 by sheriffbot@chromium.org, Mar 1 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by sheriffbot@chromium.org, Jun 7 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
