New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 716936 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-after-poison in v8::internal::wasm::ThreadImpl::Push

Project Member Reported by ClusterFuzz, Apr 30 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6733421956300800

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Use-after-poison WRITE 4
Crash Address: 0x62500001e450
Crash State:
  v8::internal::wasm::ThreadImpl::Push
  v8::internal::wasm::ThreadImpl::Execute
  v8::internal::wasm::ThreadImpl::Run
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6733421956300800


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, May 1 2017

Labels: M-58
Project Member

Comment 2 by sheriffbot@chromium.org, May 1 2017

Labels: Pri-1
Components: Blink>JavaScript
Cc: mtrofin@chromium.org
Components: Blink>JavaScript>WebAssembly
Labels: OS-Android OS-Chrome OS-Mac OS-Windows
Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)
bradnelson, can you or someone in your crew please take a look?
Cc: -mtrofin@chromium.org bradnelson@chromium.org
Owner: mtrofin@chromium.org
Cc: mtrofin@chromium.org
Owner: clemensh@chromium.org
Running in v8_simple_wasm_code_fuzzer, I get:

:~/work/v8 (master) $ out/Debug/v8_simple_wasm_code_fuzzer ~/Downloads/clusterfuzz-testcase-minimized-6733421956300800 


#
# Fatal error in ../../src/wasm/wasm-interpreter.cc, line 770
# Check failed: stack_height >= stack_effect.first (1 vs. 2).
#

==== C stack trace ===============================

    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x7f1a6818747e]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8_libplatform.so(+0x175c7) [0x7f1a681405c7]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8_libbase.so(V8_Fatal+0x1bd) [0x7f1a68180f7d]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x12f44d0) [0x7f1a676064d0]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x13057dc) [0x7f1a676177dc]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x1300f8a) [0x7f1a67612f8a]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x12f3990) [0x7f1a67605990]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x12f2403) [0x7f1a67604403]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(v8::internal::wasm::WasmInterpreter::Thread::InitFrame(v8::internal::wasm::WasmFunction const*, v8::internal::wasm::WasmVal*)+0x2d) [0x7f1a6760434d]
    out/Debug/v8_simple_wasm_code_fuzzer(v8::internal::wasm::testing::InterpretWasmModule(v8::internal::Isolate*, v8::internal::wasm::ErrorThrower*, v8::internal::wasm::WasmModule const*, v8::internal::wasm::ModuleWireBytes const&, int, v8::internal::wasm::WasmVal*, bool*)+0x271) [0x557e6bdaade1]
    out/Debug/v8_simple_wasm_code_fuzzer(LLVMFuzzerTestOneInput+0x791) [0x557e6bda5141]
    out/Debug/v8_simple_wasm_code_fuzzer(main+0x1e1) [0x557e6bda4991]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f1a65c67f45]
    out/Debug/v8_simple_wasm_code_fuzzer(+0x66b9) [0x557e6bda46b9]
Received signal 4 ILL_ILLOPN 7f1a68185401
Illegal instruction (core dumped)

Cc: clemensh@chromium.org
 Issue 715990  has been merged into this issue.
Status: Started (was: Assigned)
Project Member

Comment 9 by bugdroid1@chromium.org, May 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/66f69540641f47c7078e77daf649788d6c50670f

commit 66f69540641f47c7078e77daf649788d6c50670f
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue May 02 17:03:02 2017

[wasm] [interpreter] Fix fall-through loop with value

Executing the |end| opcode of a loop assumed that the stack height was
being reset to the height at start of the loop. Hence we were ignoring
the arity of the loop.
During computation of the side table, the arity of the label associated
with the loop was explicitly set to 0, such that a |br| instruction to
that label would not transfer any values.
It turns out though that we need to remember the arity in order to
precompute the correct stack height when executing the |end| opcode of
a loop.
Also, add a regression test.

R=rossberg@chromium.org
BUG= chromium:716936 

Change-Id: Ib3a559998f1ce5f8fcd7b94af1426637b3e48f86
Reviewed-on: https://chromium-review.googlesource.com/493286
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45041}
[modify] https://crrev.com/66f69540641f47c7078e77daf649788d6c50670f/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/66f69540641f47c7078e77daf649788d6c50670f/test/cctest/wasm/test-run-wasm.cc

Project Member

Comment 10 by bugdroid1@chromium.org, May 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4423c9cc099d639e774023e9cb7aa90bccb0d364

commit 4423c9cc099d639e774023e9cb7aa90bccb0d364
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed May 03 11:35:09 2017

[wasm] [interpreter] Ignore stack effects after unreachable

During computation of the side table, ignore stack effects of
instructions following any unconditional jump in the same block
(|unreachable|, |br|, |br_table| or |return| jump out of the block).
Without this fix, the current stack height might underflow, or we compute an
unnecessarily large max_stack_height_. Note that those instruction will
never get executed anyway.
Hence, we don't need to store any side table information for such
unreachable code.

R=rossberg@chromium.org
BUG= chromium:716936 ,  chromium:715990 

Change-Id: I282f7f18ba1b972a112210e692f6cd05cf32308c
Reviewed-on: https://chromium-review.googlesource.com/493266
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45059}
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/src/wasm/wasm-opcodes.cc
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/src/wasm/wasm-opcodes.h
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/test/cctest/wasm/test-run-wasm.cc
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/test/unittests/wasm/control-transfer-unittest.cc

Status: Fixed (was: Started)
Project Member

Comment 12 by sheriffbot@chromium.org, May 3 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
 Issue 717908  has been merged into this issue.
Project Member

Comment 14 by ClusterFuzz, May 4 2017

ClusterFuzz has detected this issue as fixed in range 468951:468981.

Detailed report: https://clusterfuzz.com/testcase?key=6733421956300800

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Use-after-poison WRITE 4
Crash Address: 0x62500001e450
Crash State:
  v8::internal::wasm::ThreadImpl::Push
  v8::internal::wasm::ThreadImpl::Execute
  v8::internal::wasm::ThreadImpl::Run
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=468951:468981

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6733421956300800


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by sheriffbot@chromium.org, May 5 2017

Labels: Merge-Request-59
Project Member

Comment 16 by sheriffbot@chromium.org, May 5 2017

Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -M-58 -Merge-Approved-59 M-60
Labels: Release-0-M60
Project Member

Comment 19 by sheriffbot@chromium.org, Aug 9 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment