Status: Duplicate
Merged: issue v8:6436
Closed: May 23
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security
Security: Use after free in WebAssembly async compilation (race condition).
Project Member Reported by och...@chromium.org, May 18
A queued asynchronous WebAssembly compilation job created by a web worker can later have its V8 Isolate freed when the worker is terminated. If the queued job is run after the worker thread's shutdown, there is a UaF on the Isolate.

The attached testcase consistently gives the following ASan report:

(This needs to be run under an HTTP server for the fetch() to work).

$ python -m SimpleHTTPServer

$ ./chrome http://localhost:8000/index.html

==12995==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00004d200 at pc 0x563d19348077 bp 0x7fae16a7e8f0 sp 0x7fae16a7e8e8
READ of size 8 at 0x62b00004d200 thread T11 (WorkerPool/1303)
    #0 0x563d19348076 in GetEmbedderData v8/include/v8.h:8847:12
    #1 0x563d19348076 in GetData v8/include/v8.h:9945
    #2 0x563d19348076 in gin::PerIsolateData::From(v8::Isolate*) gin/per_isolate_data.cc:42
    #3 0x563d19350004 in gin::V8Platform::CallOnForegroundThread(v8::Isolate*, v8::Task*) gin/v8_platform.cc:83:26
    #4 0x563d0fbf73af in DoSync<AsyncCompileJob::PrepareAndStartCompile, std::__1::unique_ptr<v8::internal::wasm::WasmModule, std::__1::default_delete<v8::internal::wasm::WasmModule> > > v8/src/wasm/wasm-module.cc:2716:31
    #5 0x563d0fbf73af in AsyncCompileJob::DecodeModule::Run() v8/src/wasm/wasm-module.cc:2750
    #6 0x563d11645b60 in Run base/callback.h:91:12
    #7 0x563d11645b60 in base::(anonymous namespace)::WorkerThread::ThreadMain() base/threading/worker_pool_posix.cc:102
    #8 0x563d1154670a in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:71:13
    #9 0x7fae51f96183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312

0x62b00004d200 is located 0 bytes inside of 24184-byte region [0x62b00004d200,0x62b000053078)
freed by thread T21 (DedicatedWorker) here:
    #0 0x563d0aec1ca2 in operator delete(void*) (/usr/local/google/home/ochang/Downloads/asan-linux-release-472963/chrome+0x3165ca2)
    #1 0x563d0f210eb7 in v8::internal::Isolate::TearDown() v8/src/isolate.cc:2420:3
    #2 0x563d1933ab69 in gin::IsolateHolder::~IsolateHolder() gin/isolate_holder.cc:87:13
    #3 0x563d18f46101 in blink::V8PerIsolateData::~V8PerIsolateData() third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:74:40
    #4 0x563d18f46f3c in blink::V8PerIsolateData::Destroy(v8::Isolate*) third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:129:3
    #5 0x563d1a34590c in blink::WorkerBackingThread::Shutdown() third_party/WebKit/Source/core/workers/WorkerBackingThread.cpp:97:3
Attachments: repro.zip (4.7 MB), asan.log (28.5 KB)
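As an added illustration of the lifetime problem the report describes (this is not code from the report or from V8; FakeIsolate, IsolateGuard and RunScenario are constructed stand-ins), the following shows the ordering from the report, a compile step queued on the worker pool before the worker's Isolate is torn down, and a guarded-handle pattern under which the late job observes "isolate gone" instead of dereferencing freed memory:

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <vector>

// Constructed stand-in for a V8 Isolate (hypothetical, not V8's type).
struct FakeIsolate { int embedder_data = 7; };

// Guard shared by the isolate's owner (the worker thread) and every job queued
// on the worker pool. TearDown nulls the pointer under the mutex, so a job that
// runs later sees "gone" instead of a dangling Isolate*.
struct IsolateGuard {
  std::mutex mu;
  FakeIsolate* isolate = nullptr;
};
enum class JobOutcome { Ran, SkippedIsolateGone };
using Job = std::function<JobOutcome()>;

// Models a step of AsyncCompileJob that needs the isolate (as DoSync does when
// it calls CallOnForegroundThread). It never captures a raw Isolate*.
Job MakeCompileStep(std::shared_ptr<IsolateGuard> guard, int* out) {
  return [guard, out]() {
    std::lock_guard<std::mutex> lock(guard->mu);
    if (guard->isolate == nullptr) return JobOutcome::SkippedIsolateGone;
    *out = guard->isolate->embedder_data;  // alive for as long as mu is held
    return JobOutcome::Ran;
  };
}

// Models Isolate::TearDown during WorkerBackingThread::Shutdown: detach the
// guard before freeing so no job can observe a dangling pointer.
void TearDown(IsolateGuard& guard, std::unique_ptr<FakeIsolate>& isolate) {
  std::lock_guard<std::mutex> lock(guard.mu);
  guard.isolate = nullptr;
  isolate.reset();
}

// Runs the report's scenario (job queued, worker shut down, then the worker
// pool drains its queue) or the normal order. Returns how many jobs ran.
int RunScenario(bool teardown_before_drain, int* data_read) {
  auto isolate = std::make_unique<FakeIsolate>();
  auto guard = std::make_shared<IsolateGuard>();
  guard->isolate = isolate.get();
  std::vector<Job> worker_pool_queue;
  worker_pool_queue.push_back(MakeCompileStep(guard, data_read));
  if (teardown_before_drain) TearDown(*guard, isolate);
  int ran = 0;
  for (auto& job : worker_pool_queue) ran += (job() == JobOutcome::Ran);
  if (!teardown_before_drain) TearDown(*guard, isolate);
  return ran;
}
```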
Cc: bmeu...@chromium.org
Components: Blink>JavaScript>WebAssembly
Labels: Security_Severity-High Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1
Owner: neis@chromium.org
Status: Assigned
neis can you take a look at this issue please?
Project Member Comment 2 by clusterf...@chromium.org, May 18
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5961571477225472
Cc: neis@chromium.org ahaas@chromium.org
Owner: bradnelson@chromium.org
Assigning to someone working on wasm.
Cc: -bmeu...@chromium.org clemensh@chromium.org
Cc: mtrofin@chromium.org
(sorry, uploaded the wrong .wasm file in the repro.zip -- fixed this. larger .wasm files will likely make this more reliable to reproduce).
Project Member Comment 9 by sheriffbot@chromium.org, May 19
Labels: M-58
Mergedinto: v8:6436
Status: Duplicate
Project Member Comment 12 by sheriffbot@chromium.org, Aug 30
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot