Issue 724299 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue v8:6436
Owner:	█ bradnelson@chromium.org Last visit > 30 days ago
Closed:	May 2017
Cc:	ahaas@chromium.org neis@chromium.org █ mtrofin@chromium.org clemensh@chromium.org adamk@chromium.org titzer@chromium.org dschuff@chromium.org
Components:	Blink>JavaScript>WebAssembly
EstimatedDays:	----
NextAction:	----
OS:	Linux , Windows , Chrome , Mac
Pri:	1
Type:	Bug-Security
Security_Impact-Stable Security_Severity-High allpublic M-58

Security: Use after free in WebAssembly async compilation (race condition).

Project Member Reported by och...@chromium.org, May 18 2017

Issue description

A queued asynchronous WebAssembly compilation job created by a web worker can later have its V8 Isolate freed when the worker is terminated. If the queued job is run after the worker thread's shutdown, there is a UaF on the Isolate.

The attached testcase consistently gives the following ASan report:

(This needs to be run under a HTTP server for the fetch() to work).

$ python -m SimpleHTTPServer

$ ./chrome http://localhost:8000/test.html

==1==AddressSanitizer: while reporting a bug found another one. Ignoring.
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00001da68 at pc 0x55ea50bee01c bp 0x7f786c8fe870 sp 0x7f786c8fe868
READ of size 4 at 0x62b00001da68 thread T13 (WorkerPool/14)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
    #0 0x55ea50bee01b in v8::internal::Isolate::thread_id() const /mnt/ssd/chromium/src/out/Default/../../v8/src/isolate.h:595:3
    #1 0x55ea50bee01b in v8::internal::CompilationJob::CompilationJob(v8::internal::Isolate*, v8::internal::CompilationInfo*, char const*, v8::internal::CompilationJob::State) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler.cc:89:0
    #2 0x55ea50f4fe72 in v8::internal::compiler::PipelineWasmCompilationJob::PipelineWasmCompilationJob(v8::internal::CompilationInfo*, v8::internal::compiler::JSGraph*, v8::internal::compiler::CallDescriptor*, v8::internal::compiler::SourcePositionTable*, v8::internal::ZoneVector<v8::internal::trap_handler::ProtectedInstructionData>*, bool) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/pipeline.cc:665:9
    #3 0x55ea50f4fe72 in v8::internal::compiler::Pipeline::NewWasmCompilationJob(v8::internal::CompilationInfo*, v8::internal::compiler::JSGraph*, v8::internal::compiler::CallDescriptor*, v8::internal::compiler::SourcePositionTable*, v8::internal::ZoneVector<v8::internal::trap_handler::ProtectedInstructionData>*, bool) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/pipeline.cc:1811:0
    #4 0x55ea510c56d0 in v8::internal::compiler::WasmCompilationUnit::ExecuteCompilationInternal() /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/wasm-compiler.cc:4059:14
    #5 0x55ea52028d86 in (anonymous namespace)::CompilationHelper::FetchAndExecuteCompilationUnit() /mnt/ssd/chromium/src/out/Default/../../v8/src/wasm/wasm-module.cc:356:11
    #6 0x55ea52041a1c in AsyncCompileJob::ExecuteCompilationUnits::Run() /mnt/ssd/chromium/src/out/Default/../../v8/src/wasm/wasm-module.cc:2880:31
    #7 0x55ea536f42c7 in base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run() && /mnt/ssd/chromium/src/out/Default/../../base/callback.h:91:12
    #8 0x55ea536f42c7 in base::(anonymous namespace)::WorkerThread::ThreadMain() /mnt/ssd/chromium/src/out/Default/../../base/threading/worker_pool_posix.cc:102:0
    #9 0x55ea5361b274 in base::(anonymous namespace)::ThreadFunc(void*) /mnt/ssd/chromium/src/out/Default/../../base/threading/platform_thread_posix.cc:71:13
    #10 0x7f78ca1bb183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312:0

0x62b00001da68 is located 6248 bytes inside of 24184-byte region [0x62b00001c200,0x62b000022078)
freed by thread T12 (DedicatedWorker) here:
    #0 0x55ea4db62cd2 in operator delete(void*) ??:0:0
    #1 0x55ea5178c8c3 in v8::internal::Isolate::TearDown() /mnt/ssd/chromium/src/out/Default/../../v8/src/isolate.cc:2420:3
    #2 0x55ea5a69ab06 in gin::IsolateHolder::~IsolateHolder() /mnt/ssd/chromium/src/out/Default/../../gin/isolate_holder.cc:87:13
    #3 0x55ea5a32f87b in blink::V8PerIsolateData::~V8PerIsolateData() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:74:40
    #4 0x55ea5a330483 in blink::V8PerIsolateData::Destroy(v8::Isolate*) /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:129:3
    #5 0x55ea5b45503b in blink::WorkerBackingThread::Shutdown() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/core/workers/WorkerBackingThread.cpp:97:3
    #6 0x55ea5b44a5e4 in blink::WorkerThread::PerformShutdownOnWorkerThread() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/core/workers/WorkerThread.cpp:553:30

repro.zip
767 bytes Download

asan_output.txt
31.3 KB View Download

A queued asynchronous WebAssembly compilation job created by a web worker can later have its V8 Isolate freed when the worker is terminated. If the queued job is run after the worker thread's shutdown, there is a UaF on the Isolate.

The attached testcase consistently gives the following ASan report:

(This needs to be run under a HTTP server for the fetch() to work).

$ python -m SimpleHTTPServer

$ ./chrome http://localhost:8000/test.html

==1==AddressSanitizer: while reporting a bug found another one. Ignoring.
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00001da68 at pc 0x55ea50bee01c bp 0x7f786c8fe870 sp 0x7f786c8fe868
READ of size 4 at 0x62b00001da68 thread T13 (WorkerPool/14)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
    #0 0x55ea50bee01b in v8::internal::Isolate::thread_id() const /mnt/ssd/chromium/src/out/Default/../../v8/src/isolate.h:595:3
    #1 0x55ea50bee01b in v8::internal::CompilationJob::CompilationJob(v8::internal::Isolate*, v8::internal::CompilationInfo*, char const*, v8::internal::CompilationJob::State) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler.cc:89:0
    #2 0x55ea50f4fe72 in v8::internal::compiler::PipelineWasmCompilationJob::PipelineWasmCompilationJob(v8::internal::CompilationInfo*, v8::internal::compiler::JSGraph*, v8::internal::compiler::CallDescriptor*, v8::internal::compiler::SourcePositionTable*, v8::internal::ZoneVector<v8::internal::trap_handler::ProtectedInstructionData>*, bool) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/pipeline.cc:665:9
    #3 0x55ea50f4fe72 in v8::internal::compiler::Pipeline::NewWasmCompilationJob(v8::internal::CompilationInfo*, v8::internal::compiler::JSGraph*, v8::internal::compiler::CallDescriptor*, v8::internal::compiler::SourcePositionTable*, v8::internal::ZoneVector<v8::internal::trap_handler::ProtectedInstructionData>*, bool) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/pipeline.cc:1811:0
    #4 0x55ea510c56d0 in v8::internal::compiler::WasmCompilationUnit::ExecuteCompilationInternal() /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/wasm-compiler.cc:4059:14
    #5 0x55ea52028d86 in (anonymous namespace)::CompilationHelper::FetchAndExecuteCompilationUnit() /mnt/ssd/chromium/src/out/Default/../../v8/src/wasm/wasm-module.cc:356:11
    #6 0x55ea52041a1c in AsyncCompileJob::ExecuteCompilationUnits::Run() /mnt/ssd/chromium/src/out/Default/../../v8/src/wasm/wasm-module.cc:2880:31
    #7 0x55ea536f42c7 in base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run() && /mnt/ssd/chromium/src/out/Default/../../base/callback.h:91:12
    #8 0x55ea536f42c7 in base::(anonymous namespace)::WorkerThread::ThreadMain() /mnt/ssd/chromium/src/out/Default/../../base/threading/worker_pool_posix.cc:102:0
    #9 0x55ea5361b274 in base::(anonymous namespace)::ThreadFunc(void*) /mnt/ssd/chromium/src/out/Default/../../base/threading/platform_thread_posix.cc:71:13
    #10 0x7f78ca1bb183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312:0

0x62b00001da68 is located 6248 bytes inside of 24184-byte region [0x62b00001c200,0x62b000022078)
freed by thread T12 (DedicatedWorker) here:
    #0 0x55ea4db62cd2 in operator delete(void*) ??:0:0
    #1 0x55ea5178c8c3 in v8::internal::Isolate::TearDown() /mnt/ssd/chromium/src/out/Default/../../v8/src/isolate.cc:2420:3
    #2 0x55ea5a69ab06 in gin::IsolateHolder::~IsolateHolder() /mnt/ssd/chromium/src/out/Default/../../gin/isolate_holder.cc:87:13
    #3 0x55ea5a32f87b in blink::V8PerIsolateData::~V8PerIsolateData() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:74:40
    #4 0x55ea5a330483 in blink::V8PerIsolateData::Destroy(v8::Isolate*) /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:129:3
    #5 0x55ea5b45503b in blink::WorkerBackingThread::Shutdown() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/core/workers/WorkerBackingThread.cpp:97:3
    #6 0x55ea5b44a5e4 in blink::WorkerThread::PerformShutdownOnWorkerThread() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/core/workers/WorkerThread.cpp:553:30

repro.zip
3.6 MB Download

asan_output.txt
31.3 KB View Download

A queued asynchronous WebAssembly compilation job created by a web worker can later have its V8 Isolate freed when the worker is terminated. If the queued job is run after the worker thread's shutdown, there is a UaF on the Isolate.

The attached testcase consistently gives the following ASan report:

(This needs to be run under a HTTP server for the fetch() to work).

$ python -m SimpleHTTPServer

$ ./chrome http://localhost:8000/test.html

==1==AddressSanitizer: while reporting a bug found another one. Ignoring.
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00001da68 at pc 0x55ea50bee01c bp 0x7f786c8fe870 sp 0x7f786c8fe868
READ of size 4 at 0x62b00001da68 thread T13 (WorkerPool/14)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
    #0 0x55ea50bee01b in v8::internal::Isolate::thread_id() const /mnt/ssd/chromium/src/out/Default/../../v8/src/isolate.h:595:3
    #1 0x55ea50bee01b in v8::internal::CompilationJob::CompilationJob(v8::internal::Isolate*, v8::internal::CompilationInfo*, char const*, v8::internal::CompilationJob::State) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler.cc:89:0
    #2 0x55ea50f4fe72 in v8::internal::compiler::PipelineWasmCompilationJob::PipelineWasmCompilationJob(v8::internal::CompilationInfo*, v8::internal::compiler::JSGraph*, v8::internal::compiler::CallDescriptor*, v8::internal::compiler::SourcePositionTable*, v8::internal::ZoneVector<v8::internal::trap_handler::ProtectedInstructionData>*, bool) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/pipeline.cc:665:9
    #3 0x55ea50f4fe72 in v8::internal::compiler::Pipeline::NewWasmCompilationJob(v8::internal::CompilationInfo*, v8::internal::compiler::JSGraph*, v8::internal::compiler::CallDescriptor*, v8::internal::compiler::SourcePositionTable*, v8::internal::ZoneVector<v8::internal::trap_handler::ProtectedInstructionData>*, bool) /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/pipeline.cc:1811:0
    #4 0x55ea510c56d0 in v8::internal::compiler::WasmCompilationUnit::ExecuteCompilationInternal() /mnt/ssd/chromium/src/out/Default/../../v8/src/compiler/wasm-compiler.cc:4059:14
    #5 0x55ea52028d86 in (anonymous namespace)::CompilationHelper::FetchAndExecuteCompilationUnit() /mnt/ssd/chromium/src/out/Default/../../v8/src/wasm/wasm-module.cc:356:11
    #6 0x55ea52041a1c in AsyncCompileJob::ExecuteCompilationUnits::Run() /mnt/ssd/chromium/src/out/Default/../../v8/src/wasm/wasm-module.cc:2880:31
    #7 0x55ea536f42c7 in base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run() && /mnt/ssd/chromium/src/out/Default/../../base/callback.h:91:12
    #8 0x55ea536f42c7 in base::(anonymous namespace)::WorkerThread::ThreadMain() /mnt/ssd/chromium/src/out/Default/../../base/threading/worker_pool_posix.cc:102:0
    #9 0x55ea5361b274 in base::(anonymous namespace)::ThreadFunc(void*) /mnt/ssd/chromium/src/out/Default/../../base/threading/platform_thread_posix.cc:71:13
    #10 0x7f78ca1bb183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312:0

0x62b00001da68 is located 6248 bytes inside of 24184-byte region [0x62b00001c200,0x62b000022078)
freed by thread T12 (DedicatedWorker) here:
    #0 0x55ea4db62cd2 in operator delete(void*) ??:0:0
    #1 0x55ea5178c8c3 in v8::internal::Isolate::TearDown() /mnt/ssd/chromium/src/out/Default/../../v8/src/isolate.cc:2420:3
    #2 0x55ea5a69ab06 in gin::IsolateHolder::~IsolateHolder() /mnt/ssd/chromium/src/out/Default/../../gin/isolate_holder.cc:87:13
    #3 0x55ea5a32f87b in blink::V8PerIsolateData::~V8PerIsolateData() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:74:40
    #4 0x55ea5a330483 in blink::V8PerIsolateData::Destroy(v8::Isolate*) /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:129:3
    #5 0x55ea5b45503b in blink::WorkerBackingThread::Shutdown() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/core/workers/WorkerBackingThread.cpp:97:3
    #6 0x55ea5b44a5e4 in blink::WorkerThread::PerformShutdownOnWorkerThread() /mnt/ssd/chromium/src/out/Default/../../third_party/WebKit/Source/core/workers/WorkerThread.cpp:553:30

repro.zip
90.1 KB Download

asan_output.txt
31.3 KB View Download

A queued asynchronous WebAssembly compilation job created by a web worker can later have its V8 Isolate freed when the worker is terminated. If the queued job is run after the worker thread's shutdown, there is a UaF on the Isolate.

The attached testcase consistently gives the following ASan report:

(This needs to be run under a HTTP server for the fetch() to work).

$ python -m SimpleHTTPServer

$ ./chrome http://localhost:8000/index.html

==12995==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00004d200 at pc 0x563d19348077 bp 0x7fae16a7e8f0 sp 0x7fae16a7e8e8
READ of size 8 at 0x62b00004d200 thread T11 (WorkerPool/1303)
    #0 0x563d19348076 in GetEmbedderData v8/include/v8.h:8847:12
    #1 0x563d19348076 in GetData v8/include/v8.h:9945
    #2 0x563d19348076 in gin::PerIsolateData::From(v8::Isolate*) gin/per_isolate_data.cc:42
    #3 0x563d19350004 in gin::V8Platform::CallOnForegroundThread(v8::Isolate*, v8::Task*) gin/v8_platform.cc:83:26
    #4 0x563d0fbf73af in DoSync<AsyncCompileJob::PrepareAndStartCompile, std::__1::unique_ptr<v8::internal::wasm::WasmModule, std::__1::default_delete<v8::internal::wasm::WasmModule> > > v8/src/wasm/wasm-module.cc:2716:31
    #5 0x563d0fbf73af in AsyncCompileJob::DecodeModule::Run() v8/src/wasm/wasm-module.cc:2750
    #6 0x563d11645b60 in Run base/callback.h:91:12
    #7 0x563d11645b60 in base::(anonymous namespace)::WorkerThread::ThreadMain() base/threading/worker_pool_posix.cc:102
    #8 0x563d1154670a in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:71:13
    #9 0x7fae51f96183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312

0x62b00004d200 is located 0 bytes inside of 24184-byte region [0x62b00004d200,0x62b000053078)
freed by thread T21 (DedicatedWorker) here:
    #0 0x563d0aec1ca2 in operator delete(void*) (/usr/local/google/home/ochang/Downloads/asan-linux-release-472963/chrome+0x3165ca2)
    #1 0x563d0f210eb7 in v8::internal::Isolate::TearDown() v8/src/isolate.cc:2420:3
    #2 0x563d1933ab69 in gin::IsolateHolder::~IsolateHolder() gin/isolate_holder.cc:87:13
    #3 0x563d18f46101 in blink::V8PerIsolateData::~V8PerIsolateData() third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:74:40
    #4 0x563d18f46f3c in blink::V8PerIsolateData::Destroy(v8::Isolate*) third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:129:3
    #5 0x563d1a34590c in blink::WorkerBackingThread::Shutdown() third_party/WebKit/Source/core/workers/WorkerBackingThread.cpp:97:3

repro.zip
4.7 MB Download

asan.log
28.5 KB View Download

Comment 1 by wfh@chromium.org, May 18 2017

Cc: bmeu...@chromium.org
Components: Blink>JavaScript>WebAssembly
Labels: Security_Severity-High Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1
Owner: neis@chromium.org
Status: Assigned (was: Unconfirmed)

neis can you take a look at this issue please?

Project Member

Comment 2 by ClusterFuzz, May 18 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5961571477225472

Comment 3 by neis@chromium.org, May 19 2017

Cc: neis@chromium.org ahaas@chromium.org
Owner: bradnelson@chromium.org

Assigning to someone working on wasm.

Comment 4 by bmeu...@chromium.org, May 19 2017

Cc: -bmeu...@chromium.org clemensh@chromium.org

Comment 5 by och...@chromium.org, May 19 2017

Description: Show this description

Comment 6 by clemensh@chromium.org, May 19 2017

Cc: mtrofin@chromium.org

Comment 7 by och...@chromium.org, May 19 2017

Description: Show this description

Comment 8 by och...@chromium.org, May 19 2017

(sorry, uploaded the wrong .wasm file in the repro.zip -- fixed this. larger .wasm files will likely make this more reliable to reproduce).

Project Member

Comment 9 by sheriffbot@chromium.org, May 19 2017

Labels: M-58

Comment 10 by och...@chromium.org, May 19 2017

Description: Show this description

Comment 11 by mtrofin@chromium.org, May 23 2017

Mergedinto: v8:6436
Status: Duplicate (was: Assigned)

Project Member

Comment 12 by sheriffbot@chromium.org, Aug 30 2017

Labels: -Restrict-View-SecurityTeam allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 724299 link

Issue metadata

Security: Use after free in WebAssembly async compilation (race condition).

Issue description

Comment 1 by wfh@chromium.org, May 18 2017

Comment 1 Deleted

Comment 2 by ClusterFuzz, May 18 2017

Comment 2 Deleted

Comment 3 by neis@chromium.org, May 19 2017

Comment 3 Deleted

Comment 4 by bmeu...@chromium.org, May 19 2017

Comment 4 Deleted

Comment 5 by och...@chromium.org, May 19 2017

Comment 5 Deleted

Comment 6 by clemensh@chromium.org, May 19 2017

Comment 6 Deleted

Comment 7 by och...@chromium.org, May 19 2017

Comment 7 Deleted

Comment 8 by och...@chromium.org, May 19 2017

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, May 19 2017

Comment 9 Deleted

Comment 10 by och...@chromium.org, May 19 2017

Comment 10 Deleted

Comment 11 by mtrofin@chromium.org, May 23 2017

Comment 11 Deleted

Comment 12 by sheriffbot@chromium.org, Aug 30 2017

Comment 12 Deleted

Sign in to add a comment