
Issue 724877


Issue metadata

Status: WontFix
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Security: Global-buffer-overflow in v8::internal::ScavengingVisitor

Reported by chromium...@gmail.com, May 21 2017

Issue description


VERSION
Chrome Version: 60.0.3106.0 Canary
Operating System: All

REPRODUCTION CASE

- Run chrome with --js-flags="--allow-natives-syntax"

1. Open the test case.
2. Wait >> render crash.

Crash/28cdc84368000000.

==4708==ERROR: AddressSanitizer: global-buffer-overflow on address 0x21b42b94 at pc 0x1162cc05 bp 0x0022d15c sp 0x0022d150
READ of size 4 at 0x21b42b94 thread T0

0x21b42b94 is located 44 bytes to the left of global variable 'trace_event_unique_atomic951' defined in '../../v8/src/heap/mark-compact.cc:951:3' (0x21b42bc0) of size 4
0x21b42b94 is located 16 bytes to the right of global variable 'trace_event_unique_atomic925' defined in '../../v8/src/heap/mark-compact.cc:925:5' (0x21b42b80) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow (C:\Users\admin\Desktop\asan-win32-release-469824\chrome_child.dll+0x11b1cc04)
==4708==ABORTING


chrome_child!MoveSmall+0x1da:
000007fe`dafe3d91 0f2949b0        movaps  xmmword ptr [rcx-50h],xmm1 ds:000001e1`08180000=????????????????????????????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0041e088 000007fe`dadfc6e3 chrome_child!MoveSmall+0x1da [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 419]
00000000`0041e090 000007fe`dadfc397 chrome_child!v8::internal::ScavengingVisitor<0,1>::SemiSpaceCopyObject<1>+0xab [c:\b\c\b\win64_pgo\src\v8\src\heap\scavenger.cc @ 172]
00000000`0041e170 000007fe`da784d01 chrome_child!v8::internal::ScavengingVisitor<0,1>::EvacuateFixedDoubleArray+0x83 [c:\b\c\b\win64_pgo\src\v8\src\heap\scavenger.cc @ 277]
00000000`0041e1a0 000007fe`da7b655d chrome_child!v8::internal::IncrementalMarking::Step+0x241 [c:\b\c\b\win64_pgo\src\v8\src\heap\incremental-marking.cc @ 1178]
00000000`0041e360 000007fe`da7b9fce chrome_child!v8::internal::IncrementalMarking::AdvanceIncrementalMarking+0x169 [c:\b\c\b\win64_pgo\src\v8\src\heap\incremental-marking.cc @ 1077]
00000000`0041e530 000007fe`da80b32d chrome_child!v8::internal::IncrementalMarkingJob::Task::RunInternal+0x8a [c:\b\c\b\win64_pgo\src\v8\src\heap\incremental-marking-job.cc @ 62]
00000000`0041e5a0 000007fe`da7e6823 chrome_child!v8::internal::CancelableTask::Run+0x1d [c:\b\c\b\win64_pgo\src\v8\src\cancelable-task.h @ 171]
00000000`0041e5d0 000007fe`da7df7de chrome_child!base::debug::TaskAnnotator::RunTask+0x1bb [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 59]
00000000`0041e7b0 000007fe`da7f329f chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1d2 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 534]
00000000`0041ea60 000007fe`da7f1d0f chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x12f [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 329]
00000000`0041ebd0 000007fe`da7e6823 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::Run+0x4b [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 343]
00000000`0041ec10 000007fe`da7df523 chrome_child!base::debug::TaskAnnotator::RunTask+0x1bb [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 59]
00000000`0041edf0 000007fe`da7f410e chrome_child!base::MessageLoop::RunTask+0xbf [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 410]
00000000`0041ef10 000007fe`da7f30ff chrome_child!base::MessageLoop::DoWork+0x1a6 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 508]
00000000`0041f0c0 000007fe`dabe5678 chrome_child!base::MessagePumpDefault::Run+0x23 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_default.cc @ 34]
00000000`0041f0f0 000007fe`dac0ddf1 chrome_child!base::RunLoop::Run+0x9c [c:\b\c\b\win64_pgo\src\base\run_loop.cc @ 94]
00000000`0041f200 000007fe`dab2fd2e chrome_child!content::RendererMain+0x1bd [c:\b\c\b\win64_pgo\src\content\renderer\renderer_main.cc @ 215]
00000000`0041f310 000007fe`dab2fb2b chrome_child!content::RunNamedProcessTypeMain+0xb6 [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 429]
00000000`0041f460 000007fe`da9bcf94 chrome_child!content::ContentMainRunnerImpl::Run+0xcf [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 705]
00000000`0041f520 000007fe`da9bd3cb chrome_child!service_manager::Main+0x1b8 [c:\b\c\b\win64_pgo\src\services\service_manager\embedder\main.cc @ 458]
 
Attachment: crash.html (515 bytes)

Comment 1 by wfh@chromium.org, May 22 2017

Cc: haraken@chromium.org jochen@chromium.org yangguo@chromium.org danno@chromium.org
Components: Blink>JavaScript
Status: Untriaged (was: Unconfirmed)
Is this another Crankshaft-only bug?

Comment 2 by ClusterFuzz, May 22 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5210603559059456

Comment 3 by jochen@chromium.org, May 22 2017

Owner: hpayer@chromium.org
Status: Assigned (was: Untriaged)
Since it's on M60 without flags, it can't be Crankshaft.

Comment 4 by ClusterFuzz, May 22 2017

Detailed report: https://clusterfuzz.com/testcase?key=5210603559059456

Job Type: linux_asan_chrome_mp
Crash Type: Global-buffer-overflow READ 8
Crash Address: 0x7f7311278108
Crash State:
  v8::internal::IncrementalMarking::Step
  v8::internal::IncrementalMarking::AdvanceIncrementalMarking
  v8::internal::IncrementalMarkingJob::Task::RunInternal
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=468977:469016

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5210603559059456


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 5 by hpayer@chromium.org, May 24 2017

Status: Started (was: Assigned)
Can reproduce. At first glance, it looks like a broken map (maybe a forwarding pointer) which goes out of bounds on the visitor table in
Callback VisitorDispatchTable<Callback>::GetVisitor(Map* map) in src/heap/objects-visiting-inl.h

Security flags?
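Added illustration of the failure mode described in this comment, written for this page and not taken from V8: a hypothetical visitor dispatch table indexed by an id read through an object's map word. When the map word has been replaced by a forwarding pointer (or the map is otherwise corrupt), the unchecked lookup indexes past the global table, which is exactly the kind of read ASan flags as a global-buffer-overflow; the checked variant rejects such headers instead. All types, the tagging scheme and the table are constructed for the example.

```cpp
#include <cstdint>

// Hypothetical model of a visitor dispatch table (not V8's VisitorDispatchTable).
// An object's first word normally points at its Map; during a scavenge that word
// is overwritten with a tagged forwarding pointer to the object's new location.
typedef int (*VisitorCallback)(const void* object);

int VisitArray(const void*)  { return 1; }
int VisitString(const void*) { return 2; }
int VisitOther(const void*)  { return 3; }

enum { kVisitorIdCount = 3 };
const VisitorCallback kVisitorTable[kVisitorIdCount] = {
    VisitArray, VisitString, VisitOther};

struct Map { uint8_t visitor_id; };      // index into kVisitorTable
struct Object { uintptr_t map_word; };   // Map* or a forwarding pointer

// Constructed tagging scheme: a set low bit marks a forwarding pointer.
bool IsForwarded(const Object* obj) { return (obj->map_word & 1) != 0; }

// Unchecked lookup, modelling the failure mode from comment 5: the map word is
// trusted, so a forwarding pointer or garbage id indexes past the global table
// and reads an unrelated global (ASan: global-buffer-overflow READ).
// Never call this on a corrupted header; it is here only for comparison.
VisitorCallback GetVisitorUnchecked(const Object* obj) {
  const Map* map = reinterpret_cast<const Map*>(obj->map_word);
  return kVisitorTable[map->visitor_id];
}

// Checked lookup: refuse forwarded headers and out-of-range ids instead of
// using them as a table index.
VisitorCallback GetVisitorChecked(const Object* obj) {
  if (IsForwarded(obj)) return nullptr;
  const Map* map = reinterpret_cast<const Map*>(obj->map_word);
  if (map->visitor_id >= kVisitorIdCount) return nullptr;
  return kVisitorTable[map->visitor_id];
}

// Returns the visitor's result, or -1 when the header was rejected.
int DispatchChecked(const Object* obj) {
  VisitorCallback cb = GetVisitorChecked(obj);
  return cb ? cb(obj) : -1;
}
```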

Comment 7 by kenrb@chromium.org, May 25 2017

Labels: Security_Severity-Medium M-59 Security_Impact-Head OS-All Pri-1

Comment 8 by aarya@google.com, May 25 2017

Cc: mstarzinger@chromium.org

Comment 9 by sheriffbot@chromium.org, May 26 2017

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 10 by sheriffbot@chromium.org, May 26 2017

Labels: ReleaseBlock-Stable
Labels: -M-59 M-60
Does reproduce in d8:
=======================================
// Reviver callback for the JSON.parse call below; `this` is the holder object being revived.
var f2880 = function () {
  this[255] = new Int32Array(new Array());

  this[2] = new Proxy(new Array(0x7ffa, 0x00ff0000, 2048, -0, 65536), f3779);
  this[0x7ffffffa] = new Int8Array(new Array());
  let ret = 0xfffe;
  this[0xfffffffc] = -5;
};
// Arrow function used both as the Proxy handler and as the %NewFunctionContext target.
var f3779 = () => {
};
//location.reload();
// Direct runtime call through natives syntax (requires --allow-natives-syntax).
%NewFunctionContext(f3779, 1)
JSON.parse("[1,3,2]", f2880)
=======================================

gn:
use_goma = true
is_debug = true
target_cpu = "x86"
v8_optimized_debug = false
symbol_level = 2

It already crashes earlier, in:

#2  0xf6b4b2df in v8::internal::ScopeInfo::scope_type (this=0x47b04285)
    at ../../src/objects/scope-info.cc:404
404	  DCHECK_LT(0, length());

(gdb) bt
#0  v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:261
#1  0xf50b9f61 in V8_Fatal (file=0xf72ec787 "../../src/objects/scope-info.cc", line=404, 
    format=0xf725c3ef "Check failed: %s.") at ../../src/base/logging.cc:74
#2  0xf6b4b2df in v8::internal::ScopeInfo::scope_type (this=0x47b04285)
    at ../../src/objects/scope-info.cc:404
#3  0xf677a0c3 in v8::internal::Factory::NewFunctionContext (this=0x5787ccf8, length=0, 
    function=..., scope_type=v8::internal::ScopeType::FUNCTION_SCOPE)
    at ../../src/factory.cc:994
#4  0xf6deaf2b in v8::internal::__RT_impl_Runtime_NewFunctionContext (args=..., 
    isolate=0x5787ccf8) at ../../src/runtime/runtime-scopes.cc:748
#5  0xf6dea9cd in v8::internal::Runtime_NewFunctionContext (args_length=2, 
    args_object=0xffa7c0c8, isolate=0x5787ccf8)
    at ../../src/runtime/runtime-scopes.cc:739

The scope info is the empty_scope_info.
Status: WontFix (was: Started)
We are not allowed to call %NewFunctionContext(f3779,1).
Thanks Jochen and Michi for pointing this out. The crasher in the Scavenger is most likely a consequence of the wrong usage.

Comment 14 by sheriffbot@chromium.org, Sep 4 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
