Heap-use-after-free in v8::Shell::RealmCurrent
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6013647578202112
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x0b3053b4
Crash State:
  v8::Shell::RealmCurrent
  v8::internal::FunctionCallbackArguments::Call
  v8::internal::HandleApiCallHelper<0>
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=490630:490712
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6013647578202112
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Sep 4 2017

Sep 4 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 4 2017

Sep 6 2017

Sep 12 2017
ping!
Sep 18 2017
bradnelson: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 18 2017
Ben or Eric, could you look into this one? Thanks!
Sep 18 2017
I'll take a look.
Sep 18 2017
I've attached a much smaller test case that shows the bug. Run it with:

ASAN_OPTIONS='redzone=128:allow_user_segv_handler=0:symbolize=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:detect_leaks=0:print_scariness=1:check_malloc_usable_size=0:allocator_may_return_null=1:use_sigaltstack=1:handle_abort=1:strict_memcmp=0:detect_container_overflow=0:quarantine_size_mb=100:coverage=0:detect_odr_violation=0:fast_unwind_on_fatal=1:handle_sigill=1:handle_segv=1:malloc_context_size=128' ./out.gn/x64.asan/d8 --invoke-weak-callbacks 761710-minimized.js

It seems like the reference to `this.Realm` causes RunMain in d8 to destroy the Realm upon exiting (I don't really know anything about Realms; this is the first I've seen of them). However, the promise is holding a pointer to it so that it can do `Realm.current()`. Once the Wasm compilation completes asynchronously (after RunMain has exited), the promise completion callback looks up Realm.current, triggering the use-after-free.
Sep 18 2017
I have a fix out for review at https://chromium-review.googlesource.com/c/v8/v8/+/671923
Sep 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e6defddc156efbd8d12f770b990dd51bbe3084ea

commit e6defddc156efbd8d12f770b990dd51bbe3084ea
Author: Eric Holk <eholk@chromium.org>
Date: Tue Sep 19 00:42:11 2017

[d8] zero realm_count_ on RealmScope teardown

Promises can sometimes be resolved after the RealmScope has been destroyed, such as when a Wasm compile job finishes after the script main has finished. If the Promise.then function refers to Realm.current, we were getting a use-after free error when it would search for the list of realms. This change also zeros out realm_count_ in addition to deleting the realms_ so that RealmFind will not reference freed memory.

Bug: chromium:761710
Change-Id: I2d42997f363b284ccc5f4b225d3f59e0361e68d6
Reviewed-on: https://chromium-review.googlesource.com/671923
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48073}

[modify] https://crrev.com/e6defddc156efbd8d12f770b990dd51bbe3084ea/src/d8.cc
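The lifetime bug described in the analysis above and in the commit message, reduced to a small C++ model. This is an added example written here, not V8's d8.cc; the PerIsolateData layout, the Context stand-in and the realm ids are assumptions. It shows why a stale realm_count_ after the RealmScope frees realms_ makes RealmFind read freed memory, and how zeroing the count makes a late Realm.current() return -1 instead.

```cpp
struct Context { int id; };  // stands in for v8::Context (constructed)

// Assumed shape of d8's per-isolate realm bookkeeping (a model, not V8's code).
struct PerIsolateData {
  Context* realms_ = nullptr;  // heap-allocated array of realms
  int realm_count_ = 0;        // how many entries RealmFind may scan
};

// Model of RealmFind: each iteration reads realms_[i], so a stale
// realm_count_ after the array was freed means reading freed heap memory.
int RealmFind(const PerIsolateData& d, Context ctx) {
  for (int i = 0; i < d.realm_count_; ++i)
    if (d.realms_[i].id == ctx.id) return i;
  return -1;
}

void CreateRealms(PerIsolateData& d, int n) {
  d.realms_ = new Context[n];
  for (int i = 0; i < n; ++i) d.realms_[i].id = 100 + i;  // constructed ids
  d.realm_count_ = n;
}

// Pre-fix RealmScope teardown: frees the array but leaves realm_count_ stale.
void TeardownBuggy(PerIsolateData& d) { delete[] d.realms_; }

// Post-fix teardown: realm_count_ is zeroed (and the pointer cleared), so a
// late RealmFind loops zero times and returns -1 instead of touching freed memory.
void TeardownFixed(PerIsolateData& d) {
  delete[] d.realms_;
  d.realms_ = nullptr;
  d.realm_count_ = 0;
}

enum class Teardown { kNone, kBuggy, kFixed };

// Realm.current() from a promise callback, run either while the realms are still
// alive (kNone) or after RunMain exited and the RealmScope was torn down, as in
// the report. kBuggy is the use-after-free an ASAN build reports inside
// RealmFind, so only kNone and kFixed are safe to execute.
int RealmCurrentAfter(Teardown t) {
  PerIsolateData d;
  CreateRealms(d, 2);
  Context entered = d.realms_[1];  // the context the callback was created in
  auto realm_current = [&]() { return RealmFind(d, entered); };
  if (t == Teardown::kBuggy) TeardownBuggy(d);
  if (t == Teardown::kFixed) TeardownFixed(d);
  int idx = realm_current();  // kNone: 1; kFixed: -1; kBuggy: reads freed array
  if (t == Teardown::kNone) TeardownFixed(d);  // release the still-live realms
  return idx;
}
```

Built with -fsanitize=address and called with Teardown::kBuggy, the model reproduces a heap-use-after-free read inside RealmFind, the same shape of report ClusterFuzz attached to this issue.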
Sep 19 2017
Thanks, Eric!
Sep 20 2017
ClusterFuzz has detected this issue as fixed in range 502785:502793.
Detailed report: https://clusterfuzz.com/testcase?key=6013647578202112
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x0b3053b4
Crash State:
  v8::Shell::RealmCurrent
  v8::internal::FunctionCallbackArguments::Call
  v8::internal::HandleApiCallHelper<0>
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=490630:490712
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=502785:502793
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6013647578202112
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 20 2017
ClusterFuzz testcase 6013647578202112 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Sep 20 2017

Sep 22 2017

Sep 22 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 22 2017
Approving merge to M62. Branch: 3202
Sep 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1083a6bfca2378bdf7fdc003a0c56cab7d3b2f5b

commit 1083a6bfca2378bdf7fdc003a0c56cab7d3b2f5b
Author: Eric Holk <eholk@chromium.org>
Date: Mon Sep 25 21:46:35 2017

[d8] zero realm_count_ on RealmScope teardown

Promises can sometimes be resolved after the RealmScope has been destroyed, such as when a Wasm compile job finishes after the script main has finished. If the Promise.then function refers to Realm.current, we were getting a use-after free error when it would search for the list of realms. This change also zeros out realm_count_ in addition to deleting the realms_ so that RealmFind will not reference freed memory.

Bug: chromium:761710
Change-Id: I2d42997f363b284ccc5f4b225d3f59e0361e68d6
Reviewed-on: https://chromium-review.googlesource.com/671923
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#48073}
(cherry picked from commit e6defddc156efbd8d12f770b990dd51bbe3084ea)
Reviewed-on: https://chromium-review.googlesource.com/683054
Cr-Commit-Position: refs/branch-heads/6.2@{#41}
Cr-Branched-From: efa2ac4129d30c7c72e84c16af3d20b44829f990-refs/heads/6.2.414@{#1}
Cr-Branched-From: a861ebb762a60bf5cc2a274faee3620abfb06311-refs/heads/master@{#47693}

[modify] https://crrev.com/1083a6bfca2378bdf7fdc003a0c56cab7d3b2f5b/src/d8.cc
Sep 26 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 26 2017

Oct 5 2017

Dec 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Mar 27 2018
Comment 1 by clemensh@chromium.org, Sep 4 2017
Status: Assigned (was: Untriaged)