Security: WebAsm OOB ArrayBuffer |
||||||||||||||||||||||||||
Issue descriptionSplit from bug 766253 : """ WebAsm instance builder reads imports from an attacker-controlled object in v8/src/wasm/wasm-module.cc:1625 ProcessImports(). Imports can be getters, which run while the instance is being built and is not in a consistent state. If the getter builds another instance for the same module, then the instances will share a WasmCompiledModule, but will have different ArrayBuffers for memory. Compiled module will reference one memory buffer. If the second memory grows, then the compiled module gets confused and relocates to OOB memory. For trunk, the code has moved to wasm/module-compiler.cc. Exploit in wasm_xpl.js. """
,
Sep 18 2017
Eric, Mircea, Deepti, can you take a look at this.
,
Sep 18 2017
,
Sep 18 2017
Can we get access to the quoted 766253?
,
Sep 18 2017
Yes, I CCed you.
,
Sep 18 2017
,
Sep 18 2017
,
Sep 19 2017
I assume we want this backported to 60 and 61, as well as 62, correct?
,
Sep 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1bc42ab44cd62b860153249e281e8d3b40314cc3 commit 1bc42ab44cd62b860153249e281e8d3b40314cc3 Author: Mircea Trofin <mtrofin@chromium.org> Date: Tue Sep 19 02:45:11 2017 [wasm] Sanitize imports Sanitize imports before we start the instance building process. This avoids the possibility of exiting to JS while building instances, and allowing JS to observe an inconsistent state of the wasm world - e.g. incomplete specialization chains. We now validate we never exit to JS during that process. Bug: chromium:766260 Change-Id: I34930c8b70bdac16af464b3f62a2b6a38107acb3 Reviewed-on: https://chromium-review.googlesource.com/671480 Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Reviewed-by: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48074} [modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/module-compiler.cc [modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/module-compiler.h [modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/wasm-objects.cc [modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/wasm-objects.h
,
Sep 19 2017
,
Sep 19 2017
Pls apply appropriate OSs label.
,
Sep 19 2017
,
Sep 19 2017
This bug requires manual review: Less than 24 days to go before AppStore submit on M62 Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 19 2017
+ awhalley@ for merge review
,
Sep 19 2017
,
Sep 19 2017
,
Sep 19 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 19 2017
+ Release TPMs as FYI (awhalley@ is currently looking).
,
Sep 19 2017
Note that this (and the other bugs split from issue 766253 ) were responsibly disclosed, so while these should be picked up if we respin for other issues I don't consider them a driver for a respin.
,
Sep 19 2017
Approving this for M62 (branch: 3202)
,
Sep 19 2017
M62 merge done: https://chromium-review.googlesource.com/c/v8/v8/+/673549
,
Sep 20 2017
,
Sep 21 2017
Approving merge to M61.
,
Sep 21 2017
ketakid@ -
,
Sep 21 2017
ketakid@ - this has had very little bake time, I'd be very hesitant to take in 61, is there a particular driver? (and sorry if the reason was my (now deleted) comment 23, which was intended for a different bug)
,
Sep 25 2017
Folks, are we ready to merge this in M61?
,
Sep 25 2017
Removing request for M60 since there are no more M60 planned releases Ketaki to confirm on M61 merge timing/approval
,
Oct 6 2017
What is the business/urgent case to merge this? I'd prefer to target M-62 which is targeted few weeks from now Feel free to re request if there is a very strong reason that can't wait few weeks
,
Oct 6 2017
,
Oct 6 2017
The only source of urgency is the security aspect - a malicious program can access random data in the same process (renderer). M62 has it already, see #21.
,
Oct 6 2017
Let's target M62
,
Oct 9 2017
+hablich I don't understand why this was merge rejected from 61. This is a security vulnerability that I believe affects 61 as well.
,
Oct 12 2017
See https://bugs.chromium.org/p/chromium/issues/detail?id=766260#c19. Retrospectively I would also have preferred to merge this but not respin for it. We are branching for 6.3 today so 6.1 is obsolete.
,
Nov 6 2017
,
Nov 13 2017
,
Nov 13 2017
,
Mar 27 2018
,
Apr 25 2018
,
Jan 4
|
||||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||||
Comment 1 by mea...@chromium.org
, Sep 18 2017