Use-of-uninitialized-value in v8::internal::TextNode::GetQuickCheckDetails
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5092815569944576
Fuzzer: libFuzzer_v8_regexp_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
v8::internal::TextNode::GetQuickCheckDetails
v8::internal::TextNode::GetQuickCheckDetails
v8::internal::RegExpNode::EmitQuickCheck
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=515946:515953
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092815569944576
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Dec 9 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/04f7d484db22b1526afa5414c06eda443c5b4fad (RegExp: Add the ability to switch flags on and off within the regexp.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Dec 9 2017
,
Dec 9 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 9 2017
,
Dec 10 2017
,
Dec 10 2017
I'm trying to repro this, preferably without having to build the whole of Chromium. I have a gn build of V8 with args.gn:
is_debug=false
target_cpu="x64"
v8_target_cpu="x64"
use_goma=false
is_msan=true
v8_use_snapshot=false
This doesn't build because there's a missing file. It is not downloaded by gclient sync && gclient runhooks for some reason. I ended up downloading it manually with:
download_from_google_storage --bucket chromium-instrumented-libraries -s v8/third_party/instrumented_libraries/binaries/msan-chained-origins-trusty.tgz.sha1
The resulting d8 binary does not even start up under msan:
$ ./out.gn/asan/d8
==329==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x55806482e1f0 (/usr/local/google/home/erikcorry/V8/v8/out.gn/asan/d8+0x22f11f0)
#1 0x7fa49af840bc (<unknown module>)
Uninitialized value was created by an allocation of 'runtimeTimer252' in the stack frame of function '_ZN2v88internal8Compiler30GetSharedFunctionInfoForScriptENS0_6HandleINS0_6StringEEENS0_11MaybeHandleINS0_6ObjectEEEiiNS_19ScriptOriginOptionsES7_NS2_INS0_7ContextEEEPNS_9ExtensionEPPNS0_10ScriptDataENS_14ScriptCompiler14CompileOptionsENSG_13NoCacheReasonENS0_11NativesFlagENS5_INS0_10FixedArrayEEE'
#0 0x558062c7d410 (/usr/local/google/home/erikcorry/V8/v8/out.gn/asan/d8+0x740410)
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/usr/local/google/home/erikcorry/V8/v8/out.gn/asan/d8+0x22f11f0)
Exiting
Am I missing some sort of whitelist file?
,
Dec 11 2017
MSAN works only when V8 is running in arm simulator, here arm64. You can get the instrumented libraries by setting the checkout_instrumented_libraries custom variable to True in your .gclient file. E.g. see: https://cs.chromium.org/chromium/src/v8/DEPS?type=cs&q=checkout_instrumented_libraries&sq=package:chromium&l=6 That's where it's specified in the DEPS file.

You can overwrite the default by adding a custom_vars section side-by-side with custom_deps in your .gclient file. E.g.:

solutions = [
  {
    "managed": False,
    "name": "v8",
    "url": "https://chromium.googlesource.com/v8/v8.git",
    "custom_deps": {
    },
    "custom_vars": {
      "checkout_instrumented_libraries": True
    },
    "deps_file": "DEPS",
    "safesync_url": "",
  },
]

Then run gclient sync, it should download the libraries as part of the hooks. Sorry for our sparse documentation.

The gn args should be like on our msan bot: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux_-_arm64_-_sim_-_MSAN%2F18675%2F%2B%2Frecipes%2Fsteps%2Fgenerate_build_files%2F0%2Flogs%2Fcaptured_stdout%2F0 What you need from there will be:

is_debug = false
is_msan = true
msan_track_origins = 2
target_cpu = "x64"
use_goma = true
use_prebuilt_instrumented_libraries = true
v8_target_cpu = "arm64"

Not sure if you need a chained or no-origins version. You can try with msan_track_origins = 0 or msan_track_origins = 2.

Then also see environment, set here in the clusterfuzz case. You might need to set env variable:

MSAN_OPTIONS = handle_sigfpe=1:handle_sigbus=1:handle_sigill=1:allocator_release_to_os_interval_ms=500:handle_segv=1:handle_abort=1:print_stats=1:coverage=0:symbolize=0:print_summary=1:use_sigaltstack=1

Possibly you might need to add the symbolizer as well as clusterfuzz sets it in some special way.
,
Dec 11 2017
Pretty sure this is not exploitable so I see no need to backport. https://chromium-review.googlesource.com/#/c/v8/v8/+/820471
,
Dec 11 2017
Moved code review to https://chromium-review.googlesource.com/c/v8/v8/+/820472
,
Dec 12 2017
This was auto-assigned to the wrong CL. Probably a side effect of 2feb99dc8ac75f20d2e5c9c1b343e923476851ea "Reland "Ship RegExp Unicode property escapes"". Reassigning to Yang.

Repro:
var re = /©?\P{Any}>>>>/u;
re.test("©x>>>>");
,
Dec 12 2017
,
Dec 13 2017
,
Dec 13 2017
Erik, I can't repro with the code from #11. Is this for an msan build?
,
Dec 13 2017
Yes, I reproed with an msan simarm64 build, release version. I think I had the re.test in a loop, but that should not matter.
,
Dec 13 2017
Finally caught this, turns out we don't even need an msan build.
A vanilla debug build on ToT [0]:
$ out/debug/v8_simple_regexp_fuzzer clusterfuzz-testcase-minimized-5092815569944576
#
# Fatal error in ../../src/zone/zone.h, line 189
# Debug check failed: static_cast<unsigned>(length_) > static_cast<unsigned>(i) (0 vs. 0).
#
(gdb) bt
#0 v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:361
#1 0x00007ffff7fa6787 in V8_Fatal (file=0x7ffff5b05ba4 "../../src/zone/zone.h", line=189, format=0x7ffff7f7ba7b "Debug check failed: %s.")
at ../../src/base/logging.cc:138
#2 0x00007ffff7fa61ef in v8::base::(anonymous namespace)::DefaultDcheckHandler (file=0x7ffff5b05ba4 "../../src/zone/zone.h", line=189,
message=0x5555555c2570 "static_cast<unsigned>(length_) > static_cast<unsigned>(i) (0 vs. 0)") at ../../src/base/logging.cc:56
#3 0x00007ffff7fa67c2 in V8_Dcheck (file=0x7ffff5b05ba4 "../../src/zone/zone.h", line=189,
message=0x5555555c2570 "static_cast<unsigned>(length_) > static_cast<unsigned>(i) (0 vs. 0)") at ../../src/base/logging.cc:142
#4 0x00007ffff693cba3 in v8::internal::ZoneList<v8::internal::Statement*>::operator[] (this=0x5555555ce660, i=0)
at ../../src/zone/zone.h:189
#5 0x00007ffff693c8eb in v8::internal::ZoneList<v8::internal::Statement*>::at (this=0x5555555ce660, i=0) at ../../src/zone/zone.h:192
#6 0x00007ffff74c69bd in v8::internal::TextNode::GetQuickCheckDetails (this=0x5555555ce808, details=0x7fffffffa7bc,
compiler=0x7fffffffcd80, characters_filled_in=1, not_at_start=true) at ../../src/regexp/jsregexp.cc:2589
#7 0x00007ffff74c6dbc in v8::internal::TextNode::GetQuickCheckDetails (this=0x5555555ce8f8, details=0x7fffffffa7bc,
compiler=0x7fffffffcd80, characters_filled_in=1, not_at_start=false) at ../../src/regexp/jsregexp.cc:2644
#8 0x00007ffff74c6077 in v8::internal::RegExpNode::EmitQuickCheck (this=0x5555555ce8f8, compiler=0x7fffffffcd80,
bounds_check_trace=0x7fffffffada8, trace=0x7fffffffa5c0, preload_has_checked_bounds=false, on_possible_success=0x7fffffffa7a8,
details=0x7fffffffa7bc, fall_through_on_failure=true) at ../../src/regexp/jsregexp.cc:2419
#9 0x00007ffff74ce623 in v8::internal::ChoiceNode::EmitChoices (this=0x5555555ce858, compiler=0x7fffffffcd80, alt_gens=0x7fffffffa798,
first_choice=0, trace=0x7fffffffada8, preload=0x7fffffffaa70) at ../../src/regexp/jsregexp.cc:4132
#10 0x00007ffff74cc8e3 in v8::internal::ChoiceNode::Emit (this=0x5555555ce858, compiler=0x7fffffffcd80, trace=0x7fffffffada8)
at ../../src/regexp/jsregexp.cc:3963
#11 0x00007ffff74ced25 in v8::internal::ActionNode::Emit (this=0x5555555ce948, compiler=0x7fffffffcd80, trace=0x7fffffffaed0)
at ../../src/regexp/jsregexp.cc:4236
#12 0x00007ffff74cb50e in v8::internal::TextNode::Emit (this=0x5555555cea90, compiler=0x7fffffffcd80, trace=0x7fffffffb430)
at ../../src/regexp/jsregexp.cc:3347
#13 0x00007ffff74cf2a3 in v8::internal::ActionNode::Emit (this=0x5555555ceae0, compiler=0x7fffffffcd80, trace=0x7fffffffb430)
at ../../src/regexp/jsregexp.cc:4319
#14 0x00007ffff74c489c in v8::internal::Trace::Flush (this=0x7fffffffb8d0, compiler=0x7fffffffcd80, successor=0x5555555ceae0)
at ../../src/regexp/jsregexp.cc:1344
#15 0x00007ffff74cf20c in v8::internal::ActionNode::Emit (this=0x5555555ceae0, compiler=0x7fffffffcd80, trace=0x7fffffffb8d0)
at ../../src/regexp/jsregexp.cc:4310
#16 0x00007ffff74cb50e in v8::internal::TextNode::Emit (this=0x5555555ceb78, compiler=0x7fffffffcd80, trace=0x7fffffffbd78)
at ../../src/regexp/jsregexp.cc:3347
#17 0x00007ffff74cef77 in v8::internal::ActionNode::Emit (this=0x5555555cebc8, compiler=0x7fffffffcd80, trace=0x7fffffffbd78)
at ../../src/regexp/jsregexp.cc:4272
#18 0x00007ffff74c49e9 in v8::internal::Trace::Flush (this=0x7fffffffc2e0, compiler=0x7fffffffcd80, successor=0x5555555cebc8)
at ../../src/regexp/jsregexp.cc:1377
#19 0x00007ffff74cef13 in v8::internal::ActionNode::Emit (this=0x5555555cebc8, compiler=0x7fffffffcd80, trace=0x7fffffffc2e0)
at ../../src/regexp/jsregexp.cc:4266
#20 0x00007ffff74ce7fc in v8::internal::ChoiceNode::EmitChoices (this=0x5555555ce9d0, compiler=0x7fffffffcd80, alt_gens=0x7fffffffc4b8,
first_choice=0, trace=0x7fffffffc990, preload=0x7fffffffc790) at ../../src/regexp/jsregexp.cc:4172
#21 0x00007ffff74cc8e3 in v8::internal::ChoiceNode::Emit (this=0x5555555ce9d0, compiler=0x7fffffffcd80, trace=0x7fffffffc990)
at ../../src/regexp/jsregexp.cc:3963
#22 0x00007ffff74c2f28 in v8::internal::RegExpCompiler::Assemble (this=0x7fffffffcd80, macro_assembler=0x7fffffffd218,
start=0x5555555ce9d0, capture_count=0, pattern=...) at ../../src/regexp/jsregexp.cc:1092
#23 0x00007ffff74c155e in v8::internal::RegExpEngine::Compile (isolate=0x555555568df0, zone=0x7fffffffd550, data=0x7fffffffd630,
flags=..., pattern=..., sample_subject=..., is_one_byte=false) at ../../src/regexp/jsregexp.cc:6790
#24 0x00007ffff74c0aad in v8::internal::RegExpImpl::CompileIrregexp (re=..., sample_subject=..., is_one_byte=false)
at ../../src/regexp/jsregexp.cc:352
#25 0x00007ffff74dfadc in v8::internal::RegExpImpl::EnsureCompiledIrregexp (re=..., sample_subject=..., is_one_byte=false)
at ../../src/regexp/jsregexp.cc:318
#26 0x00007ffff74c181c in v8::internal::RegExpImpl::IrregexpPrepare (regexp=..., subject=...) at ../../src/regexp/jsregexp.cc:436
#27 0x00007ffff74bf7b0 in v8::internal::RegExpImpl::IrregexpExec (regexp=..., subject=..., previous_index=0, last_match_info=...)
at ../../src/regexp/jsregexp.cc:555
#28 0x00007ffff74bf270 in v8::internal::RegExpImpl::Exec (regexp=..., subject=..., index=0, last_match_info=...)
at ../../src/regexp/jsregexp.cc:196
#29 0x000055555555c393 in Test (isolate=0x555555568df0, regexp=..., subject=..., results_array=...) at ../../test/fuzzer/regexp.cc:22
#30 0x000055555555c9e9 in LLVMFuzzerTestOneInput (data=0x5555555c22e0 "\251?\\P{Any}>>>>\177", size=13) at ../../test/fuzzer/regexp.cc:81
#31 0x000055555555c311 in main (argc=2, argv=0x7fffffffddb8) at ../../test/fuzzer/fuzzer.cc:51
(gdb) job *regexp
0x28fa2d506b59: [JSRegExp]
- map = 0x3d704d883f11 [FastProperties]
- prototype = 0x44bc1a90881
- elements = 0x356b23f82251 <FixedArray[0]> [HOLEY_ELEMENTS]
- data = 0x28fa2d5083e1 <FixedArray[8]>
- source = 0x28fa2d506ab1 <String[13]\: \xa9?\\P{Any}>>>>>
- properties = 0x356b23f82251 <FixedArray[0]> {
#lastIndex: 0 (data field 0)
}
(gdb) job *subject
u"f\ud83d\udca9ba\u2603"
[0] 4b3043ef206d4fbd48b65a7347077ac7da2e3ed4
,
Dec 13 2017
Minimized d8 repro:
// Only triggers on a two-byte subject string. Note that \P{Any} is the empty set.
out/debug/d8 <<< '/a\P{Any}a/u.exec("\ud83d")'
,
Dec 14 2017
Fix in-flight: https://crrev.com/c/827010
,
Dec 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/52b4fb00b3ecb3c48e2c15a9007c712e0d0a707c

commit 52b4fb00b3ecb3c48e2c15a9007c712e0d0a707c
Author: jgruber <jgruber@chromium.org>
Date: Mon Dec 18 08:50:39 2017

[regexp] Preserve invariant of non-empty character class

The irregexp compiler expects RegExpCharacterClass instances to contain at least one range. This preserves that invariant when parsing the negated \P{Any} unicode property.

Bug: chromium:793588
Change-Id: If71fdce014a7e64d8af559084ee88108303d694b
Reviewed-on: https://chromium-review.googlesource.com/827010
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Erik Corry <erikcorry@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50146}

[modify] https://crrev.com/52b4fb00b3ecb3c48e2c15a9007c712e0d0a707c/src/regexp/jsregexp.cc
[modify] https://crrev.com/52b4fb00b3ecb3c48e2c15a9007c712e0d0a707c/src/regexp/regexp-ast.h
[modify] https://crrev.com/52b4fb00b3ecb3c48e2c15a9007c712e0d0a707c/src/regexp/regexp-parser.cc
[add] https://crrev.com/52b4fb00b3ecb3c48e2c15a9007c712e0d0a707c/test/mjsunit/regress/regress-793588.js
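The invariant named in the commit message above (a character class carries at least one range) is exactly what the negated \P{Any} property breaks: \p{Any} is the whole code-point range, so its complement has no ranges at all, and a consumer that reads the first range without checking walks off the end of the list (the DCHECK "length_ > i (0 vs. 0)" in debug, an uninitialized read in release). The C++ below is an added example and not V8's code or the linked fix: it models a character class as a range list, shows the complement of Any coming out empty, and puts a quick-check computation that assumes a first range next to one that treats the empty class as "matches nothing". All names (CharacterRange, CharacterClass, Negate, UnicodeProperty, QuickCheck, TextNodeCanMatch) are this example's own; the hardening here sits at the consumer, whereas the project's fix, per its message, preserves the invariant in the parser.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed model of a regexp character class: a sorted list of inclusive
// code-point ranges. V8 keeps the same shape (ZoneList<CharacterRange>); the
// names and helpers below belong to this example only.
struct CharacterRange {
  uint32_t from;
  uint32_t to;
};
using CharacterClass = std::vector<CharacterRange>;
constexpr uint32_t kMaxCodePoint = 0x10FFFF;

// Complement of a sorted, non-overlapping range list over [0, kMaxCodePoint].
// Negating Any ([0, 0x10FFFF]) leaves no ranges: the empty class from the bug.
CharacterClass Negate(const CharacterClass& ranges) {
  CharacterClass out;
  uint32_t next = 0;
  for (const CharacterRange& r : ranges) {
    if (r.from > next) out.push_back({next, r.from - 1});
    next = r.to + 1;
  }
  if (next <= kMaxCodePoint) out.push_back({next, kMaxCodePoint});
  return out;
}

// \p{Any} (negated == false) or \P{Any} (negated == true).
CharacterClass UnicodeProperty(bool negated) {
  CharacterClass any{{0, kMaxCodePoint}};
  return negated ? Negate(any) : any;
}

// A quick check in the irregexp sense: (c & mask) == value must hold for every
// code point c the class can match. It is a necessary-condition filter only.
struct QuickCheckDetails {
  uint32_t mask = 0;
  uint32_t value = 0;
  bool cannot_match = false;
};

// Before: trusts the "at least one range" invariant and reads the first range.
// at(0) throws on an empty class here; an unchecked operator[] would read past
// the end of the list, which is the uninitialized read MSan reported.
QuickCheckDetails QuickCheckUnchecked(const CharacterClass& cls) {
  QuickCheckDetails d;
  const CharacterRange& first = cls.at(0);
  d.mask = ~0u;
  for (uint32_t differing = first.from ^ first.to; differing; differing >>= 1) d.mask <<= 1;
  d.value = first.from & d.mask;
  return d;
}

// After: an empty class is a legal value meaning "matches nothing", so the
// consumer reports cannot_match instead of indexing into the list.
QuickCheckDetails QuickCheck(const CharacterClass& cls) {
  QuickCheckDetails d;
  if (cls.empty()) {
    d.cannot_match = true;
    return d;
  }
  d.mask = ~0u;
  d.value = cls[0].from;
  for (const CharacterRange& r : cls) {
    uint32_t range_mask = ~0u;  // bits shared by every code point in [from, to]
    for (uint32_t differing = r.from ^ r.to; differing; differing >>= 1) range_mask <<= 1;
    d.mask &= range_mask;
    d.mask &= ~(d.value ^ r.from);  // bits that differ between ranges cannot be checked
  }
  d.value &= d.mask;
  return d;
}

bool PassesQuickCheck(const QuickCheckDetails& d, uint32_t c) {
  return !d.cannot_match && (c & d.mask) == d.value;
}

// A text node is a sequence of classes; if any element can never match, the
// whole node can never match and the compiler can emit a plain failure.
bool TextNodeCanMatch(const std::vector<CharacterClass>& elements) {
  for (const CharacterClass& cls : elements)
    if (QuickCheck(cls).cannot_match) return false;
  return true;
}

// Shows the unchecked path failing on \P{Any} without undefined behaviour.
bool UncheckedRejectsEmptyClass() {
  try {
    QuickCheckUnchecked(UnicodeProperty(true));
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}

int main() {
  // /a\P{Any}a/u from the minimized repro, as three character classes.
  CharacterClass letter_a{{0x61, 0x61}};
  std::vector<CharacterClass> pattern = {letter_a, UnicodeProperty(true), letter_a};
  std::printf("unchecked path throws on \\P{Any}: %s\n", UncheckedRejectsEmptyClass() ? "yes" : "no");
  std::printf("/a\\P{Any}a/u can match: %s\n", TextNodeCanMatch(pattern) ? "yes" : "no");
  return 0;
}
```

The point the thread makes in the bug is the general one: a value that a producer can legitimately create (the empty set) must be handled by every consumer, or the invariant has to be enforced at the single place it is created. Either side is a valid fix; what is not valid is an unchecked first-element read in code that compiles attacker-supplied patterns.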
,
Dec 18 2017
,
Dec 18 2017
Concur with #9, no backmerge needed.
,
Dec 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/41e86190691066e619044c2ad0c7b7192405cdfe

commit 41e86190691066e619044c2ad0c7b7192405cdfe
Author: jgruber <jgruber@chromium.org>
Date: Mon Dec 18 09:19:20 2017

[regexp] Mark regress-793588 as failing on no_i18n builds

ICU is needed to parse unicode property names.

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=mths@chromium.org

Bug: chromium:793588
Change-Id: I7a4cd2885713c490fbc53867079fba69a26cba75
Reviewed-on: https://chromium-review.googlesource.com/831515
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50147}

[modify] https://crrev.com/41e86190691066e619044c2ad0c7b7192405cdfe/test/mjsunit/mjsunit.status
,
Dec 18 2017
,
Dec 19 2017
ClusterFuzz testcase 5985437415112704 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Dec 19 2017
ClusterFuzz has detected this issue as fixed in range 524693:524701.

Detailed report: https://clusterfuzz.com/testcase?key=5092815569944576
Fuzzer: libFuzzer_v8_regexp_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
v8::internal::TextNode::GetQuickCheckDetails
v8::internal::TextNode::GetQuickCheckDetails
v8::internal::RegExpNode::EmitQuickCheck
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=515946:515953
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=524693:524701
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092815569944576
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 26 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
,
Mar 31 2018
Comment 1 by ClusterFuzz, Dec 9 2017
Labels: Test-Predator-Auto-Components