Security: V8 Integer overflow in object allocation size |
||||||||||||||||||||||||
Issue description
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.
Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com
/chromium/src/+/master/docs/security/faq.md
Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs
NOTE: Security bugs are normally made public once a fix has been widely
deployed.
VULNERABILITY DETAILS
There's an integer overflow in computing the required allocation size when instantiating a new javascript object.
See the following code in objects.cc
// static
bool JSFunction::CalculateInstanceSizeForDerivedClass(
Handle<JSFunction> function, InstanceType instance_type,
int requested_embedder_fields, int* instance_size,
int* in_object_properties) {
Isolate* isolate = function->GetIsolate();
int expected_nof_properties = 0;
bool result = true;
for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
!iter.IsAtEnd(); iter.Advance()) {
Handle<JSReceiver> current =
PrototypeIterator::GetCurrent<JSReceiver>(iter);
if (!current->IsJSFunction()) break;
Handle<JSFunction> func(Handle<JSFunction>::cast(current));
// The super constructor should be compiled for the number of expected
// properties to be available.
Handle<SharedFunctionInfo> shared(func->shared());
if (shared->is_compiled() ||
Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
DCHECK(shared->is_compiled());
expected_nof_properties += shared->expected_nof_properties(); // <--- overflow here!
} else if (!shared->is_compiled()) {
// In case there was a compilation error for the constructor we will
// throw an error during instantiation. Hence we directly return 0;
result = false;
break;
}
if (!IsDerivedConstructor(shared->kind())) {
break;
}
}
CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
expected_nof_properties, instance_size,
in_object_properties);
return result;
}
By supplying a long prototype chain of objects with a large expected_nof_properties we can control the resulting value of instance_size by causing (requested_embedder_fields + requested_in_object_properties) << kPointerSizeLog2 to be overflown to a small negative value, resulting in an allocation smaller than header_size, which is the minimum required size for the base object class being allocated. This results in memory corruption when the object is initialised/used.
void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
bool has_prototype_slot,
int requested_embedder_fields,
int requested_in_object_properties,
int* instance_size,
int* in_object_properties) {
int header_size = JSObject::GetHeaderSize(instance_type, has_prototype_slot);
DCHECK_LE(requested_embedder_fields,
(JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2);
*instance_size =
Min(header_size +
((requested_embedder_fields + requested_in_object_properties)
<< kPointerSizeLog2),
JSObject::kMaxInstanceSize);
*in_object_properties = ((*instance_size - header_size) >> kPointerSizeLog2) -
requested_embedder_fields;
}
The attached PoC crashes current stable on linux.
See crash report ID: 307546648ba8a84a
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
VERSION
Chrome Version: Version 64.0.3282.119 (Official Build) (64-bit)
Operating System: Linux
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer
Crash State: crash id 307546648ba8a84a
Client ID (if relevant): [see link above]
,
Feb 2 2018
,
Feb 2 2018
,
Feb 2 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4864701755031552.
,
Feb 2 2018
Calling it M64 since maybe the fix will be simple enough to make it into a maybe-respin of Stable. Otherwise 65.
,
Feb 5 2018
,
Feb 5 2018
,
Feb 5 2018
Wow, nice catch, thanks for the repro! The CL mentioned in issue 806388 essentially prevents an exploit by now since it hard crashes on most invalid values for Map properties. But I presume if you construct the right allocation_size that is valid again but still too small you'd end up in the same situation.
,
Feb 5 2018
WIP patch https://chromium-review.googlesource.com/c/v8/v8/+/902103 It's already late here and I won't make it today I think, what's the deadline for M64? We'd need to bake the proper fix for a while I think, but I could write at least a minimal fix that crashes and prevents an exploit which could be easily backmerged (again this would happen tomorrow).
,
Feb 5 2018
,
Feb 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7b27040e66c8a83006aebc90fe97d21bb42156a7 commit 7b27040e66c8a83006aebc90fe97d21bb42156a7 Author: Camillo Bruni <cbruni@chromium.org> Date: Mon Feb 12 20:54:29 2018 [runtime] Harden JSFunction::CalculateInstanceSizeHelper(...) Bug: chromium:808192 Change-Id: I80136d291d5c21c311903bffc96d86d109f5cdc9 Reviewed-on: https://chromium-review.googlesource.com/902103 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#51255} [modify] https://crrev.com/7b27040e66c8a83006aebc90fe97d21bb42156a7/src/objects.cc [modify] https://crrev.com/7b27040e66c8a83006aebc90fe97d21bb42156a7/src/objects.h [modify] https://crrev.com/7b27040e66c8a83006aebc90fe97d21bb42156a7/test/cctest/test-inobject-slack-tracking.cc [modify] https://crrev.com/7b27040e66c8a83006aebc90fe97d21bb42156a7/test/mjsunit/es6/destructuring-assignment.js [modify] https://crrev.com/7b27040e66c8a83006aebc90fe97d21bb42156a7/test/mjsunit/mjsunit.status [add] https://crrev.com/7b27040e66c8a83006aebc90fe97d21bb42156a7/test/mjsunit/regress/regress-crbug-808192.js
,
Feb 13 2018
,
Feb 13 2018
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 13 2018
+ awhalley@ for (Security TPM) for merge review.
,
Feb 13 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 14 2018
,
Feb 15 2018
awhalley@ are you reviewing this merge?
,
Feb 16 2018
govind@ - good for 65 cmasso@ - I was waiting on it obtaining sufficient canary/dev coverage.
,
Feb 16 2018
Approving merge to M65 branch 3325 based on comment #19. Please merge ASAP so we can pick it up for next beta release. Thank you.
,
Feb 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ee33671594496a600147d5878855a0ec16da80be commit ee33671594496a600147d5878855a0ec16da80be Author: Camillo Bruni <cbruni@chromium.org> Date: Fri Feb 16 16:46:28 2018 Merged: [runtime] Harden JSFunction::CalculateInstanceSizeHelper(...) Revision: 7b27040e66c8a83006aebc90fe97d21bb42156a7 BUG= chromium:808192 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=ishell@chromium.org Change-Id: I85db90cca8a76045664b5777df33502dec799ad7 Reviewed-on: https://chromium-review.googlesource.com/924126 Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/branch-heads/6.5@{#47} Cr-Branched-From: 73c55f57fe8506011ff854b15026ca765b669700-refs/heads/6.5.254@{#1} Cr-Branched-From: 594a1a0b6e551397cfdf50870f6230da34db2dc8-refs/heads/master@{#50664} [modify] https://crrev.com/ee33671594496a600147d5878855a0ec16da80be/src/objects.cc [modify] https://crrev.com/ee33671594496a600147d5878855a0ec16da80be/src/objects.h [modify] https://crrev.com/ee33671594496a600147d5878855a0ec16da80be/test/cctest/test-inobject-slack-tracking.cc [modify] https://crrev.com/ee33671594496a600147d5878855a0ec16da80be/test/mjsunit/es6/destructuring-assignment.js [modify] https://crrev.com/ee33671594496a600147d5878855a0ec16da80be/test/mjsunit/mjsunit.status [add] https://crrev.com/ee33671594496a600147d5878855a0ec16da80be/test/mjsunit/regress/regress-crbug-808192.js
,
Feb 16 2018
This is already merged at #21.
,
Feb 21 2018
We're fairly close to M65 stable, let's wait for that.
,
Feb 21 2018
,
Feb 21 2018
,
Feb 23 2018
This is causing crashes on M65 Beta (as well as Canary), see issue 813492.
,
Feb 23 2018
It is best to revert this change from M65 if it is a safe revert as it causing stability issue on M65. awhalley@, are you ok with it? adamk@, will it be safe to revert this change from M65?
,
Feb 23 2018
,
Feb 23 2018
jkummerow is investigating what we should do next. It's not clear if reverting the change on M65 is actually safe (it's a CHECK failure, and removing it might lead to worse problems).
,
Feb 23 2018
Turns out this crash was already found by clusterfuzz and fixed, see issue 813427 .
,
Mar 6 2018
,
Mar 6 2018
,
Apr 25 2018
,
May 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 14
|
||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Feb 1 2018