Issue metadata
Security: Memory corruption in wasm module
Reported by
june901...@gmail.com,
Mar 21 2018
Issue description
VULNERABILITY DETAILS
I am not sure, but there might be memory corruption when wasm code is instantiated.
When I used '--no-wasm-jit-to-native' with the PoC, it worked normally.
VERSION
Chrome Version: current v8 stable [6.5.254.41]
Operating System: ubuntu 16.04 LTS
REPRODUCTION CASE
Starting program: $ /v8/out/asan/d8 poc.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff3140700 (LWP 17365)]
[New Thread 0x7ffff1e36700 (LWP 17366)]
[New Thread 0x7ffff0b2c700 (LWP 17367)]
[New Thread 0x7fffef822700 (LWP 17368)]
[New Thread 0x7fffee518700 (LWP 17369)]
Thread 1 "d8" received signal SIGSEGV, Segmentation fault.
__memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2389
2389 ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
(gdb) bt
#0 __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2389
#1 0x0000555555ebe543 in __asan_memcpy ()
at /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#2 0x000055555745fb60 in AddOwnedCode () at ../../src/wasm/wasm-code-manager.cc:328
#3 0x00005555574644ca in CreateTrampolineTo () at ../../src/wasm/wasm-code-manager.cc:491
#4 0x0000555557466992 in CloneTrampolinesAndStubs ()
at ../../src/wasm/wasm-code-manager.cc:670
#5 0x0000555557469054 in Clone () at ../../src/wasm/wasm-code-manager.cc:896
#6 0x00005555574e729e in Clone () at ../../src/wasm/wasm-objects.cc:1342
#7 0x00005555573f6f30 in Build () at ../../src/wasm/module-compiler.cc:2282
#8 0x00005555573f4702 in SyncInstantiate () at ../../src/wasm/module-compiler.cc:577
#9 0x0000555555fc2e14 in InstantiateAsmWasm () at ../../src/asmjs/asm-js.cc:392
#10 0x00005555570bc350 in __RT_impl_Runtime_InstantiateAsmJs ()
at ../../src/runtime/runtime-compiler.cc:126
#11 Runtime_InstantiateAsmJs () at ../../src/runtime/runtime-compiler.cc:106
#12 0x00007e8c3b88431d in ?? ()
#13 0x00007e8c3b884261 in ?? ()
#14 0x00007fffffffda40 in ?? ()
#15 0x0000000000000006 in ?? ()
#16 0x00007fffffffdab0 in ?? ()
#17 0x00007e8c3b8948f3 in ?? ()
#18 0x00007ead53d822e1 in ?? ()
#19 0x00007ead53d822e1 in ?? ()
#20 0x00007ead53d822e1 in ?? ()
#21 0x00007ef77db29e71 in ?? ()
#22 0x00007ef77db29e71 in ?? ()
#23 0x00007ef77db29e71 in ?? ()
#24 0x0000000000000000 in ?? ()
Mar 21 2018
Issue 824033 has been merged into this issue.
Mar 21 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5110289671127040.
Mar 21 2018
Thanks for the report! This seems to be a duplicate of issue 822266, we were not handling an OOM condition correctly. A fix for this already landed in https://crrev.com/c/966501 and might get merged to branches eventually.
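To make the developer's explanation concrete: the backtrace above dies inside libc's memcpy called from AddOwnedCode, which is the shape of a copy into an allocation that was never checked for failure. The following C is an added illustration written for this page, not V8's wasm-code-manager code; the CodeRegion type, region_alloc and the two add_owned_code_* functions are hypothetical stand-ins, and the 16-byte region and the NOP/RET stub bytes are constructed inputs. It shows the unchecked pattern next to a checked form that reports the OOM to the caller instead of writing through a null pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size code region with a bump allocator (stand-in for
 * a JIT code space; not V8's NativeModule). region_alloc returns NULL when
 * the region is exhausted, which is the OOM condition. */
typedef struct {
    uint8_t *base;
    size_t   capacity;
    size_t   used;
} CodeRegion;

static uint8_t *region_alloc(CodeRegion *r, size_t n) {
    if (n > r->capacity - r->used) {
        return NULL;                         /* out of code space */
    }
    uint8_t *p = r->base + r->used;
    r->used += n;
    return p;
}

/* Pattern behind the crash: the allocation result goes straight into
 * memcpy. If region_alloc returned NULL, the copy writes through a null
 * pointer and the process dies inside libc's memcpy (frames #0/#1 in the
 * report). Only safe while the region is known to have room. */
static uint8_t *add_owned_code_unchecked(CodeRegion *r,
                                         const uint8_t *code, size_t len) {
    uint8_t *dst = region_alloc(r, len);
    memcpy(dst, code, len);                  /* BUG: dst may be NULL */
    return dst;
}

/* Hardened form: check the allocation first and report failure to the
 * caller so instantiation can abort cleanly instead of corrupting memory.
 * Returns 0 on success, -1 on OOM; on OOM *out is NULL and the region is
 * left untouched. */
static int add_owned_code_checked(CodeRegion *r, const uint8_t *code,
                                  size_t len, uint8_t **out) {
    *out = NULL;
    uint8_t *dst = region_alloc(r, len);
    if (dst == NULL) {
        return -1;
    }
    memcpy(dst, code, len);
    *out = dst;
    return 0;
}

/* Walks the scenario: a 16-byte region, one 10-byte stub fits, a second
 * 10-byte stub does not. Returns 1 if the checked path behaved correctly
 * (success, then a reported OOM with no partial write), 0 otherwise. */
int demo_oom_handling(void) {
    uint8_t backing[16];
    memset(backing, 0xCC, sizeof backing);   /* poison so untouched bytes are visible */
    CodeRegion region = { backing, sizeof backing, 0 };

    /* Constructed stub: nine NOPs and a RET. */
    const uint8_t stub[10] = { 0x90, 0x90, 0x90, 0x90, 0x90,
                               0x90, 0x90, 0x90, 0x90, 0xC3 };
    uint8_t *first = NULL, *second = NULL;

    if (add_owned_code_checked(&region, stub, sizeof stub, &first) != 0) return 0;
    if (first != backing || region.used != 10) return 0;
    if (memcmp(first, stub, sizeof stub) != 0) return 0;

    /* Second stub overflows the region: must fail without writing. */
    if (add_owned_code_checked(&region, stub, sizeof stub, &second) != -1) return 0;
    if (second != NULL || region.used != 10) return 0;
    if (backing[10] != 0xCC) return 0;       /* nothing copied past the first stub */
    return 1;
}

int main(void) {
    int ok = demo_oom_handling();
    printf("checked path handles OOM correctly: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The unchecked variant is kept only for contrast; calling it once the region is full reproduces the null-pointer memcpy rather than a clean error, which is why the demo exercises the OOM path only through the checked function.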
Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot