New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment
link

Issue 826434: Security: Concern about WebAssembly table mutability

Reported by natashenka@google.com, Mar 27 2018 Project Member

Issue description

The following change implements a check that can be bypassed https://chromium-review.googlesource.com/c/v8/v8/+/837646 (bug: https://bugs.chromium.org/p/v8/issues/detail?id=7232)

This fix appears to fix a use-after-free by not allowing WebAssembly tables to be changed during a WebAssembly call, but it is still possible to do this by creating a new WebAssembly Instance importing the table with a element section during a call to an import. I haven't been able to reproduce the original issue in  bug 7232  (and I don't have permissions to view the bug), so I am filing this issue for the WebAssembly team to investigate.
 

Comment 1 by mmoroz@chromium.org, Mar 27 2018

Cc: tzik@chromium.org hablich@chromium.org
Components: Blink>JavaScript>WebAssembly
Labels: Security_Severity-High M-67 Security_Impact-Stable
Owner: mtrofin@chromium.org

Comment 2 by mtrofin@chromium.org, Mar 27 2018

Owner: bradnelson@chromium.org

Comment 3 by hablich@chromium.org, Mar 28 2018

Labels: Pri-1
Status: Assigned (was: Unconfirmed)

Comment 4 by titzer@chromium.org, Mar 28 2018

Cc: titzer@chromium.org

Comment 5 by titzer@chromium.org, Mar 28 2018

We should be able to remove the API change once https://chromium-review.googlesource.com/c/v8/v8/+/958520 lands, since it will root the instance from the stack.

Comment 6 by mmoroz@chromium.org, Mar 28 2018

Labels: OS-All

Comment 7 by sheriffbot@chromium.org, Apr 11 2018

Project Member
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by carlosil@chromium.org, Apr 16 2018

Friendly Security Sheriff Ping: Are there any updates on this issue? This is a high severity security bug, and there haven't been any updates in a while (and it looks like the CL referenced as blocking in #5 has already landed).

Comment 9 by titzer@chromium.org, Apr 16 2018

Status: Fixed (was: Assigned)
This should now be fixed with https://chromium-review.googlesource.com/c/v8/v8/+/1007004

Comment 10 by sheriffbot@chromium.org, Apr 17 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 by sheriffbot@chromium.org, Apr 27 2018

Project Member
Labels: Merge-Request-67

Comment 12 by sheriffbot@chromium.org, Apr 27 2018

Project Member
Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: M67 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by gov...@chromium.org, Apr 27 2018

Cc: awhalley@chromium.org
+awhalley@ for M67 merge review.

Comment 14 by awhalley@google.com, Apr 27 2018

govind@ - good for 67

Comment 15 by gov...@chromium.org, Apr 27 2018

Labels: -Merge-Review-67 Merge-Approved-67
Approving merge to M67 branch 3396 based on comment #14. Please merge ASAP. Thank you.

Comment 16 by bradnelson@chromium.org, Apr 27 2018

Merged to 6.7 v8 branch.

Comment 17 by bradnelson@chromium.org, Apr 27 2018

Labels: -Merge-Approved-67 merge-merged-6.7 67

Comment 18 by bradnelson@chromium.org, Apr 30 2018

Cc: -tzik@chromium.org -hablich@chromium.org -bradnelson@chromium.org clemensh@chromium.org ahaas@chromium.org mstarzinger@chromium.org
Labels: -M-67 -67 -merge-merged-6.7
Status: Assigned (was: Fixed)
Actually just realized this merge is incorrect (looks like titzer's comment  got misinterpreted), reverted.

natashenka@ 's concern that the old work-around remains.

Dropping the merge tags.
Will see if I can repro.

Comment 19 by bradnelson@chromium.org, Apr 30 2018

Note, the correct original bug link above should be:
https://bugs.chromium.org/p/v8/issues/detail?id=7232

Comment 20 by sheriffbot@chromium.org, Apr 30 2018

Project Member
Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by gov...@chromium.org, Apr 30 2018

Just to make sure, incorrect CL has been reverted from M67 and no additional merge is needed, right?

Comment 22 by bradnelson@chromium.org, Apr 30 2018

Status: Assigned (was: Fixed)
To clarify, this issue tracks concern from natashenka@ that the workaround for this issue: https://bugs.chromium.org/p/v8/issues/detail?id=7232
is not fully general.
We don't (I think) have anything demonstrating this, but it looks possible on the face of it in the code.
If is an issue, it would affect M63-M67.

The issue is fixed for good by way of a large (hard to merge) refactor starting in M68 (which is why the workaround CL that I mistakenly cherrypicked went in).

Comment 23 by bradnelson@chromium.org, Apr 30 2018

Owner: titzer@chromium.org
The attached fail.js does indeed show that you can mutate the table while inside a call frame using table element init.
Note it prints 'bad' before returning which suggests confused control flow (i.e. returning to a different function then you called through).

Run with:
./out.gn/x64.debug/d8 --enable-slow-asserts --expose-gc --allow-natives-syntax test/mjsunit/mjsunit.js test/mjsunit/wasm/wasm-constants.js test/mjsunit/wasm/wasm-module-builder.js fail.js
(Built off branch-heads/6.7)

Ben, is there a good way to trace this?
I'm surprised I can't get it to crash.
fail.js
2.0 KB View Download

Comment 24 by bradnelson@chromium.org, Apr 30 2018

Cc: bradnelson@chromium.org

Comment 25 by elawrence@chromium.org, Apr 30 2018

Labels: FoundIn-63 M-66

Comment 26 by sheriffbot@chromium.org, May 1 2018

Project Member
titzer: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by titzer@chromium.org, May 2 2018

Re: c22.

The big refactor did go in, but one of mstarzinger@'s follow-up changes didn't make it in yet. An option is to merge both back. I'll ask mstarzinger@ offline.

Comment 28 by est...@chromium.org, May 16 2018

It looks like this should be marked Fixed, if I'm understanding correctly? If the bug is fixed on trunk and the only question is about whether it can be merged back, then it should be marked Fixed.

Re #27, do you have an update or a decision on whether the follow-up can be merged back?

Comment 29 by titzer@chromium.org, May 17 2018

Status: Fixed (was: Assigned)
Marking as fixed. Discussion with mstarzinger@ led us to conclude that the stackwalking change necessary to merge back the CL that fixed this bug is too risky, so we won't merge this change back.

Comment 30 by awhalley@chromium.org, May 29 2018

Labels: -M-66 Release-0-M67 M-67

Comment 31 by awhalley@chromium.org, May 29 2018

Labels: CVE-2018-6131 CVE_description-missing

Comment 32 by sheriffbot@chromium.org, Aug 23

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment