Issue metadata

Security: Fatal signal 11 (SIGSEGV) on Android 7.1.1
Issue description

VULNERABILITY DETAILS

**THIS REPORT WAS ORIGINALLY FILED VIA ANDROID SECURITY EXTERNAL REPORTS**

Issue was inadvertently orphaned for a year and may no longer be reproducible. Original issue is @ b/37125371. Original reporter is cdsrc2016@gmail.com. Contact mikelogan@google.com with questions about this issue. ASDL ISE has requested this issue be forwarded to the Chrome Security team.

Fatal signal 11 (SIGSEGV) on Android 7.1.1

VERSION
Chrome Version: 53.0.2785.134
Operating System: Android 7.1.1 (Google APIs Intel x86 Atom System Image (API:25 Rev.2))

REPRODUCTION CASE
See below

This is a V8 JavaScript Engine crash bug. We found it in the Android (7.1.1) Chrome Browser.

Android Virtual Devices: Android 7.1.1 (Google APIs Intel x86 Atom System Image (API:25 Rev.2))

Crash log:

    google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ###
    google-breakpad: Chrome build fingerprint:
    google-breakpad: 53.0.2785.134
    google-breakpad: 278513412
    google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ###
    libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x8 in tid 17418 (WorkerPool/1741)
    debuggerd: handling request: pid=17389 uid=99255 gid=99255 tid=17418
    DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    DEBUG   : Build fingerprint: 'Android/sdk_google_phone_x86/generic_x86:7.1.1/NPF10D/3354678
    DEBUG   : Revision: '0'
    DEBUG   : ABI: 'x86'
    DEBUG   : pid: 17389, tid: 17418, name: WorkerPool/1741  >>> com.android.chrome:sandboxed_p
    DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8
    DEBUG   :     eax 00000012  ebx 8c5e9a7c  ecx 00000000  edx 00000001
    DEBUG   :     esi 858f1c10  edi 865015c4
    DEBUG   :     xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
    DEBUG   :     eip 893aa8c2  ebp 00000012  esp 86501440  flags 00210202
    DEBUG   :
    DEBUG   : backtrace:
    DEBUG   :     #00 pc 00cc48c2  /system/app/Chrome/Chrome.apk (offset 0xaa1000)

The HTML that caused the crash:

    <html>
    <body>
    <script>
    EvalTest("math0 = (function(x, y) { return Math.asinh((math1(1, 1))); });");
    testMathArray(math0, [1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]);
    function testMathArray(functions, inputs) {
      var results = [];
      if (functions) {
        for (var j = 0; j < inputs.length; ++j) {
          for (var k = 0; k < inputs.length; ++k) {
            results.push(functions(inputs[j], inputs[k]));
          }
        }
      }
    }
    function EvalTest(code){eval(code);}
    function math1(x, y){return (Math.max((Math.abs((Math.hypot(1, (Math.tan((x)))) >>> 0)) | 0), Math.fround(1))); }
    </script>
    </body>
    </html>
May 23 2018
This is a pretty ancient version of Chrome. I've uploaded the case to Clusterfuzz to see if it triggers anything but I wouldn't be surprised if this doesn't repro any more.
May 23 2018
Clusterfuzz can't reproduce this crash at the moment.
May 23 2018
Thanks, I suspected as much too. Leaving to the security sheriff to triage.
May 23 2018
Looks like this isn't an issue any more - if you can get an updated repro case that works with the current stable or canary version of Chrome, please send that along. Thanks.
May 23 2018
Ack for ASDL - will check w/ researcher. Thanks!
Aug 29
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, May 23 2018