ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5139411625574400.

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6572697476399104.

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5926303690391552.

ishell: Just wondering if you had a chance to look at this?

Minimal repro:

let o = {
  length: Infinity
};
Array.prototype.reduceRight.call(o, ()=>{});

From what I see this is not a security issue and just a correctness bug since we don't convert the input back to a string anymore.

I'm not yet sure it's not a security issue. The minimal repro worked for me, and in addition to the JS stacktrace, I got this native stack trace:

Received signal 4 ILL_ILLOPN 7f7c6faa7932
#0 0x7f7c96e81bcd base::debug::StackTrace::StackTrace()
#1 0x7f7c96bca4bc base::debug::StackTrace::StackTrace()
#2 0x7f7c96e81624 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f7c7837f0c0 <unknown>
#4 0x7f7c6faa7932 v8::base::OS::Abort()
#5 0x7f7c8193d2be v8::internal::__RT_impl_Runtime_AbortJS()
#6 0x7f7c8193cd28 v8::internal::Runtime_AbortJS()
#7 0x326c9bfb4284 <unknown>
  r8: 00007ffd675311e8  r9: 0000000000000400 r10: 0000000000000073 r11: 00007f7c74254e00
 r12: 00003333d1697271 r13: 00002052af219001 r14: 00007ffd67531900 r15: 0000000000000001
  di: 00002052aef1a098  si: 0000000000001e1f  bp: 00007ffd675317e0  bx: 00002052af219020
  dx: 00002052b00ad600  ax: 0000000000000001  cx: 00000000000001e1  sp: 00007ffd67531788
  ip: 00007f7c6faa7932 efl: 0000000000010202 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

`SIGILL` suggests to me that the program tried to execute junk (`rip` is clobbered or corrupted), which sounds like a security concern. I could be wrong, but.

I'm currently rewriting the checks and adding some more detailed check to see whether lookup happens properly.

In the submitted poc.js we most definitely run out of stackspace in optdebug, wasn't patient enough yet to see what it does in release.

I will check in detail again, here's the current finding:

The index (k in the CSA stub) is used for a lookup, the failing check was ensuring that we don't have to do ToString conversion. k is guaranteed to be a Number from the get-go, so the ToString conversion is non-observable.

k is then used to check (HasProperty) and to get the value (GetProperty) from the receiver which both to TryToName [1] internally. The fast-path avoids the conversion for ArrayIndices and uses k directly on an elements-only lookup. In all other cases we convert k to a String and do a normal property lookup.


[1] https://cs.chromium.org/chromium/src/v8/src/code-stub-assembler.cc?type=cs&q=TryToName&sq=package:chromium&g=0&l=6944

#12: Thanks. What's the worst outcome? out-of-bounds read/read of an invalid property or array index?

Sorry for the late reply, was OOO.
From my current assessment there is no negative outcome security-wise. 

This was just a overzealous check.
Even if the check failed, the input number would be properly converted for a lookup since we rely on the generic HasProperty helper [1] which falls back to the HasProperty runtime function [2] which does proper string conversion for all inputs.

[1] https://cs.chromium.org/chromium/src/v8/src/code-stub-assembler.cc?type=cs&q=HasProperty&g=0&l=10868
[2] https://cs.chromium.org/chromium/src/v8/src/runtime/runtime-object.cc?type=cs&q=Runtime_HasProperty&g=0&l=647

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9718d079e930bc3880c9ca8f2fc3807de3d98f68

commit 9718d079e930bc3880c9ca8f2fc3807de3d98f68
Author: Camillo Bruni <cbruni@chromium.org>
Date: Wed Jun 13 15:38:01 2018

[CSA] Fix Array.prototype.reduceRight CAS_ASSERT

- Add typed IsHeapNumberPositive, IsNumberNonNegativeSafeInteger, IsInteger,
  IsSafeInteger and IsHeapNumberUint32 helpers on CodeStubAssembler
- Type NumberIsInteger and NumberIsSafeInteger builtin

Bug:  chromium:847204 , v8:6949
Change-Id: I27d3ab79bd17312c223209ed0b221c174024126e
Reviewed-on: https://chromium-review.googlesource.com/1087961
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53707}
[modify] https://crrev.com/9718d079e930bc3880c9ca8f2fc3807de3d98f68/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/9718d079e930bc3880c9ca8f2fc3807de3d98f68/src/builtins/builtins-array-gen.h
[modify] https://crrev.com/9718d079e930bc3880c9ca8f2fc3807de3d98f68/src/builtins/builtins-number-gen.cc
[modify] https://crrev.com/9718d079e930bc3880c9ca8f2fc3807de3d98f68/src/code-stub-assembler.cc
[modify] https://crrev.com/9718d079e930bc3880c9ca8f2fc3807de3d98f68/src/code-stub-assembler.h
[modify] https://crrev.com/9718d079e930bc3880c9ca8f2fc3807de3d98f68/test/cctest/test-code-stub-assembler.cc

Given #14 I'm tempted to just turn this into a normal type=bug or security-impact-none. cbruni, can you confirm, and do that, or I'll re-triage tomorrow. Thanks.

Changed to type=bug according to #14 and #16 since there is no security impact.

The NextAction date has arrived: 2018-06-15

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot