Issue 862179

Issue metadata

Status: Duplicate
Merged: issue 854066
Owner:
Closed: Jul 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security

OOB Using Float64Array

Reported by zanywh...@gmail.com, Jul 10

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. Just execute the attachment.

What is the expected behavior?
Out-of-bounds access

What went wrong?
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff5740000 --> 0x19ef16c02469 --> 0x6000019ef16c022
RCX: 0x0
RDX: 0x81b5
RSI: 0x40da0
RDI: 0x40da0
RBP: 0x7fffffffd720 --> 0x7fffffffd7d0 --> 0x7fffffffd810 --> 0x7fffffffd840 --> 0x7fffffffd8d8 --> 0x7fffffffd948 (--> ...)
RSP: 0x7fffffffd6b0 --> 0x340edd683eb1 --> 0x19ef16c02d
RIP: 0x555555aa1439 (<_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+505>:        mov    rdi,QWORD PTR [r8+rdi*1+0xf])
R8 : 0x19250bf02251 --> 0x19ef16c023
R9 : 0x186a0
R10: 0x555556113838 --> 0x555555dbe030 (<_ZN2v88internal30Runtime_TypedArrayCopyElementsEiPPNS0_6ObjectEPNS0_7IsolateE>:        push   rbp)
R11: 0x297
R12: 0x7fffffffd804 --> 0xffffd86000000000
R13: 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
R14: 0x2bc493c657d1 --> 0x19ef16c043
R15: 0x1
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555aa142c <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+492>:   cmp    edi,DWORD PTR [r14+0xb]
   0x555555aa1430 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+496>:
    jge    0x555555aa172b <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+1259>
   0x555555aa1436 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+502>:   movsxd rdi,esi
=> 0x555555aa1439 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+505>:   mov    rdi,QWORD PTR [r8+rdi*1+0xf]
   0x555555aa143e <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+510>:   mov    rbx,QWORD PTR [r14+0x17]
   0x555555aa1442 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+514>:   add    rbx,QWORD PTR [r14+0xf]
   0x555555aa1446 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+518>:   add    rbx,rcx
   0x555555aa1449 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+521>:   mov    QWORD PTR [rsi+rbx*1],rdi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd6b0 --> 0x340edd683eb1 --> 0x19ef16c02d
0008| 0x7fffffffd6b8 --> 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
0016| 0x7fffffffd6c0 --> 0x186a0
0024| 0x7fffffffd6c8 --> 0x0
0032| 0x7fffffffd6d0 --> 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
0040| 0x7fffffffd6d8 --> 0xffffffff
0048| 0x7fffffffd6e0 --> 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
0056| 0x7fffffffd6e8 --> 0x5555fffffffe
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555aa1439 in v8::internal::(anonymous namespace)::TypedElementsAccessor<(v8::internal::ElementsKind)18, double>::TryCopyElementsFastNumber(v8::internal::Context*, v8::internal::JSArray*, v8::internal::JSTypedArray*, unsigned long, unsigned int) ()

Did this work before? N/A 

Chrome version: 67.0.3396.99  Channel: stable
OS Version: 10.0
Flash Version:

Attachment: poc.js (237 bytes)

Comment 1 by ClusterFuzz, Jul 10

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5457319316684800.
Components: Blink>JavaScript
Owner: titzer@chromium.org
Status: Assigned (was: Unconfirmed)
Doesn't look like ClusterFuzz can reproduce this. titzer, could you take a look please?

Cc: petermarshall@chromium.org jgruber@chromium.org
Peter/Jakob, PTAL

Please set impact and severity labels if you can reproduce the bug. (Should be Security_Impact-Stable and Medium, I think?) Thanks!

Mergedinto: 854066
Status: Duplicate (was: Assigned)
Thanks for the report. This has been previously reported, and fixed on tip-of-tree (probably why ClusterFuzz can't reproduce).

But it works on the latest stable Chrome version (67.0.3396.99) now.
Even if you have patched the latest version as you said, there is still an OOB available in the latest stable version of Chrome.

You can check: just paste it into the Chrome JavaScript console and you'll see it BOOM.
And also you can see the segmentation fault on d8 version 6.7.288.46 (stable).

Unfortunately we found this late in the release cycle of 67, so the fix did not make it into any of the 67 releases. The fix is already in 68, which will be the next stable release.

Ok, I got it. Thank you!
Can I be granted permission for duplicate issues?
I want to see the original issue.
Comment 11 by sheriffbot@chromium.org, Oct 18

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot