OOB Using Float64Array
Reported by
zanywh...@gmail.com,
Jul 10
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Steps to reproduce the problem:
1. Just execute the attachment.
What is the expected behavior?
Out of Bound Access
What went wrong?
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff5740000 --> 0x19ef16c02469 --> 0x6000019ef16c022
RCX: 0x0
RDX: 0x81b5
RSI: 0x40da0
RDI: 0x40da0
RBP: 0x7fffffffd720 --> 0x7fffffffd7d0 --> 0x7fffffffd810 --> 0x7fffffffd840 --> 0x7fffffffd8d8 --> 0x7fffffffd948 (--> ...)
RSP: 0x7fffffffd6b0 --> 0x340edd683eb1 --> 0x19ef16c02d
RIP: 0x555555aa1439 (<_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+505>: mov rdi,QWORD PTR [r8+rdi*1+0xf])
R8 : 0x19250bf02251 --> 0x19ef16c023
R9 : 0x186a0
R10: 0x555556113838 --> 0x555555dbe030 (<_ZN2v88internal30Runtime_TypedArrayCopyElementsEiPPNS0_6ObjectEPNS0_7IsolateE>: push rbp)
R11: 0x297
R12: 0x7fffffffd804 --> 0xffffd86000000000
R13: 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
R14: 0x2bc493c657d1 --> 0x19ef16c043
R15: 0x1
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555aa142c <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+492>: cmp edi,DWORD PTR [r14+0xb]
0x555555aa1430 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+496>: jge 0x555555aa172b <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+1259>
0x555555aa1436 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+502>: movsxd rdi,esi
=> 0x555555aa1439 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+505>: mov rdi,QWORD PTR [r8+rdi*1+0xf]
0x555555aa143e <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+510>: mov rbx,QWORD PTR [r14+0x17]
0x555555aa1442 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+514>: add rbx,QWORD PTR [r14+0xf]
0x555555aa1446 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+518>: add rbx,rcx
0x555555aa1449 <_ZN2v88internal12_GLOBAL__N_121TypedElementsAccessorILNS0_12ElementsKindE18EdE25TryCopyElementsFastNumberEPNS0_7ContextEPNS0_7JSArrayEPNS0_12JSTypedArrayEmj+521>: mov QWORD PTR [rsi+rbx*1],rdi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd6b0 --> 0x340edd683eb1 --> 0x19ef16c02d
0008| 0x7fffffffd6b8 --> 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
0016| 0x7fffffffd6c0 --> 0x186a0
0024| 0x7fffffffd6c8 --> 0x0
0032| 0x7fffffffd6d0 --> 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
0040| 0x7fffffffd6d8 --> 0xffffffff
0048| 0x7fffffffd6e0 --> 0x55555610dfb0 --> 0x7fffffffdf78 (0x000055555610dfb0)
0056| 0x7fffffffd6e8 --> 0x5555fffffffe
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555aa1439 in v8::internal::(anonymous namespace)::TypedElementsAccessor<(v8::internal::ElementsKind)18, double>::TryCopyElementsFastNumber(v8::internal::Context*, v8::internal::JSArray*, v8::internal::JSTypedArray*, unsigned long, unsigned int) ()
Did this work before? N/A
Chrome version: 67.0.3396.99 Channel: stable
OS Version: 10.0
Flash Version:
Jul 10
Doesn't look like ClusterFuzz can reproduce this. titzer, could you take a look please?
Jul 11
Peter/Jakob, PTAL
Jul 11
Please set impact and severity labels if you can reproduce the bug. (Should be Security_Impact-Stable and Medium, I think?) Thanks!
Jul 12
Thanks for the report. This has been previously reported, and fixed on tip-of-tree (probably why clusterfuzz can't reproduce).
Jul 16
But it works on the latest stable Chrome version (67.0.3396.99) now. Even if you have patched the latest version as you said, there is still an OOB available in the latest stable version of Chrome. You can check by just pasting it into the Chrome JavaScript console and you'll see it BOOM. And also you can see the segmentation fault on d8 version 6.7.288.46 (stable).
Jul 16
Unfortunately we found this late in the release cycle of 67, so the fix did not make it into any of the 67 releases. The fix is already in 68, which will be the next stable release.
Jul 16
Ok I got it. Thank you!
Aug 17
Can I grant permission for duplicate issues? I want to see the original issue.
Aug 20
Hi zanywhale@gmail.com, Issue 854066 will be made public via Chromium's standard procedure as outlined in https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#TOC-Can-you-please-un-hide-old-security-bugs-.
Oct 18
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot