Issue metadata

Status: Fixed
Owner:
Closed: Jul 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

[LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell

Reported by decoder...@gmail.com, Jul 6 2011

Issue description

VULNERABILITY DETAILS

The following code crashes an optimized v8 shell (version as in Chrome 14.0.813.0 which is v8-trunk r8431) or asserts in a debug shell. The same code does not crash in Chromium, I suspect it could be that the memory layout is different there and the specific test case therefore fails on Chromium. Please check if this really does not affect Chromium as well.

Debug builds abort with:

#
# Fatal error in src/objects.cc, line 1797
# CHECK(!value->IsTheHole()) failed
#

VERSION
V8 Version: http://v8.googlecode.com/svn/trunk@8431 (as in Chrome Version 14.0.813.0).
Operating System: Ubuntu Linux 11.04

REPRODUCTION CASE

(function () {
  function classOf(object) { typeof(value); };
})();
function F() {}
Object.prototype.__defineSetter__('x', function(value) { result_x = value; });
this.__proto__ = { x: 42 };
try {
  fail;
} catch (e) {
  eval('const x = 7');
}


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Shell
Crash Trace:

==26391== Use of uninitialised value of size 8
==26391==    at 0x4E3490: v8::internal::JSObject::GetNormalizedProperty(v8::internal::LookupResult*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x5502A2: v8::internal::Runtime_InitializeConstContextSlot(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x9F48341: ???
==26391==    by 0x9F6C0DD: ???
==26391==    by 0x9F48C2D: ???
==26391==    by 0x9F6B08E: ???
==26391==    by 0x9F493E6: ???
==26391==    by 0x9F48127: ???
==26391==    by 0x447FA8: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x448468: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x414477: v8::Script::Run() (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x402F73: ExecuteString(v8::Handle<v8::String>, v8::Handle<v8::Value>, bool, bool) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391== 
==26391== Invalid read of size 8
==26391==    at 0x4E3490: v8::internal::JSObject::GetNormalizedProperty(v8::internal::LookupResult*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x5502A2: v8::internal::Runtime_InitializeConstContextSlot(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x9F48341: ???
==26391==    by 0x9F6C0DD: ???
==26391==    by 0x9F48C2D: ???
==26391==    by 0x9F6B08E: ???
==26391==    by 0x9F493E6: ???
==26391==    by 0x9F48127: ???
==26391==    by 0x447FA8: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x448468: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x414477: v8::Script::Run() (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x402F73: ExecuteString(v8::Handle<v8::String>, v8::Handle<v8::Value>, bool, bool) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==  Address 0xffffffff96781a20 is not stack'd, malloc'd or (recently) free'd
==26391== 
==26391== 
==26391== Process terminating with default action of signal 11 (SIGSEGV)
==26391==  Access not within mapped region at address 0xFFFFFFFF96781A20

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-Medium OS-All Mstone-13 WebKit-JavaScript
Owner: ager@chromium.org
Status: Assigned
Mads, can you please help to triage.
Cc: erik.co...@gmail.com sgjesse@chromium.org
(Add Erik "fixing machine" Corry and Soren to cc: as well)
Cc: ricow@chromium.org
Owner: vegorov@chromium.org
I am sending this on to Vyacheslav because I am on my way out of the door for a vacation.
Happy vacation :)
Labels: -SecSeverity-Medium SecSeverity-High

Comment 6 by ricow@chromium.org, Jul 10 2011

Cc: kmillikin@chromium.org
Kevin, could this be related to r8496?

Comment 7 by ricow@chromium.org, Jul 10 2011

Never mind, I did a revert of 8496 and the failure is still there.
A bisect shows r8224 as the revision introducing this, but given the log text, I'm not sure that's accurate.
@inferno: is this marked Mstone-13 because the test case also crashes M13?

Comment 10 by ricow@chromium.org, Jul 11 2011

decoder: r8224 actually makes good sense, since this is only crashing with try-catch.
Owner: kmillikin@chromium.org
I'll take a look.
Status: Fixed
This was previously reported as http://code.google.com/p/v8/issues/detail?id=1528.

Bug was introduced in http://code.google.com/p/v8/source/detail?r=8224, fixed in http://code.google.com/p/v8/source/detail?r=8523.  It affects V8 trunk versions in the range 3.4.4 to 3.4.8, inclusive.
Status: Assigned
I spoke too soon, this bug is still present in v8 bleeding_edge.  I'm working on a fix.
Status: Fixed
I did speak too soon.  Though it has a very similar reproduction, this is a different issue than http://code.google.com/p/v8/issues/detail?id=1528.

This bug has nothing essential to do with try/catch.  The assertion can also be triggered by:

Object.prototype.__defineSetter__('x', function (x) {});
this.__proto__ = { x: 42 };
with ({}) { eval('const x = 7'); }

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
Kevin has pushed the fix to m13 and m12 branches.
Labels: reward-topanel
Labels: -reward-topanel reward-1000 reward-unpaid
@decoder.oh: thanks for your continued help in catching these very interesting corner-case v8 issues! It's a fairly easy panel decision to offer you a $1000 Chromium Security Reward for your help.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-2802
Labels: -reward-unpaid
Labels: SecImpacts-Stable
Batch update.

Comment 22 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 23 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 24 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-13 -WebKit-JavaScript -SecImpacts-Stable Cr-Content Security-Impact-Stable Cr-Content-JavaScript Security-Severity-High M-13 Type-Bug-Security

Comment 25 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 26 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 28 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 30 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 31 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic