
Issue metadata

Status: Fixed
Last visit > 30 days ago
Closed: Aug 2011
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security


Issue 91120: [LangFuzz] Crash at Runtime_QuoteJSONString with invalid write

Reported by, Jul 31 2011

Issue description

The JavaScript code attached crashes Chromium 15.0.838.0 at function "Runtime_QuoteJSONString" with an invalid write. This test is very fragile: even adding comments(!) to the JS code changes the address of the write and maybe even the crash function. I attached only a semi-minimized testcase due to this instability, and even this code crashes differently in the shell and Chromium. In my shell I get this:

==3901== Process terminating with default action of signal 11 (SIGSEGV)
==3901==  Access not within mapped region at address 0xB012C20
==3901==    at 0x80B090D: v8::internal::SetElement(v8::internal::Handle<v8::internal::JSObject>, unsigned int, v8::internal::Handle<v8::internal::Object>, v8::internal::StrictModeFlag) (in /scratch/holler/LangFuzz/v8_bleeding_edge/shell)

while in the browser, it crashes differently (see below). This was tested on 32 bit.

Chrome Version: 15.0.838.0 (Developer Build 94616 Linux) dev
Operating System: Ubuntu 11.04, tested on 32 bit

See attachment, too large to inline here.

Type of crash: tab
Crash State:

Program received signal SIGSEGV, Segmentation fault.
length (args=..., isolate=0x3581000) at v8/src/objects-inl.h:2102
2102    v8/src/objects-inl.h: No such file or directory.
        in v8/src/objects-inl.h
(gdb) bt
#0  length (args=..., isolate=0x3581000) at v8/src/objects-inl.h:2102
#1  IsFlat (args=..., isolate=0x3581000) at v8/src/objects-inl.h:2183
#2  v8::internal::Runtime_QuoteJSONString (args=..., isolate=0x3581000)
    at v8/src/
#3  0x422360b6 in ?? ()
#4  0x5e5b0185 in ?? ()
#5  0x5e5af82e in ?? ()
#6  0x42237481 in ?? ()
#7  0x42252d43 in ?? ()
#8  0x422531da in ?? ()
#9  0x42253c6c in ?? ()
#10 0x42237481 in ?? ()
#11 0x422529f4 in ?? ()
#12 0x422494fa in ?? ()
#13 0x42239deb in ?? ()
#14 0x00f63433 in v8::internal::Invoke (construct=<value optimized out>, 
    func=..., receiver=..., argc=0, args=0x0, has_pending_exception=0xbfffd9af)
    at v8/src/
#15 0x00f63b15 in v8::internal::Execution::Call (callable=..., receiver=..., 
    argc=0, args=0x0, pending_exception=0xbfffd9af) at v8/src/
#16 0x00f2eff6 in v8::Script::Run (this=0x3723bdc) at v8/src/
#17 0x017c7dd8 in WebCore::V8Proxy::runScript (this=0x35e6b80, script=..., 

(gdb) x /4i $pc
=> 0x1063193 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+323>:      mov    0x3(%edx),%edx
   0x1063196 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+326>:      shr    %edx
   0x1063198 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+328>:
    je     0x10630aa <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+90>
   0x106319e <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+334>:      mov    %esi,(%esp)

(gdb) info registers
eax            0x31     49
ecx            0x5e5b0158       1583022424
edx            0x6      6
ebx            0x347de8c        55041676
esp            0xbfffd5c0       0xbfffd5c0
ebp            0x3581000        0x3581000
esi            0x3705da61       923130465
edi            0x1      1
eip            0x1063193        0x1063193 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+323>
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

Comment 1 by, Aug 1 2011


Comment 2 by, Aug 2 2011


Comment 3 by, Aug 2 2011

Status: Assigned
Reproed with top of tree. Lasse has offered to take a look.

Comment 4 by, Aug 2 2011


Comment 5 by, Aug 2 2011

Status: Fixed
Yuck (and thanks for the report).  The bug is triggered by the code:

function f() {
  try {
    throw 0;
  } catch (e) {
    function g() { return e; }
  }
}

Ignore that it's not obvious what the programmer intends here.  We hoist the declaration of function g to function f's scope, but we compile g's body as if it's inside the catch.

The resulting off by one (in the length of the context chain) enables out of bounds writes (if a context is too short) and trashing the global context (by forcing a context write to overshoot by one).

Fixed in
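
A regression-style check for the pattern described in this comment, added here as an example rather than taken from the issue or from V8's own test suite; the function names are mine, and the handle assigned inside each catch block is there so the cases run the same way in strict and sloppy mode:

```javascript
// Added example, not part of the issue: exercise a function declaration that
// sits inside a catch block and closes over the catch variable. The bug in the
// comment above came from hoisting such a declaration to the enclosing
// function's scope while compiling its body as if it were inside the catch.
// Each case returns a value so the behaviour can be asserted on.

// Case 1: the shape quoted in the comment. In sloppy mode g is also reachable
// after the block (that is the hoisting the comment describes); the handle
// keeps the check valid in strict mode too.
function catchVarViaHoistedFunction() {
  var handle;
  try {
    throw 0;
  } catch (e) {
    function g() { return e; }
    handle = g;
  }
  return handle();            // expected 0: the caught value, not undefined
}

// Case 2: an outer variable with the same name as the catch parameter must
// not be what g sees, and the outer binding must be intact afterwards.
function catchVarShadowsOuter() {
  var e = "outer", handle;
  try {
    throw "caught";
  } catch (e) {
    function g() { return e; }
    handle = g;
  }
  return handle() + "/" + e;  // expected "caught/outer"
}

// Case 3: nested catch blocks, one declaration per level, so the chain of
// catch scopes (the context chain the comment mentions) is resolved per level.
// The result goes through JSON.stringify, the runtime area where the report's
// crash surfaced.
function nestedCatchContexts() {
  var handles = {};
  try {
    throw 1;
  } catch (a) {
    try {
      throw 2;
    } catch (b) {
      function inner() { return [a, b]; }
      handles.inner = inner;
    }
    function outer() { return [a, typeof b]; }  // b is out of scope here
    handles.outer = outer;
  }
  return JSON.stringify([handles.inner(), handles.outer()]);
}
```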

Comment 6 by, Aug 2 2011

Status: Assigned
I've temporarily reverted the fix because it led to test failures.  Will reapply ASAP (tomorrow).

Comment 7 by, Aug 2 2011

Labels: SecSeverity-High Mstone-14 ReleaseBlock-Beta
Definitely a High severity based on description :)

Comment 8 by, Aug 2 2011

Labels: Merge-Approved

Comment 9 by, Aug 2 2011

Labels: reward-topanel

Comment 10 by, Aug 3 2011

Status: Fixed
I've reapplied the fix to bleeding edge in  I've merged it to the 3.4 branch (it does not affect 3.3 and earlier).

Comment 11 by, Aug 3 2011

Labels: -Merge-Approved Merge-Merged

Comment 12 by, Aug 3 2011

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased

Comment 13 by, Aug 24 2011

Labels: -reward-topanel reward-500 reward-unpaid
@decoder.oh: Thanks, good regression catch. Repro is kind of ugly, but definitely good for a $500 reward.

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.

Comment 14 by, Sep 9 2011

Labels: CVE-2011-2852

Comment 15 by, Sep 23 2011

Labels: -reward-unpaid
Payment in system.

Comment 16 by, Oct 5 2011

Labels: SecImpacts-Stable
Batch update.

Comment 17 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 18 by, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 19 by, Jan 18 2013

Labels: Restrict-View-EditIssue

Comment 20 by, Mar 10 2013

Project Member
Labels: -Type-Security -SecSeverity-High -Mstone-14 -SecImpacts-Stable Type-Bug-Security Security-Severity-High Security-Impact-Stable M-14

Comment 21 by, Mar 11 2013

Project Member
Labels: -Area-Undefined

Comment 22 by, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 23 by, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 24 by, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 25 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 26 by, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 27 by, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 28 by, Oct 2 2016

Labels: allpublic

Comment 29 by, Apr 26 2018

Labels: CVE_description-submitted

Comment 30 by, Jul 29 2018

Project Member
Labels: -Pri-0 Pri-1
