
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




[LangFuzz] Crash at Runtime_QuoteJSONString with invalid write

Reported by decoder...@gmail.com, Jul 31 2011

Issue description

VULNERABILITY DETAILS
The JavaScript code attached crashes Chromium 15.0.838.0 at function "Runtime_QuoteJSONString" with an invalid write. This test is very fragile; even adding comments(!) to the JS code changes the address of the write and maybe even the crash function. I attached only a semi-minimized testcase due to this instability, and even this code crashes differently in the shell and Chromium. In my shell I get this:

==3901== Process terminating with default action of signal 11 (SIGSEGV)
==3901==  Access not within mapped region at address 0xB012C20
==3901==    at 0x80B090D: v8::internal::SetElement(v8::internal::Handle<v8::internal::JSObject>, unsigned int, v8::internal::Handle<v8::internal::Object>, v8::internal::StrictModeFlag) (in /scratch/holler/LangFuzz/v8_bleeding_edge/shell)

while in the browser, it crashes differently (see below). This was tested on 32 bit.

VERSION
Chrome Version: 15.0.838.0 (Developer Build 94616 Linux) dev
Operating System: Ubuntu 11.04, tested on 32 bit

REPRODUCTION CASE
See attachment, too large to inline here.


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:

Program received signal SIGSEGV, Segmentation fault.
length (args=..., isolate=0x3581000) at v8/src/objects-inl.h:2102
2102    v8/src/objects-inl.h: No such file or directory.
        in v8/src/objects-inl.h
(gdb) bt
#0  length (args=..., isolate=0x3581000) at v8/src/objects-inl.h:2102
#1  IsFlat (args=..., isolate=0x3581000) at v8/src/objects-inl.h:2183
#2  v8::internal::Runtime_QuoteJSONString (args=..., isolate=0x3581000)
    at v8/src/runtime.cc:5339
#3  0x422360b6 in ?? ()
#4  0x5e5b0185 in ?? ()
#5  0x5e5af82e in ?? ()
#6  0x42237481 in ?? ()
#7  0x42252d43 in ?? ()
#8  0x422531da in ?? ()
#9  0x42253c6c in ?? ()
#10 0x42237481 in ?? ()
#11 0x422529f4 in ?? ()
#12 0x422494fa in ?? ()
#13 0x42239deb in ?? ()
#14 0x00f63433 in v8::internal::Invoke (construct=<value optimized out>, 
    func=..., receiver=..., argc=0, args=0x0, has_pending_exception=0xbfffd9af)
    at v8/src/execution.cc:121
#15 0x00f63b15 in v8::internal::Execution::Call (callable=..., receiver=..., 
    argc=0, args=0x0, pending_exception=0xbfffd9af) at v8/src/execution.cc:158
#16 0x00f2eff6 in v8::Script::Run (this=0x3723bdc) at v8/src/api.cc:1555
#17 0x017c7dd8 in WebCore::V8Proxy::runScript (this=0x35e6b80, script=..., 
    isInlineCode=false)

(gdb) x /4i $pc
=> 0x1063193 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+323>:      mov    0x3(%edx),%edx
   0x1063196 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+326>:      shr    %edx
   0x1063198 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+328>:      je     0x10630aa <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+90>
   0x106319e <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+334>:      mov    %esi,(%esp)

(gdb) info registers
eax            0x31     49
ecx            0x5e5b0158       1583022424
edx            0x6      6
ebx            0x347de8c        55041676
esp            0xbfffd5c0       0xbfffd5c0
ebp            0x3581000        0x3581000
esi            0x3705da61       923130465
edi            0x1      1
eip            0x1063193        0x1063193 <v8::internal::Runtime_QuoteJSONString(v8::internal::Arguments, v8::internal::Isolate*)+323>
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

Attachment: crashQuoteJSON.js (21.8 KB)
Cc: danno@chromium.org ager@chromium.org
Cc: danno@google.com

Comment 3 by danno@chromium.org, Aug 2 2011

Cc: lrn@chromium.org
Owner: lrn@chromium.org
Status: Assigned
Reproed with top of tree. Lasse has offered to take a look.

Comment 4 by lrn@chromium.org, Aug 2 2011

Owner: kmillikin@chromium.org
Status: Fixed
Yuck (and thanks for the report).  The bug is triggered by the code:

function f() {
  try {
    throw 0;
  } catch (e) {
    function g() { return e; }
  }
  g();
}

Ignore that it's not obvious what the programmer intends here.  We hoist the declaration of function g to function f's scope, but since http://code.google.com/p/v8/source/detail?r=8496 we compile g's body as if it's inside the catch.

The resulting off by one (in the length of the context chain) enables out of bounds writes (if a context is too short) and trashing the global context (by forcing a context write to overshoot by one).

Fixed in http://code.google.com/p/v8/source/detail?r=8783.
Status: Assigned
I've temporarily reverted the fix because it led to test failures.  Will reapply ASAP (tomorrow).
Labels: SecSeverity-High Mstone-14 ReleaseBlock-Beta
Definitely a High severity based on description :)
Labels: Merge-Approved
Labels: reward-topanel
Status: Fixed
I've reapplied the fix to bleeding edge in http://code.google.com/p/v8/source/detail?r=8797.  I've merged it to the 3.4 branch (it does not affect 3.3 and earlier).

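The pattern Lasse describes, as an added regression-style check that is not part of the V8 fix or the report's attached testcase. Each variant is the trigger as plain source text compiled with Function() in both sloppy mode (the mode of the report) and strict mode, so the same check also shows the caveat that strict code does not hoist block-level function declarations; the variant names and the thrown values are constructed for this example.

```javascript
// Added example, not code from the V8 fix or the report's attachment.
// Each variant is the trigger pattern from comment 4 as source text; compile()
// builds it with Function() so it runs as sloppy code regardless of whether
// this file itself is a module, and optionally prefixes "use strict".
const VARIANTS = {
  // The report's trigger: g is hoisted to function scope yet closes over `e`.
  readCatchParam: `
    try { throw thrown; } catch (e) { function g() { return e; } }
    return g();`,
  // g also writes a context-allocated local of the enclosing function, the
  // "context write overshoots by one" case a chain-length bug would corrupt.
  writeEnclosingLocal: `
    var local = 'before';
    var keep = function () { return local; };  // forces local into the context
    try { throw thrown; } catch (e) { function g() { local = e + ':' + local; } }
    g();
    return keep();`,
  // Two nested catch contexts: g must resolve both `outer` and `e` correctly.
  nestedCatches: `
    try { throw 'outer'; } catch (outer) {
      try { throw thrown; } catch (e) { function g() { return outer + ',' + e; } }
    }
    return g();`,
};

function compile(name, strict) {
  const prefix = strict ? '"use strict";\n' : '';
  return new Function('thrown', prefix + VARIANTS[name]);
}

// Runs one variant with the given thrown value; a thrown error is reported
// by its constructor name so the strict-mode behaviour can be asserted on.
function run(name, thrown, strict) {
  try {
    return compile(name, strict)(thrown);
  } catch (err) {
    return err.constructor.name;
  }
}

// Sloppy mode must yield the closed-over values; strict mode must throw
// ReferenceError because block-level function declarations are not hoisted.
function runAll(thrown) {
  const results = {};
  for (const name of Object.keys(VARIANTS)) {
    results[name] = { sloppy: run(name, thrown, false), strict: run(name, thrown, true) };
  }
  return results;
}
```

A miscompiled closure of the kind described in comment 4 would show up here as a wrong value or a crash in the sloppy-mode runs rather than as a silent pass.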
Comment 11 by k...@google.com, Aug 3 2011

Labels: -Merge-Approved Merge-Merged
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
Labels: -reward-topanel reward-500 reward-unpaid
@decoder.oh: Thanks, good regression catch. Repro is kind of ugly, but definitely good for a $500 reward.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-2852
Labels: -reward-unpaid
Payment in system.
Labels: SecImpacts-Stable
Batch update.

Comment 17 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member

Comment 18 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 19 by laforge@google.com, Jan 18 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -SecSeverity-High -Mstone-14 -SecImpacts-Stable Type-Bug-Security Security-Severity-High Security-Impact-Stable M-14
Project Member

Comment 21 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined
Project Member

Comment 22 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
Project Member

Comment 30 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1
