Issue 95920 [LangFuzz] Crash at v8::internal::ElementsAccessorBase with invalid read
Reported by decoder...@gmail.com, Sep 8 2011
Status: Fixed
Closed: Sep 2011
Pri: 0
Type: Bug-Security
VULNERABILITY DETAILS
The one-line JavaScript testcase below crashes in Chrome 15 and V8 shells, tested on 64 bit. Note that the testcase only works in Chrome or D8, not in shell, because it requires typed arrays.

In addition to the gdb information from the browser, I took a valgrind trace from the d8 shell:

==3451== Invalid read of size 1
==3451==    at 0x45C277: v8::internal::ElementsAccessorBase<v8::internal::ExternalByteElementsAccessor, v8::internal::ExternalByteArray>::Get(v8::internal::FixedArrayBase*, unsigned int, v8::internal::JSObject*, v8::internal::Object*) (in /scratch/holler/LangFuzz/v8_bleeding_edge-64/d8)
==3451==    by 0x52EA80: v8::internal::Object::GetElementWithReceiver(v8::internal::Object*, unsigned int) (in /scratch/holler/LangFuzz/v8_bleeding_edge-64/d8)
==3451==    by 0x48B53B: v8::internal::GetElement(v8::internal::Handle<v8::internal::Object>, unsigned int) (in /scratch/holler/LangFuzz/v8_bleeding_edge-64/d8)
==3451==    by 0x58E844: v8::internal::Runtime_GetOwnProperty(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8_bleeding_edge-64/d8)
==3451==    by 0x1F7A7DD5C341: ???
==3451==    by 0x1F7A7DD6934C: ???
==3451==    by 0x1F7A7DD8FD8D: ???
==3451==    by 0x1F7A7DD8FA43: ???
==3451==    by 0x1F7A7DD5CC2D: ???
==3451==    by 0x1F7A7DD8F727: ???
==3451==    by 0x1F7A7DD5CC2D: ???
==3451==    by 0x1F7A7DD8F349: ???
==3451==  Address 0x2a00000001 is not stack'd, malloc'd or (recently) free'd

VERSION
Chrome Version: 15.0.865.0 (Developer Build 98568 Linux)
Operating System: Ubuntu 11.04 64 bit

REPRODUCTION CASE

[0].every(function(){ Object.seal((new Int8Array(42))); });

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State (GDB trace taken from renderer process):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff599696c in v8::internal::ElementsAccessorBase<v8::internal::ExternalByteElementsAccessor, v8::internal::ExternalByteArray>::Get(v8::internal::FixedArrayBase*, unsigned int, v8::internal::JSObject*, v8::internal::Object*) ()
(gdb) bt
#0  0x00007ffff599696c in v8::internal::ElementsAccessorBase<v8::internal::ExternalByteElementsAccessor, v8::internal::ExternalByteArray>::Get(v8::internal::FixedArrayBase*, unsigned int, v8::internal::JSObject*, v8::internal::Object*) ()
#1  0x00007ffff585e537 in v8::internal::Object::GetElementWithReceiver(v8::internal::Object*, unsigned int) ()
#2  0x00007ffff57cf4ef in v8::internal::GetElement(v8::internal::Handle<v8::internal::Object>, unsigned int) ()
#3  0x00007ffff58bc332 in v8::internal::Runtime_GetOwnProperty(v8::internal::Arguments, v8::internal::Isolate*) ()
#4  0x00002492a762e14e in ?? ()
#5  0x00002492a762e0c1 in ?? ()
#6  0x00007fffffffb9d0 in ?? ()
#7  0x00007fffffffba38 in ?? ()
#8  0x00002492a7655ecd in ?? ()
#9  0x000028251208c3b1 in ?? ()
#10 0x000028251208bd81 in ?? ()
[..snip.. only unresolved heap addresses here]

(gdb) x /4i $pc
=> 0x7ffff599696c <_ZN2v88internal20ElementsAccessorBaseINS0_28ExternalByteElementsAccessorENS0_17ExternalByteArrayEE3GetEPNS0_14FixedArrayBaseEjPNS0_8JSObjectEPNS0_6ObjectE+12>:     movsbl (%rax,%rdx,1),%eax
   0x7ffff5996970 <_ZN2v88internal20ElementsAccessorBaseINS0_28ExternalByteElementsAccessorENS0_17ExternalByteArrayEE3GetEPNS0_14FixedArrayBaseEjPNS0_8JSObjectEPNS0_6ObjectE+16>:     shl    $0x20,%rax
   0x7ffff5996974 <_ZN2v88internal20ElementsAccessorBaseINS0_28ExternalByteElementsAccessorENS0_17ExternalByteArrayEE3GetEPNS0_14FixedArrayBaseEjPNS0_8JSObjectEPNS0_6ObjectE+20>:     retq   
   0x7ffff5996975 <_ZN2v88internal20ElementsAccessorBaseINS0_28ExternalByteElementsAccessorENS0_17ExternalByteArrayEE3GetEPNS0_14FixedArrayBaseEjPNS0_8JSObjectEPNS0_6ObjectE+21>:     jmp    0x7ffff5996978 <_ZN2v88internal20ElementsAccessorBaseINS0_28ExternalByteElementsAccessorENS0_17ExternalByteArrayEE3GetEPNS0_14FixedArrayBaseEjPNS0_8JSObjectEPNS0_6ObjectE+24>

(gdb) info register
rax            0x2a00000000     180388626432
rbx            0x28251208bd81   44139681463681
rcx            0x28251208bd81   44139681463681
rdx            0x1      1
rsi            0x28251208d069   44139681468521
rdi            0x7ffff8478840   140737358825536
rbp            0x7ffff85410a8   0x7ffff85410a8
rsp            0x7fffffffb8a8   0x7fffffffb8a8
r8             0x28251208bd81   44139681463681
r9             0x1      1
r10            0x0      0
r11            0x1      1
r12            0x1      1
r13            0x28251208bd81   44139681463681
r14            0x7ffff8541000   140737359646720
r15            0x7ffff87a5138   140737362153784
rip            0x7ffff599696c   0x7ffff599696c <v8::internal::ElementsAccessorBase<v8::internal::ExternalByteElementsAccessor, v8::internal::ExternalByteArray>::Get(v8::internal::FixedArrayBase*, unsigned int, v8::internal::JSObject*, v8::internal::Object*)+12>

Cc: erikcorry@google.com danno@chromium.org kmillikin@chromium.org
Labels: -Area-Undefined Area-WebKit WebKit-JavaScript
Forwarding on to the v8 guys.
Comment 2 by danno@chromium.org, Sep 9 2011
Owner: danno@chromium.org
Status: Assigned
I'll take a look.
Comment 3 by danno@chromium.org, Sep 9 2011
Cc: ricow@chromium.org
Comment 4 by danno@chromium.org, Sep 12 2011
Status: Fixed
This bug allowed an external elements array to be interpreted as a number dictionary due to missing checks that prevented external elements arrays from getting normalized. I didn't spend a lot of time figuring out how it could be exploited, but it's a pretty egregious breakage of the type system, allowing arbitrary user-defined ints to be interpreted as object pointers.

Fixed in v8:r9213 and merged into 3.3.10.37, 3.4.14.21 and 3.5.10.7 (M13-M15).
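A regression-style check for the repro above, added here as an example and not taken from the issue or from V8's own test suite: it seals an Int8Array the way the one-liner does and then reads every element back both by index and through Object.getOwnPropertyDescriptor, which is the Runtime_GetOwnProperty path in the crash trace. It also accepts the behaviour of current engines, where sealing a typed array that has elements throws a TypeError instead.

```javascript
'use strict';

// Returns { sealed, ok }: sealed = whether Object.seal() went through,
// ok = whether every element is still read back as the byte that was stored.
function checkSealedTypedArray(length) {
  const ta = new Int8Array(length);
  for (let i = 0; i < length; i++) ta[i] = (i * 7) & 0x7f;  // constructed test data
  const expected = Array.from(ta);

  let sealed;
  try {
    Object.seal(ta);  // the call from the one-line repro
    sealed = true;
  } catch (e) {
    // Engines following ES2021+ reject sealing a typed array with elements
    // (indexed elements are configurable there); that outcome is acceptable.
    if (!(e instanceof TypeError)) throw e;
    sealed = false;
  }

  // Either way, the external byte store must still be read as bytes and never
  // reinterpreted as a number dictionary: check the indexed read and the
  // own-property-descriptor path (Runtime_GetOwnProperty in the trace).
  for (let i = 0; i < length; i++) {
    if (ta[i] !== expected[i]) return { sealed, ok: false };
    const d = Object.getOwnPropertyDescriptor(ta, i);
    if (d === undefined || d.value !== expected[i]) return { sealed, ok: false };
  }
  // A successful seal must also be observable as such.
  if (sealed && !Object.isSealed(ta)) return { sealed, ok: false };
  if (!sealed && !Object.isExtensible(ta) === false && length === 0) {
    return { sealed, ok: false };  // unreachable guard, kept for clarity
  }
  return { sealed, ok: true };
}

// Same shape as the repro: run the seal inside an Array.prototype.every callback.
function checkInsideEveryCallback(length) {
  return [0].every(function () { return checkSealedTypedArray(length).ok; });
}
```

On an engine with the fix in place, both helpers report ok for the 42-element array from the repro as well as for an empty one.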
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-14 reward-topanel SecSeverity-High Merge-Approved
Status: FixUnreleased
Thanks Danno!

(Note to self: marking Merge-Approved until I work out if this made the M14 final build)
Labels: -Merge-Approved Merge-Merged
Ah, this made it into 14.0.835.163
Cool.

Labels: -reward-topanel reward-1000 reward-unpaid CVE-2011-2875
@decoder.oh: really nice bug, thanks for the 1-liner repro! Seems obviously good for a $1000 Chromium Security Reward.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -reward-unpaid
Payment in system.
No payment has been issued for this, please check your data. Thanks.
See comment #8, "Payment in system.", dated Sep 23rd. That's only a week old; the latency on payment (inter-bank wires etc.) can be a lot higher.
Sorry, what I meant was I didn't even receive the system email that I usually get. But if it's in the system, then just ignore this (and the ones from my email if that's the same issue) :). Thanks for looking into this.
Labels: SecImpacts-Stable
Batch update.
Comment 13 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Cc: holi...@gmail.com
Project Member Comment 15 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -Mstone-14 -SecSeverity-High -SecImpacts-Stable Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Severity-High Type-Bug-Security M-14
Labels: -Restrict-View-SecurityNotify
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 19 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 20 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic