
Issue metadata

Status: Fixed
Closed: Oct 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

[LangFuzz] Crash at v8::Object::SlowGetPointerFromInternalField with invalid read

Reported by, Oct 1 2011

Issue description

The JavaScript code below crashes Chromium 15/Chrome 16 at function "v8::Object::SlowGetPointerFromInternalField" and V8 shell (d8) at function "JSObject::PrepareElementsForSort", both with an invalid read.

The shell address is 0x4e454d44 which looks particularly dangerous (ASCII, most likely in some data). The address in Chromium 15 is 0x10000a313000005.

Note that you might need to refresh the testcase once or twice for the sad tab to show up.

Chrome Version: 15.0.865.0 (Developer Build 98568 Linux) beta
Chrome Version: 16.0.891.0 dev
Operating System: Ubuntu 11.04, tested on 64 bit

var nonArray = { length: 0xb , 0: 42, 2: 37, "\xda" : undefined, 4: 0 }; Int16Array(345), this);

Type of crash: tab
Crash State:

GDB Trace from Chromium 15:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5773c60 in v8::Object::SlowGetPointerFromInternalField(int) ()
(gdb) bt
#0  0x00007ffff5773c60 in v8::Object::SlowGetPointerFromInternalField(int) ()
#1  0x00007ffff62ac8a6 in WebCore::IntrusiveDOMWrapperMap::removeIfPresent(WebCore::Node*, v8::Persistent<v8::Object>) ()
#2  0x00007ffff62a80ea in WebCore::DOMDataStore::weakNodeCallback(v8::Persistent<v8::Value>, void*) ()
#3  0x00007ffff57ca252 in v8::internal::GlobalHandles::PostGarbageCollectionProcessing(v8::internal::GarbageCollector) ()
#4  0x00007ffff57e7f9f in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*) ()
#5  0x00007ffff57e8659 in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollector) ()
#6  0x00007ffff57e8c21 in v8::internal::Heap::IdleNotification() ()
#7  0x00007ffff5ef59e6 in WebCore::ThreadTimers::sharedTimerFiredInternal() ()
#8  0x00007ffff53f7efe in base::subtle::TaskClosureAdapter::Run() ()
#9  0x00007ffff53d3b83 in MessageLoop::RunTask(MessageLoop::PendingTask const&) ()
#10 0x00007ffff53d40e8 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) ()
#11 0x00007ffff53d449f in MessageLoop::DoDelayedWork(base::TimeTicks*) ()
#12 0x00007ffff53d8f8e in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ()
#13 0x00007ffff53d254c in MessageLoop::Run() ()
#14 0x00007ffff6a118a7 in RendererMain(MainFunctionParams const&) ()
#15 0x00007ffff4c59d39 in ChromeMain ()
#16 0x00007ffff4c5a781 in main ()
(gdb) x /4i $pc
=> 0x7ffff5773c60 <_ZN2v86Object31SlowGetPointerFromInternalFieldEi+96>:       mov    -0x1(%rax),%rdx
   0x7ffff5773c64 <_ZN2v86Object31SlowGetPointerFromInternalFieldEi+100>:      cmpb   $0x85,0xb(%rdx)
   0x7ffff5773c68 <_ZN2v86Object31SlowGetPointerFromInternalFieldEi+104>:      jne    0x7ffff5773c5c <_ZN2v86Object31SlowGetPointerFromInternalFieldEi+92>
   0x7ffff5773c6a <_ZN2v86Object31SlowGetPointerFromInternalFieldEi+106>:      mov    0x7(%rax),%rax
(gdb) info register rax rdx
rax            0x10000a313000005        72058294436364293
rdx            0x1      1

Valgrind trace from V8 shell:

==19885== Invalid read of size 4
==19885==    at 0x820B878: v8::internal::JSObject::PrepareElementsForSort(unsigned int) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19885==  Address 0x4e454d44 is not stack'd, malloc'd or (recently) free'd
==19885== Process terminating with default action of signal 11 (SIGSEGV)

Notify me if you need a Chrome 16 trace. I chose Chromium 15 because my system should have debug symbols for that. By the way, there is no Chromium 16 build for Ubuntu available, it seems :( I downloaded the Chrome build from Google directly instead.
Labels: Mstone-15
cc:ing team v8 :D
As always, we'd love an analysis on the root cause, so we can assign severity / reward appropriately.

Comment 2 by, Oct 3 2011

Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals SecSeverity-High OS-All

Comment 3 by, Oct 4 2011

Status: Assigned
Status: Fixed
Fixed in v8 bleeding edge and also merged back to the 3.4 and 3.5 branches as version and respectively.

The function PrepareElementsForSort() mistreated an array containing external elements as one containing fast elements and hence accessed memory areas behind the array object. We had an assertion in place covering that assumption, but those are disabled in release builds. Carefully choosing the array length and the objects behind the array would have allowed arbitrary overwriting of heap objects in those areas.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Merged merge-merged-874 SecImpacts-Stable SecImpacts-Beta
Status: FixUnreleased
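
An added C model (not V8's code and not from this issue) of the failure mode comment 3 describes and of its hardened form: a sweep that treats every backing store as fast elements, with no kind check surviving into release builds, beside a version that checks the elements kind and the bound on every build. The type and function names, the pointer-tagging scheme and the sample data are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not V8 code: an object whose elements live in a backing
 * store tagged with an elements kind. All names here are assumptions. */
typedef enum { FAST_ELEMENTS, EXTERNAL_SHORT_ELEMENTS } ElementsKind;
typedef struct {
    ElementsKind kind;
    const void *backing;   /* FAST: tagged uintptr_t slots; EXTERNAL: raw int16_t */
    size_t backing_bytes;  /* size the backing store was really allocated with */
} JSObjectModel;
#define THE_HOLE ((uintptr_t)0x0F)  /* tagged sentinel for an array hole */
#define IS_HEAP_OBJECT(v) ((((v) & 1) != 0) && ((v) != THE_HOLE))

/* Bytes past the backing store that a fast-elements sweep of `limit` slots
 * would read; 0 when the sweep stays in bounds. */
size_t overread_bytes(const JSObjectModel *obj, uint32_t limit) {
    size_t needed = (size_t)limit * sizeof(uintptr_t);
    return needed > obj->backing_bytes ? needed - obj->backing_bytes : 0;
}

/* Sort preparation as the bug left it: the kind is never checked (the real
 * guard was an assert, which release builds drop), so the backing store's
 * bytes are read as tagged slots whatever they hold. Returns how many slots
 * would be dereferenced as heap-object pointers, or -1 when the sweep would
 * leave the backing store (the model's stand-in for the invalid read). */
int prepare_for_sort_unchecked(const JSObjectModel *obj, uint32_t limit) {
    if (overread_bytes(obj, limit) != 0) return -1;
    const uintptr_t *slots = (const uintptr_t *)obj->backing;
    int derefs = 0;
    for (uint32_t i = 0; i < limit; i++) derefs += IS_HEAP_OBJECT(slots[i]);
    return derefs;
}

/* Hardened form: kind and bound are checked in every build; -2 tells the
 * caller to take the external-elements path instead. */
int prepare_for_sort_checked(const JSObjectModel *obj, uint32_t limit) {
    if (obj->kind != FAST_ELEMENTS) return -2;
    if ((size_t)limit * sizeof(uintptr_t) > obj->backing_bytes) return -2;
    return prepare_for_sort_unchecked(obj, limit);
}

/* Constructed samples (64-bit little-endian assumed). short_data stands in
 * for a typed array: its first values spell "NE","MD", so a tagged-slot
 * read sees script-chosen bytes as a pointer; ext_short is the same data
 * with a backing store too small for an 11-slot sweep. */
static const uintptr_t fast_slots[3] = { 42u << 1, THE_HOLE, (uintptr_t)0x1001 };
static const union { int16_t s[44]; uintptr_t align; } short_data = { { 0x4e45, 0x4d44 } };
static const JSObjectModel fast_obj = { FAST_ELEMENTS, fast_slots, sizeof fast_slots };
static const JSObjectModel ext_obj = { EXTERNAL_SHORT_ELEMENTS, short_data.s, sizeof short_data.s };
static const JSObjectModel ext_short = { EXTERNAL_SHORT_ELEMENTS, short_data.s, 4 * sizeof(int16_t) };
```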

Comment 6 by, Oct 12 2011

Labels: reward-topanel
Labels: -reward-topanel reward-1000 reward-unpaid
@decoder.oh: thanks for continuing to help us with v8 robustness! $1000

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Labels: CVE-2011-3886
Labels: Stability-Valgrind
Labels: -reward-unpaid
Payment in system, can take up to a couple of weeks.

Comment 11 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member

Comment 12 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 13 by, Mar 10 2013

Labels: -Type-Security -Area-Internals -Mstone-15 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Stability-Valgrind Security-Impact-Beta Cr-Internals Security-Severity-High Security-Impact-Stable Performance-Valgrind M-15 Type-Bug-Security
Project Member

Comment 14 by, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 15 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 17 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 18 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 19 by, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 20 by, Apr 1 2013

Labels: -Performance-Valgrind Stability-Valgrind
Project Member

Comment 21 by, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 22 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 23 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
