New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Oct 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment
link

Issue 99167: [LangFuzz] Crash on Heap involving GC (invalid write)

Reported by decoder...@gmail.com, Oct 5 2011

Issue description

VULNERABILITY DETAILS
The HTML file attached (containing two JavaScripts) crashes Chrome 16 and V8 shell (d8 with the two scripts on command line) on heap with an invalid write.

NOTE: The test uses gc(), so you need --js-flags="-expose-gc" for the browser, respectively --expose-gc for d8. I did not test Chromium 15 because my builds of Chromium don't have the --js-flags option for some reason.

VERSION
Chrome Version: 16.0.899.0 dev
Operating System: Ubuntu 11.04, tested on 64 bit

REPRODUCTION CASE
See attached HTML file.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:

GDB Information from Chrome 16:

Program received signal SIGSEGV, Segmentation fault.
[ Backtrace omitted, all heap, no symbols ]
(gdb) x /4i $pc
=> 0x2c8f63076246:      mov    %r10,0x8(%r9)
   0x2c8f6307624a:      mov    %rax,%rbx
   0x2c8f6307624d:      mov    %rdx,%rax
   0x2c8f63076250:      or     $0x1,%rax
(gdb) info registers r9 r10
r9             0x1a38b80ffff8   28830908547064
r10            0x300000000      12884901888


Valgrind trace from V8 shell:

==8324== Invalid write of size 4
==8324==    at 0x3164C852: ???
==8324==    by 0x3164C3D0: ???
==8324==    by 0x210FEE19: ???
==8324==    by 0x210FE0A5: ???
==8324==    by 0x80AA347: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==8324==  Address 0x5e080000 is not stack'd, malloc'd or (recently) free'd
==8324== 
==8324== 
==8324== Process terminating with default action of signal 11 (SIGSEGV)
 
testCrashHeapGC.html
448 bytes View Download

Comment 1 by scarybea...@gmail.com, Oct 5 2011

Cc: kmillikin@chromium.org erikcorry@google.com
Owner: danno@chromium.org
Danno, possibly related to the new gc landing? Or not, as appropriate :)

Comment 2 by danno@chromium.org, Oct 5 2011

Owner: kmillikin@chromium.org
Status: Assigned
GC hasn't landed yet, but that doesn't make this any less of a bug. Assigning to Kevin because it might actually not be a gc problem, and to make sure it gets attention but to Erik and Slava focus on any new GC issues that might pop up.

Comment 3 by infe...@chromium.org, Oct 5 2011

Cc: -kmillikin@chromium.org danno@chromium.org ager@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals WebKit-JavaScript SecSeverity-High OS-All Mstone-15

Comment 4 by kmillikin@chromium.org, Oct 5 2011

I know what this is, and it is a GC-related bug.  It is a longstanding issue that is present in both the old and new collectors.

I'll have a fix for it tomorrow.

Comment 5 by kmillikin@chromium.org, Oct 5 2011

Cc: vegorov@chromium.org
Looping in Slava.

Comment 6 by infe...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable

Comment 7 by kmillikin@chromium.org, Oct 5 2011

Proposed fix: http://codereview.chromium.org/8139037/

I want to get a standalone test case, and I don't understand enough about the inobject slack tracking to understand why it doesn't work.  I think I can put something together with eval tomorrow.

Severity: object's internal properties are shuffled and improperly initialized (but initialized to valid V8 values).  This gives wrong results.

The bug also writes past the new space allocation pointer, which is benign if the allocation pointer is not at the top of the space, but will try to write to the top of the next page if the allocation pointer is at the top of the space.

Comment 8 by kmillikin@chromium.org, Oct 10 2011

Status: Fixed
This is fixed in http://code.google.com/p/v8/source/detail?r=9540 with a regression test committed in http://code.google.com/p/v8/source/detail?r=9562.

The fix has been pushed to the V8 3.5 branch (Chrome 15) and the V8 3.4 branch (Chrome 14).  Chrome 13 and earlier are unaffected.

Comment 9 by jsc...@chromium.org, Oct 10 2011

Labels: SecImpacts-Beta
Status: FixUnreleased

Comment 10 by scarybea...@gmail.com, Oct 10 2011

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify reward-topanel

Comment 11 by scarybea...@gmail.com, Oct 19 2011

Labels: -reward-topanel reward-1000 reward-unpaid
@decoder.oh: nice. Looks like you helped the v8 team take care of a long standing stability / security issue :)
$1000

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----

Comment 12 by scarybea...@gmail.com, Oct 19 2011

Labels: CVE-2011-3886

Comment 13 by timurrrr@chromium.org, Oct 25 2011

Labels: Stability-Valgrind

Comment 14 by scarybea...@gmail.com, Oct 28 2011

Labels: -reward-unpaid
Payment in system, can take up to a couple of weeks.

Comment 15 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed..

Comment 16 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 17 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-Internals -WebKit-JavaScript -SecSeverity-High -Mstone-15 -SecImpacts-Stable -SecImpacts-Beta -Stability-Valgrind Cr-Content-JavaScript M-15 Security-Impact-Beta Cr-Internals Security-Severity-High Security-Impact-Stable Performance-Valgrind Type-Bug-Security

Comment 18 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 19 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 20 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 24 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Valgrind Stability-Valgrind

Comment 25 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: Cr-Blink

Comment 26 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 31 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment