Issue 88591: [LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell
Reported by decoder...@googlemail.com, Jul 6, 2011
VULNERABILITY DETAILS

The following code crashes an optimized v8 shell (version as in Chrome 14.0.813.0 which is v8-trunk r8431) or asserts in a debug shell. The same code does not crash in Chromium, I suspect it could be that the memory layout is different there and the specific test case therefore fails on Chromium. Please check if this really does not affect Chromium as well.

Debug builds abort with:

#
# Fatal error in src/objects.cc, line 1797
# CHECK(!value->IsTheHole()) failed
#

VERSION
V8 Version: http://v8.googlecode.com/svn/trunk@8431 (as in Chrome Version 14.0.813.0).
Operating System: Ubuntu Linux 11.04

REPRODUCTION CASE

(function () {
  function classOf(object) { typeof(value); };
})();
function F() {}
Object.prototype.__defineSetter__('x', function(value) { result_x = value; });
this.__proto__ = { x: 42 };
try {
  fail;
} catch (e) {
  eval('const x = 7');
}


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Shell
Crash Trace:

==26391== Use of uninitialised value of size 8
==26391==    at 0x4E3490: v8::internal::JSObject::GetNormalizedProperty(v8::internal::LookupResult*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x5502A2: v8::internal::Runtime_InitializeConstContextSlot(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x9F48341: ???
==26391==    by 0x9F6C0DD: ???
==26391==    by 0x9F48C2D: ???
==26391==    by 0x9F6B08E: ???
==26391==    by 0x9F493E6: ???
==26391==    by 0x9F48127: ???
==26391==    by 0x447FA8: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x448468: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x414477: v8::Script::Run() (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x402F73: ExecuteString(v8::Handle<v8::String>, v8::Handle<v8::Value>, bool, bool) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391== 
==26391== Invalid read of size 8
==26391==    at 0x4E3490: v8::internal::JSObject::GetNormalizedProperty(v8::internal::LookupResult*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x5502A2: v8::internal::Runtime_InitializeConstContextSlot(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x9F48341: ???
==26391==    by 0x9F6C0DD: ???
==26391==    by 0x9F48C2D: ???
==26391==    by 0x9F6B08E: ???
==26391==    by 0x9F493E6: ???
==26391==    by 0x9F48127: ???
==26391==    by 0x447FA8: v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x448468: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x414477: v8::Script::Run() (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x402F73: ExecuteString(v8::Handle<v8::String>, v8::Handle<v8::Value>, bool, bool) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==  Address 0xffffffff96781a20 is not stack'd, malloc'd or (recently) free'd
==26391== 
==26391== 
==26391== Process terminating with default action of signal 11 (SIGSEGV)
==26391==  Access not within mapped region at address 0xFFFFFFFF96781A20
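
The valgrind trace above is the kind of output a fuzzing pipeline has to triage before anyone looks at it. The following Python script is an added example, not code from this report or from V8: it parses memcheck-style text into error records, buckets each error by its family and innermost symbolized frame (the "???" frames are JIT-generated code that valgrind cannot name, so bucketing must skip past them), and pulls out the terminating signal and any fault address valgrind reports as outside every known allocation. The embedded SAMPLE_LOG is a constructed, trimmed copy of the trace above; the function names parse_valgrind, bucket_key and summarize are my own.

```python
"""Parse valgrind memcheck text output and bucket errors for crash triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the valgrind trace from this report.
SAMPLE_LOG = """\
==26391== Use of uninitialised value of size 8
==26391==    at 0x4E3490: v8::internal::JSObject::GetNormalizedProperty(v8::internal::LookupResult*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x5502A2: v8::internal::Runtime_InitializeConstContextSlot(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x9F48341: ???
==26391==    by 0x414477: v8::Script::Run() (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==
==26391== Invalid read of size 8
==26391==    at 0x4E3490: v8::internal::JSObject::GetNormalizedProperty(v8::internal::LookupResult*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x5502A2: v8::internal::Runtime_InitializeConstContextSlot(v8::internal::Arguments, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/shell)
==26391==    by 0x9F48341: ???
==26391==  Address 0xffffffff96781a20 is not stack'd, malloc'd or (recently) free'd
==26391==
==26391==
==26391== Process terminating with default action of signal 11 (SIGSEGV)
==26391==  Access not within mapped region at address 0xFFFFFFFF96781A20
"""

PREFIX_RE = re.compile(r"^==(\d+)==\s?(.*)$")
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x([0-9A-Fa-f]+):\s+(.*?)(?:\s+\(in (.+)\))?$")
SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\)")
ADDRESS_RE = re.compile(r"[Aa]ddress (0x[0-9A-Fa-f]+)")
WILD_MARKER = "is not stack'd, malloc'd or (recently) free'd"


@dataclass
class Frame:
    addr: int
    func: str            # "???" when valgrind could not symbolize the frame (JIT code here)
    obj: Optional[str]   # object file from the "(in ...)" suffix, if present


@dataclass
class ValgrindError:
    pid: int
    kind: str                                        # e.g. "Invalid read of size 8"
    frames: List[Frame] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)   # indented follow-up lines ("Address ... is not stack'd ...")

    def top_symbolized(self) -> Optional[str]:
        """Innermost frame valgrind could name, with its argument list stripped."""
        for f in self.frames:
            if f.func != "???":
                return f.func.split("(", 1)[0]
        return None

    def fault_address(self) -> Optional[int]:
        for note in self.notes:
            m = ADDRESS_RE.search(note)
            if m:
                return int(m.group(1), 16)
        return None


def parse_valgrind(text: str) -> List[ValgrindError]:
    """Split "==pid== ..." lines into error reports; non-valgrind lines are ignored."""
    errors: List[ValgrindError] = []
    current: Optional[ValgrindError] = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue                      # the program's own output, not valgrind's
        pid, content = int(m.group(1)), m.group(2)
        if not content.strip():
            current = None                # a blank valgrind line ends the current report
            continue
        if content.startswith(" "):       # indented: a stack frame or an explanatory note
            if current is None:
                continue
            fm = FRAME_RE.match(content)
            if fm:
                current.frames.append(Frame(int(fm.group(1), 16), fm.group(2), fm.group(3)))
            else:
                current.notes.append(content.strip())
        else:                             # unindented: the first line of a new report
            current = ValgrindError(pid, content.strip())
            errors.append(current)
    return errors


def bucket_key(err: ValgrindError) -> Tuple[str, str]:
    """Dedup key: error family (access size dropped) plus innermost symbolized frame."""
    family = re.sub(r"\s+of size \d+$", "", err.kind)
    return (family, err.top_symbolized() or "<unsymbolized>")


def termination_signal(errors: List[ValgrindError]) -> Optional[Tuple[int, str]]:
    for e in errors:
        m = SIGNAL_RE.search(e.kind)
        if m:
            return int(m.group(1)), m.group(2)
    return None


def summarize(text: str) -> dict:
    """One triage record per log: counts, dedup buckets, signal and wild fault addresses."""
    errors = parse_valgrind(text)
    wild = [e for e in errors if any(WILD_MARKER in n for n in e.notes)]
    return {
        "errors": len(errors),
        "buckets": sorted({bucket_key(e) for e in errors if e.frames}),
        "signal": termination_signal(errors),
        "wild_addresses": [hex(e.fault_address()) for e in wild],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Bucketing on the innermost symbolized frame rather than the raw top frame is what makes two fuzzer findings like the one in this report compare equal even though the JIT frames between them carry different addresses on every run; the "wild" address flag separates reads through a garbage pointer (as here) from off-by-one reads past a heap block, which valgrind reports with a different note.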


Jul 6, 2011
#1 infe...@chromium.org
Mads, can you please help to triage.
Status: Assigned
Owner: ager@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-Medium OS-All Mstone-13 WebKit-JavaScript
Jul 8, 2011
#2 scarybea...@gmail.com
(Add Erik "fixing machine" Corry and Soren to cc: as well)
Cc: erik.corry sgjesse@chromium.org
Jul 8, 2011
#3 erik.corry
I'm sending this on to Vyacheslav because I am on my way out of the door for a vacation.
Owner: vegorov@chromium.org
Cc: ricow@chromium.org
Jul 8, 2011
#4 scarybea...@gmail.com
Happy vacation :)
Jul 10, 2011
#5 infe...@chromium.org
(No comment was entered for this change.)
Labels: -SecSeverity-Medium SecSeverity-High
Jul 10, 2011
#6 ricow@chromium.org
Kevin, could this be related to r8496?
Cc: kmillikin@chromium.org
Jul 10, 2011
#7 ricow@chromium.org
Never mind, I did a revert of 8496 and the failure is still there.
Jul 10, 2011
#8 decoder...@googlemail.com
A bisect shows r8224 as the revision introducing this, but given the log text, I'm not sure that's accurate.
Jul 10, 2011
#9 scarybea...@gmail.com
@inferno: is this marked Mstone-13 because the test case also crashes M13?
Jul 10, 2011
#10 ricow@chromium.org
decoder: r8224 actually makes good sense, since this is only crashing with try-catch. 
Jul 10, 2011
#11 kmillikin@chromium.org
I'll take a look.
Owner: kmillikin@chromium.org
Jul 10, 2011
#12 kmillikin@chromium.org
This was previously reported as https://code.google.com/p/v8/issues/detail?id=1528.

Bug was introduced in https://code.google.com/p/v8/source/detail?r=8224, fixed in https://code.google.com/p/v8/source/detail?r=8523.  It affects V8 trunk versions in the range 3.4.4 to 3.4.8, inclusive.
Status: Fixed
Jul 11, 2011
#13 kmillikin@chromium.org
I spoke too soon, this bug is still present in v8 bleeding_edge.  I'm working on a fix.
Status: Assigned
Jul 11, 2011
#14 kmillikin@chromium.org
I did speak too soon.  Though it has a very similar reproduction, this is a different issue than https://code.google.com/p/v8/issues/detail?id=1528.

This bug has nothing essential to do with try/catch.  The assertion can also be triggered by:

Object.prototype.__defineSetter__('x', function (x) {});
this.__proto__ = { x: 42 };
with ({}) { eval('const x = 7'); }

Status: Fixed
Jul 11, 2011
#16 infe...@chromium.org
Kevin has pushed the fix to m13 and m12 branches.
Status: FixUnreleased
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Jul 11, 2011
#17 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: reward-topanel
Jul 19, 2011
#18 scarybea...@gmail.com
@decoder.oh: thanks for your continued help in catching these very interesting corner-case v8 issues! It's a fairly easy panel decision to offer you a $1000 Chromium Security Reward for your help.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -reward-topanel reward-1000 reward-unpaid
Jul 21, 2011
#19 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2011-2802
Aug 4, 2011
#20 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -reward-unpaid
Oct 4, 2011
#21 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
May 15, 2012
#22 cdn@chromium.org
Marking old security bugs Fixed.
Status: Fixed
Oct 13, 2012
#23 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#24 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-13 -WebKit-JavaScript -SecImpacts-Stable Cr-Content Security-Impact-Stable Cr-Content-JavaScript Security-Severity-High M-13 Type-Bug-Security
Mar 13, 2013
#25 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: Restrict-View-EditIssue
Mar 13, 2013
#26 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#27 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Mar 21, 2013
#28 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#29 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Apr 5, 2013
#30 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink
Apr 5, 2013
#31 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript