Verified
Status Update
No update yet.
Comments
24...@project.gserviceaccount.com
Automatically applying components based on crash stacktrace and information from OWNERS files.
If this is incorrect, please apply the hotlistid:4801165.
If this is incorrect, please apply the hotlistid:4801165.
24...@project.gserviceaccount.com
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/2c1dd921fb0df335ff8ce603c753562500702147 ([turboshaft] Maglev-to-ts: support JS eval()).
If this is incorrect, please let us know why and apply the hotlistid:5433122. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
If this is incorrect, please let us know why and apply the hotlistid:5433122. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
dm...@chromium.org
Whups, this is pretty bad and has been broken for months now. In short, there is a buffer-overflow in the compiler (in a malloced buffer), and it's pretty easy to trigger. Hard to say what the security impact is, but we should probably fix and backmerge at least to Beta, maybe even Stable.
pe...@google.com
You have been auto-cc'ed due to this issue's component.
To update this component's auto-cc rules, visit
go/peepsi-blintz-auto-cc-rules
To update this component's auto-cc rules, visit
go/peepsi-blintz-auto-cc-rules
sa...@chromium.org
Ah this is kind of funny: we found this through our sandbox fuzzer, but it doesn't require any up-front heap corruption (as would normally be the case for a V8 sandbox violation). So this actually is a "real" vulnerability, and I'm therefore not adjusting the labels (as I would for a "regular" sandbox violation). It's still also a sandbox violation though, and I think the first one that can directly be triggered from JavaScript.
dm...@chromium.org
Simplified repro
function g() { }
function f() {
// We need a CallOp that is 516 bytes large. CallOp itself is 24 bytes. So we
// need 516-24=492 bytes of inputs, with 4 bytes per input, this amounts to
// 492/4 = 123 inputs.
// JS calls in Turboshaft always have 6 additional inputs (target, frame
// state, context, number of arguments...), so we write a JS call with 117
// inputs to reach the 123 inputs required for CallOp.
g( 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,
29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56,
57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70,
71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84,
85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98,
99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112,
113, 114, 115, 116, 117);
}
%PrepareFunctionForOptimization(f);
f();
%OptimizeFunctionOnNextCall(f);
f();
ap...@google.com
Project: v8/v8
Branch: main
commit fab3ba3a0e29d17ee6c24132e1286c44a555ac3d
Author: Darius Mercadier <dmercadier@chromium.org>
Date: Wed Mar 27 13:06:26 2024
[turboshaft] Compute correct input_count in CreateOperation
Fixed: 331241020
Bug: v8:12783
Change-Id: I30d5a1ebc7e10313fc95c42b31c065c35f95cc91
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5400799
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#93065}
M src/compiler/turboshaft/index.h
M src/compiler/turboshaft/operations.h
M src/wasm/turboshaft-graph-interface.cc
https://chromium-review.googlesource.com/5400799
Branch: main
commit fab3ba3a0e29d17ee6c24132e1286c44a555ac3d
Author: Darius Mercadier <dmercadier@chromium.org>
Date: Wed Mar 27 13:06:26 2024
[turboshaft] Compute correct input_count in CreateOperation
Fixed: 331241020
Bug: v8:12783
Change-Id: I30d5a1ebc7e10313fc95c42b31c065c35f95cc91
Reviewed-on:
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#93065}
M src/compiler/turboshaft/index.h
M src/compiler/turboshaft/operations.h
M src/wasm/turboshaft-graph-interface.cc
pe...@google.com
Setting milestone because of s0/s1 severity.
pe...@google.com
Setting Priority to P1 to match Severity s1. If this is incorrect, please reset the priority. The automation bot account won't make this change again.
pe...@google.com
This is sufficiently serious that it should be merged to extended stable. But I can't see a Chromium repo commit here,so you will need to investigate what - if anything - needs to be merged to M122. Is there a fix in some other repo which should be merged? Or, perhaps this ticket is a duplicate of some other ticket which has the real fix: please track that down and ensure it is merged appropriately.
This is sufficiently serious that it should be merged to stable. But I can't see a Chromium repo commit here,so you will need to investigate what - if anything - needs to be merged to M123. Is there a fix in some other repo which should be merged? Or, perhaps this ticket is a duplicate of some other ticket which has the real fix: please track that down and ensure it is merged appropriately.
This is sufficiently serious that it should be merged to beta. But I can't see a Chromium repo commit here,so you will need to investigate what - if anything - needs to be merged to M124. Is there a fix in some other repo which should be merged? Or, perhaps this ticket is a duplicate of some other ticket which has the real fix: please track that down and ensure it is merged appropriately.
Thank you for fixing this security bug! We aim to ship security fixes as quickly as possible, to limit their opportunity for exploitation as an "n-day" (that is, a bug where git fixes are developed into attacks before those fixes reach users).
We have determined this fix is necessary on milestone(s): [].
Please answer the following questions so that we can safely process this merge request:
1. Which CLs should be backmerged? (Please include Gerrit links.)
2. Has this fix been verified on Canary to not pose any stability regressions?
3. Does this fix pose any potential non-verifiable stability risks?
4. Does this fix pose any known compatibility risks?
5. Does it require manual verification by the test team? If so, please describe required testing.
This is sufficiently serious that it should be merged to stable. But I can't see a Chromium repo commit here,so you will need to investigate what - if anything - needs to be merged to M123. Is there a fix in some other repo which should be merged? Or, perhaps this ticket is a duplicate of some other ticket which has the real fix: please track that down and ensure it is merged appropriately.
This is sufficiently serious that it should be merged to beta. But I can't see a Chromium repo commit here,so you will need to investigate what - if anything - needs to be merged to M124. Is there a fix in some other repo which should be merged? Or, perhaps this ticket is a duplicate of some other ticket which has the real fix: please track that down and ensure it is merged appropriately.
Thank you for fixing this security bug! We aim to ship security fixes as quickly as possible, to limit their opportunity for exploitation as an "n-day" (that is, a bug where git fixes are developed into attacks before those fixes reach users).
We have determined this fix is necessary on milestone(s): [].
Please answer the following questions so that we can safely process this merge request:
1. Which CLs should be backmerged? (Please include Gerrit links.)
2. Has this fix been verified on Canary to not pose any stability regressions?
3. Does this fix pose any potential non-verifiable stability risks?
4. Does this fix pose any known compatibility risks?
5. Does it require manual verification by the test team? If so, please describe required testing.
dm...@chromium.org
Replies to Comment 11:
-
Not on Canary yet (it landed earlier today in V8, should be in Chrome soonish, so it makes sense to wait a few days to merge)
-
no
-
no
-
no
Additional comment: I'm not sure how exploitable this is, and I'd expect that the risk is more on the stability side rather than security side. That being said, I'm not aware of any crashes that are caused by this. So, I'm not sure how important it is to backmerge "far". Backmerging to Beta seems like it doesn't cost much so why not. Further than that, I don't know.
am...@chromium.org
Thanks for your input here, Darius -- much appreciated. Based on Samuel's assessment in
All that being said, yes, let's also make sure this gets sufficient bake time on Canary and I'll revisit in a couple of days.
24...@project.gserviceaccount.com
ClusterFuzz testcase 6030038469640192 is verified as fixed in https://clusterfuzz.com/revisions?job=linux_asan_d8_sandbox_fuzzing&range=93064:93065
If this is incorrect, please add the hotlistid:5432646 and re-open the issue.
If this is incorrect, please add the hotlistid:5432646 and re-open the issue.
pe...@google.com
Merge review required: M124 is already shipping to beta.
Please answer the following questions so that we can safely process your merge request:
1. Why does your merge fit within the merge criteria for these milestones?
- Chrome Browser:https://chromiumdash.appspot.com/branches
- Chrome OS:https://goto.google.com/cros-release-branch-merge-guidelines
2. What changes specifically would you like to merge? Please link to Gerrit.
3. Have the changes been released and tested on canary?
4. Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
5. [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative?https://goto.google.com/cros-engprodcomponents
6. If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.
Please contact the milestone owner if you have questions.
Owners: eakpobaro (Android), eakpobaro (iOS), obenedict (ChromeOS), danielyip (Desktop)
Please answer the following questions so that we can safely process your merge request:
1. Why does your merge fit within the merge criteria for these milestones?
- Chrome Browser:
- Chrome OS:
2. What changes specifically would you like to merge? Please link to Gerrit.
3. Have the changes been released and tested on canary?
4. Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
5. [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative?
6. If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.
Please contact the milestone owner if you have questions.
Owners: eakpobaro (Android), eakpobaro (iOS), obenedict (ChromeOS), danielyip (Desktop)
dm...@chromium.org
am...@chromium.org
M124 merge approved for
ap...@google.com
Project: v8/v8
Branch: refs/branch-heads/12.4
commit f2b5b98010236d7dbe75ca598c844882f15a86af
Author: Darius Mercadier <dmercadier@chromium.org>
Date: Wed Mar 27 13:06:26 2024
Merged: [turboshaft] Compute correct input_count in CreateOperation
Bug: v8:12783, 331241020
(cherry picked from commit fab3ba3a0e29d17ee6c24132e1286c44a555ac3d)
Change-Id: Ia5e317d3b383761baf58394d30cda6ba918b5cec
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5423128
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.4@{#16}
Cr-Branched-From: 309640da62fae0485c7e4f64829627c92d53b35d-refs/heads/12.4.254@{#1}
Cr-Branched-From: 5dc24701432278556a9829d27c532f974643e6df-refs/heads/main@{#92862}
M src/compiler/turboshaft/index.h
M src/compiler/turboshaft/operations.h
M src/wasm/turboshaft-graph-interface.cc
https://chromium-review.googlesource.com/5423128
Branch: refs/branch-heads/12.4
commit f2b5b98010236d7dbe75ca598c844882f15a86af
Author: Darius Mercadier <dmercadier@chromium.org>
Date: Wed Mar 27 13:06:26 2024
Merged: [turboshaft] Compute correct input_count in CreateOperation
Bug: v8:12783, 331241020
(cherry picked from commit fab3ba3a0e29d17ee6c24132e1286c44a555ac3d)
Change-Id: Ia5e317d3b383761baf58394d30cda6ba918b5cec
Reviewed-on:
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.4@{#16}
Cr-Branched-From: 309640da62fae0485c7e4f64829627c92d53b35d-refs/heads/12.4.254@{#1}
Cr-Branched-From: 5dc24701432278556a9829d27c532f974643e6df-refs/heads/main@{#92862}
M src/compiler/turboshaft/index.h
M src/compiler/turboshaft/operations.h
M src/wasm/turboshaft-graph-interface.cc
pe...@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!
If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.
Thanks for your time! To disable nags, add Disable-Nags (case sensitive) to the Chromium Labels custom field.
If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.
Thanks for your time! To disable nags, add Disable-Nags (case sensitive) to the Chromium Labels custom field.
pe...@google.com
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
Fuzzer: None
Job Type: linux_asan_d8_sandbox_fuzzing
Platform Id: linux
Crash Type: V8 sandbox violation
Crash Address: 0x515000004b00
Crash State:
void v8::base::Vector<v8::internal::compiler::turboshaft::OpIndex>::OverwriteWit
v8::internal::compiler::turboshaft::CallOp::CallOp
v8::internal::compiler::turboshaft::CallOp* v8::internal::compiler::turboshaft::
Sanitizer: address (ASAN)
Regressed:
Reproducer Testcase:
Issue filed automatically.
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know at