Comments
cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #2
Fuzzer: None
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
!var->has_forced_context_allocation() || var->is_used() in scopes.cc
Sanitizer: address (ASAN)
Crash Revision:
Reproducer Testcase:
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know at
am...@chromium.org <am...@chromium.org> #3
renderer type confusion -> RCE == high severity
active exploitation == Pri-0
FoundIn-124, active working exploit used against Stable 124; 124 is current Extended Stable / oldest active release
temporarily assigning to cffsmith@ -- current V8 security shepherd until I figure out who is a more appropriate owner
am...@chromium.org <am...@chromium.org> #4
Clusterfuzz regression range not helpful, links to flag change CL enabling harmony static initializer blocks
am...@chromium.org <am...@chromium.org>
cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #5
am...@chromium.org <am...@chromium.org> #6
adding ast and parsing owners
cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #7
Fuzzer: None
Job Type: linux_asan_d8_noflags
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x7ec741414141
Crash State:
NULL
Sanitizer: address (ASAN)
Recommended Security Severity: High
Crash Revision:
Reproducer Testcase:
am...@chromium.org <am...@chromium.org> #8
swapped ownership based on digging around in parser.cc and looking at Parser::PostProcessParseResult
am...@chromium.org <am...@chromium.org> #10
reassigning as it appears that leszeks@ is OOO this week
am...@chromium.org <am...@chromium.org> #11
assigning to ishell@ based on off-bug conversation; thanks for your investigative efforts thus far, syg@
is...@chromium.org <is...@chromium.org>
pe...@google.com <pe...@google.com> #12
am...@chromium.org <am...@chromium.org> #13
confirmed with TAG this issue does not need to be under embargo
ap...@google.com <ap...@google.com> #14
Branch: main
commit 3e037e195e508dea045f5626862412e8f64fc919
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
[parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
Change-Id: Id52a60d77781201a706fcf2290d7d103f39bed83
Reviewed-on:
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#94014}
M src/ast/scopes.cc
M src/parsing/parser-base.h
sy...@chromium.org <sy...@chromium.org>
ap...@google.com <ap...@google.com> #15
Branch: chromium/6493
commit 5955c250b2e957ab1d243457472be147c875a41b
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I1a8266ed4022bbe1f4d7052284a782539b420f11
Reviewed-on:
Reviewed-by: Adam Klein <adamk@chromium.org>
M src/ast/scopes.cc
M src/parsing/parser-base.h
pe...@google.com <pe...@google.com> #16
This issue has been flagged as a merge candidate for Chrome OS' LTS channel. If selected, our merge team will handle any additional merges. To help us determine if this issue requires a merge to LTS, please answer this short questionnaire:
1. Was this issue a regression for the milestone it was found in?
2. Is this issue related to a change or feature merged after the latest LTS Milestone?
am...@chromium.org <am...@chromium.org> #17
new canary build 127.0.6493.0 with this fix is now available; in the interim of having data to monitor, I'm approving merges for M125 Stable, please CP to minibranches:
- refs/heads/chromium/6422_53 for Android
- refs/heads/chromium/6422_76 for Desktop
ap...@google.com <ap...@google.com> #18
Branch: chromium/6422_76
commit 8c46911f080ea752530fb12b4c796e86f9884554
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I0ca24c1512598532e5ad6b60f782a6f76b1c4d64
Reviewed-on:
Reviewed-by: Adam Klein <adamk@chromium.org>
M src/ast/scopes.cc
M src/parsing/parser-base.h
am...@chromium.org <am...@chromium.org> #19
Merge approved for 126. Please merge to 12.6 asap so this fix can be in this afternoon's cut for tomorrow's M126 Beta update. (this should be all the merges for today)
ap...@google.com <ap...@google.com> #20
Branch: refs/branch-heads/12.6
commit 4fbbbb89bf0b01e0dc18da4c3ca5ae7e074de87b
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I50ed5d948c6d5ddd2471edda93166490ba8d49cb
Reviewed-on:
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.6@{#10}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
M src/ast/scopes.cc
M src/parsing/parser-base.h
pe...@google.com <pe...@google.com> #21
24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #22
If this is incorrect, please add the hotlistid:5432646 and re-open the issue.
ap...@google.com <ap...@google.com> #23
Branch: refs/branch-heads/12.5
commit 4565b6a2a184062f6b7555e4ebb329698a8570cd
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ifc8f921be8e485e290fe1d5c4ec2cf5ae3c467e5
Reviewed-on:
Owners-Override: Adam Klein <adamk@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.5@{#24}
Cr-Branched-From: 15b9756484d5bda98ba273ae13f8db58200db4db-refs/heads/12.5.227@{#1}
Cr-Branched-From: 497d8573dc80b1b69052a834bec894cf5d4238e7-refs/heads/main@{#93350}
M src/ast/scopes.cc
M src/parsing/parser-base.h
ap...@google.com <ap...@google.com> #24
Branch: refs/branch-heads/12.4
commit 6e5e1053fa619b709d6290c12fdef2f0b0641188
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ice9a710293b028e5d9fd30d5d85c4842f970b152
Reviewed-on:
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.4@{#38}
Cr-Branched-From: 309640da62fae0485c7e4f64829627c92d53b35d-refs/heads/12.4.254@{#1}
Cr-Branched-From: 5dc24701432278556a9829d27c532f974643e6df-refs/heads/main@{#92862}
M src/ast/scopes.cc
M src/parsing/parser-base.h
ap...@google.com <ap...@google.com> #25
Branch: refs/branch-heads/12.0
commit 8f1c780b30fcd354fbeecfab5534b08e5f41a805
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
[M120-LTS][parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug:
Change-Id: Id52a60d77781201a706fcf2290d7d103f39bed83
Reviewed-on:
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#94014}
Reviewed-on:
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/12.0@{#54}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
M src/ast/scopes.cc
M src/parsing/parser-base.h
pe...@google.com <pe...@google.com> #26
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
VULNERABILITY DETAILS
NOTE: TAG has evidence that the following bug is being used in the wild. Therefore, this bug is subject to TAG's 7-day disclosure deadline.
There is a bug in V8's scope analysis that can result in type confusions. The following PoCs were reconstructed from an exploit chain delivered to Chrome 124, and the bug also triggers on head.
VERSION
Chrome Version: 125.0.6422.60 + head
REPRODUCTION CASE
Minimal PoC that triggers a DCHECK in dcheck.js
An arbitrary read/write primitive can be found in rw.js
CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited?
Reporter credit: Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka