Verified
Status Update
No update yet.
Comments
cl...@appspot.gserviceaccount.com
Detailed Report: https://clusterfuzz.com/testcase?key=4671973404639232
Fuzzer: None
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
!var->has_forced_context_allocation() || var->is_used() in scopes.cc
Sanitizer: address (ASAN)
Crash Revision:https://clusterfuzz.com/revisions?job=linux_d8_dbg&revision=93991
Reproducer Testcase:https://clusterfuzz.com/download?testcase_id=4671973404639232
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know athttps://forms.gle/Yh3qCYFveHj6E5jz5 so we can improve.
Fuzzer: None
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
!var->has_forced_context_allocation() || var->is_used() in scopes.cc
Sanitizer: address (ASAN)
Crash Revision:
Reproducer Testcase:
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know at
am...@chromium.org
renderer type confusion -> RCE == high severity
active exploitation == Pri-0
FoundIn-124, active working exploit used against Stable 124; 124 is current Extended Stable / oldest active release
temporarily assigning to cffsmith@ -- current V8 security shepherd until I figure out who is a more appropriate owner
am...@chromium.org
Clusterfuzz regression range not helpful, links to flag change CL enabling harmony static initializer blocks
am...@chromium.org
cl...@appspot.gserviceaccount.com
Comment has been deleted.
am...@chromium.org
adding ast and parsing owners
cl...@appspot.gserviceaccount.com
Detailed Report: https://clusterfuzz.com/testcase?key=4856085029519360
Fuzzer: None
Job Type: linux_asan_d8_noflags
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x7ec741414141
Crash State:
NULL
Sanitizer: address (ASAN)
Recommended Security Severity: High
Crash Revision:https://clusterfuzz.com/revisions?job=linux_asan_d8_noflags&revision=93991
Reproducer Testcase:https://clusterfuzz.com/download?testcase_id=4856085029519360
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know athttps://forms.gle/Yh3qCYFveHj6E5jz5 so we can improve.
Fuzzer: None
Job Type: linux_asan_d8_noflags
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x7ec741414141
Crash State:
NULL
Sanitizer: address (ASAN)
Recommended Security Severity: High
Crash Revision:
Reproducer Testcase:
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know at
am...@chromium.org
swapped ownership based digging around in parser.cc and looking at Parser::PostProcessParseResult
am...@chromium.org
reassigning as it appears that leszeks@ is OOO this week
am...@chromium.org
assigning to ishell@ based on off-bug conversation thanks for your investigative efforts thus far, syg@
is...@chromium.org
pe...@google.com
Setting milestone because of s0/s1 severity.
am...@chromium.org
confirmed with TAG this issue does not need to be under embargo
ap...@google.com
Project: v8/v8
Branch: main
commit 3e037e195e508dea045f5626862412e8f64fc919
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
[parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
Change-Id: Id52a60d77781201a706fcf2290d7d103f39bed83
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5553030
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#94014}
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5553030
Branch: main
commit 3e037e195e508dea045f5626862412e8f64fc919
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
[parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
Change-Id: Id52a60d77781201a706fcf2290d7d103f39bed83
Reviewed-on:
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#94014}
M src/ast/scopes.cc
M src/parsing/parser-base.h
sy...@chromium.org
ap...@google.com
Project: v8/v8
Branch: chromium/6493
commit 5955c250b2e957ab1d243457472be147c875a41b
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I1a8266ed4022bbe1f4d7052284a782539b420f11
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5554481
Reviewed-by: Adam Klein <adamk@chromium.org>
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5554481
Branch: chromium/6493
commit 5955c250b2e957ab1d243457472be147c875a41b
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I1a8266ed4022bbe1f4d7052284a782539b420f11
Reviewed-on:
Reviewed-by: Adam Klein <adamk@chromium.org>
M src/ast/scopes.cc
M src/parsing/parser-base.h
pe...@google.com
LTS Milestone M120
This issue has been flagged as a merge candidate for Chrome OS' LTS channel. If selected, our merge team will handle any additional merges. To help us determine if this issue requires a merge to LTS, please answer this short questionnaire:
1. Was this issue a regression for the milestone it was found in?
2. Is this issue related to a change or feature merged after the latest LTS Milestone?
This issue has been flagged as a merge candidate for Chrome OS' LTS channel. If selected, our merge team will handle any additional merges. To help us determine if this issue requires a merge to LTS, please answer this short questionnaire:
1. Was this issue a regression for the milestone it was found in?
2. Is this issue related to a change or feature merged after the latest LTS Milestone?
am...@chromium.org
new canary build 127.0.6493.0 with this fix is now available; in the interim of having data to monitor, I'm approving merges for M125 Stable, please CP to minibranches:
- refs/heads/chromium/6422_53 for Android
- refs/heads/chromium/6422_76 for Desktop
ap...@google.com
Project: v8/v8
Branch: chromium/6422_76
commit 8c46911f080ea752530fb12b4c796e86f9884554
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I0ca24c1512598532e5ad6b60f782a6f76b1c4d64
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5555848
Reviewed-by: Adam Klein <adamk@chromium.org>
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5555848
Branch: chromium/6422_76
commit 8c46911f080ea752530fb12b4c796e86f9884554
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I0ca24c1512598532e5ad6b60f782a6f76b1c4d64
Reviewed-on:
Reviewed-by: Adam Klein <adamk@chromium.org>
M src/ast/scopes.cc
M src/parsing/parser-base.h
am...@chromium.org
Merge approved for 126. Please merge to 12.6 asap so this fix can be in this afternoon's cut for tomorrow's M126 Beta update. (this should be all the merges for today)
ap...@google.com
Project: v8/v8
Branch: refs/branch-heads/12.6
commit 4fbbbb89bf0b01e0dc18da4c3ca5ae7e074de87b
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I50ed5d948c6d5ddd2471edda93166490ba8d49cb
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5556242
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.6@{#10}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5556242
Branch: refs/branch-heads/12.6
commit 4fbbbb89bf0b01e0dc18da4c3ca5ae7e074de87b
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
Bug: 341663589
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Change-Id: I50ed5d948c6d5ddd2471edda93166490ba8d49cb
Reviewed-on:
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.6@{#10}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
M src/ast/scopes.cc
M src/parsing/parser-base.h
pe...@google.com
This high+ V8 security issue with stable impact requires a lightweight post mortem. Please take some time to answer questions asked in this form [1] to help us improve V8 security. [1] https://docs.google.com/forms/d/e/1FAIpQLSdSMCiEpIFLLFkMbgtulK1sf1B-idQmkFaA4XP2Rz5mN1cqWg/viewform?usp=pp_url&entry.307501673=341663589&entry.958145677=Android , Fuchsia, Linux, Mac, Windows, Lacros, ChromeOS&entry.763880440=Extended&entry.1678852700=High&entry.763402679=Blink>JavaScript, Blink>JavaScript>Parser&entry.975983575=ishell@chromium.org Please ensure to copy the full link, as otherwise some issue meta data might not be populated automatically.
24...@project.gserviceaccount.com
ClusterFuzz testcase 4856085029519360 is verified as fixed in https://clusterfuzz.com/revisions?job=linux_asan_d8_noflags&range=94013:94014
If this is incorrect, please add the hotlistid:5432646 and re-open the issue.
If this is incorrect, please add the hotlistid:5432646 and re-open the issue.
ap...@google.com
Project: v8/v8
Branch: refs/branch-heads/12.5
commit 4565b6a2a184062f6b7555e4ebb329698a8570cd
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ifc8f921be8e485e290fe1d5c4ec2cf5ae3c467e5
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5558537
Owners-Override: Adam Klein <adamk@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.5@{#24}
Cr-Branched-From: 15b9756484d5bda98ba273ae13f8db58200db4db-refs/heads/12.5.227@{#1}
Cr-Branched-From: 497d8573dc80b1b69052a834bec894cf5d4238e7-refs/heads/main@{#93350}
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5558537
Branch: refs/branch-heads/12.5
commit 4565b6a2a184062f6b7555e4ebb329698a8570cd
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ifc8f921be8e485e290fe1d5c4ec2cf5ae3c467e5
Reviewed-on:
Owners-Override: Adam Klein <adamk@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.5@{#24}
Cr-Branched-From: 15b9756484d5bda98ba273ae13f8db58200db4db-refs/heads/12.5.227@{#1}
Cr-Branched-From: 497d8573dc80b1b69052a834bec894cf5d4238e7-refs/heads/main@{#93350}
M src/ast/scopes.cc
M src/parsing/parser-base.h
ap...@google.com
Project: v8/v8
Branch: refs/branch-heads/12.4
commit 6e5e1053fa619b709d6290c12fdef2f0b0641188
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ice9a710293b028e5d9fd30d5d85c4842f970b152
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5558360
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.4@{#38}
Cr-Branched-From: 309640da62fae0485c7e4f64829627c92d53b35d-refs/heads/12.4.254@{#1}
Cr-Branched-From: 5dc24701432278556a9829d27c532f974643e6df-refs/heads/main@{#92862}
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5558360
Branch: refs/branch-heads/12.4
commit 6e5e1053fa619b709d6290c12fdef2f0b0641188
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
Merged: [parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug: 341663589
Change-Id: Ice9a710293b028e5d9fd30d5d85c4842f970b152
Reviewed-on:
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.4@{#38}
Cr-Branched-From: 309640da62fae0485c7e4f64829627c92d53b35d-refs/heads/12.4.254@{#1}
Cr-Branched-From: 5dc24701432278556a9829d27c532f974643e6df-refs/heads/main@{#92862}
M src/ast/scopes.cc
M src/parsing/parser-base.h
ap...@google.com
Project: v8/v8
Branch: refs/branch-heads/12.0
commit 8f1c780b30fcd354fbeecfab5534b08e5f41a805
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
[M120-LTS][parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug:
Change-Id: Id52a60d77781201a706fcf2290d7d103f39bed83
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5553030
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#94014}
Reviewed-on:https://chromium-review.googlesource.com/c/v8/v8/+/5564223
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/12.0@{#54}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
M src/ast/scopes.cc
M src/parsing/parser-base.h
https://chromium-review.googlesource.com/5564223
Branch: refs/branch-heads/12.0
commit 8f1c780b30fcd354fbeecfab5534b08e5f41a805
Author: Shu-yu Guo <syg@chromium.org>
Date: Tue May 21 10:06:20 2024
[M120-LTS][parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements, don't inherit the
ExpressionScope stack.
(cherry picked from commit 3e037e195e508dea045f5626862412e8f64fc919)
Bug:
Change-Id: Id52a60d77781201a706fcf2290d7d103f39bed83
Reviewed-on:
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#94014}
Reviewed-on:
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/12.0@{#54}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
M src/ast/scopes.cc
M src/parsing/parser-base.h
pe...@google.com
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
VULNERABILITY DETAILS
NOTE: TAG has evidence that the following bug is being used in the wild. Therefore, this bug is subject to TAG's 7 day disclosure deadline.
There is a bug in V8's scope analysis that can result in type confusions. The following pocs were reconstructed from an exploit chain delivered to Chrome 124 and the bug also triggers on head.
VERSION
Chrome Version: 125.0.6422.60 + head
REPRODUCTION CASE
Minimal poc that triggers a dcheck in dcheck.js
Arbitrary read/write primitive can be found in rw.js
CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited?
Reporter credit: Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka