Bug 1335449 (CVE-2016-1669)

Summary: CVE-2016-1669 V8: integer overflow leading to buffer overflow in Zone::New
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, apevec, bkearney, bleanhar, cbillett, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, gmollett, hhorak, jgoulding, jialiu, jjoyce, jkeck, jmatthew, joelsmith, jokerman, jorton, jschluet, jshepherd, kbasil, lhh, lmeyer, lpeer, markmc, mmccomas, mmccune, mrunge, nodejs-sig, ohadlevy, rbryant, rhos-maint, sclewis, sgallagh, sisharma, srevivo, tcallawa, tchollingsworth, tdawson, tdecacqu, thoger, thrcka, tiwillia, tlestach, tomckay, tomspur, tpopela, tsanders, zsvetlik
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Chrome 50.0.2661.10, nodejs 0.10.46, nodejs 0.12.15, nodejs 4.4.6, nodejs 5.12.2, nodejs 6.2.0
Doc Type: Bug Fix
Doc Text:
An integer-overflow flaw was found in V8's Zone class when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:51:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1335475, 1335476, 1353618, 1353619, 1353620, 1353622, 1353623, 1392914, 1392915, 1395691, 1399557, 1417969, 1417970, 1417971, 1417972, 1417997, 1424744, 1424745, 1424746, 1424747, 1432656, 1470273, 1470274, 1470275, 1470276, 1470277, 1470278, 1470299, 1470302, 1472051    
Bug Blocks: 1335455, 1353625, 1412813    
Attachments:
  314 patch (flags: none)
  Patch for old v8 v3.14.5.10 (flags: none)

Description Andrej Nemec 2016-05-12 08:58:13 UTC
A buffer overflow flaw was found in the V8 component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=606115

External References:

http://googlechromereleases.blogspot.com/2016/05/stable-channel-update.html

Comment 2 errata-xmlrpc 2016-05-13 07:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:1080 https://rhn.redhat.com/errata/RHSA-2016-1080.html

Comment 6 Adam Mariš 2016-07-07 15:18:37 UTC
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1353620]
Affects: epel-all [bug 1353623]

Comment 7 Adam Mariš 2016-07-07 15:18:42 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1353619]
Affects: epel-all [bug 1353622]

Comment 8 Adam Mariš 2016-07-07 15:22:11 UTC
Nodejs advisory:

https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/

Comment 9 Tomas Hoger 2016-07-07 20:12:18 UTC
V8 upstream commit and review request:

https://chromium.googlesource.com/v8/v8/+/3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73%5E%21/#F0
https://codereview.chromium.org/1930873002

Node.js backport of the fix to the embedded V8:

https://github.com/nodejs/node/commit/fcb9145e291e8cb82164bc1fe3db1c1dae219b55

Fixed in Node.js versions 0.10.46, 0.12.15, 4.4.6, 5.12.2 and 6.2.0.

Comment 12 errata-xmlrpc 2017-01-02 15:56:27 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2017:0002 https://rhn.redhat.com/errata/RHSA-2017-0002.html

Comment 18 Lon Hohberger 2017-03-13 19:16:43 UTC
It is my belief that OSP 7-10 are not affected:

1) We ship v8 v8-3.14.5.10-18.el7ost, which is much older than v5.1.128

2) There is no Zone::New() method specifically defined in v3.14.5.10

3) The Zone::NewExpand() method takes an int as size_t (ok, whatever), and calls directly to malloc().  Here's the entire function from 3.14.5.10:

  // Creates a new segment, sets it size, and pushes it to the front
  // of the segment chain. Returns the new segment.
  Segment* Zone::NewSegment(int size) {
    Segment* result = reinterpret_cast<Segment*>(Malloced::New(size));
    adjust_segment_bytes_allocated(size);
    if (result != NULL) {
      result->Initialize(segment_head_, size);
      segment_head_ = result;
    }
    return result;
  }

Here's what Malloced::New(size) does (from allocation.cc):

  void* Malloced::New(size_t size) {
    void* result = malloc(size);
    ...

5) In later versions of v8, they tried to be efficient with calls to glibc malloc/free and got things wrong, exposing the issue:

  // Compute the new segment size. We use a 'high water mark'
  // strategy, where we increase the segment size every time we expand
  // except that we employ a maximum segment size when we delete. This
  // is to avoid excessive malloc() and free() overhead.

These later versions of v8 are not shipped in RHEL OSP 7-10, so I don't think this product is affected.  Please correct me if I'm wrong.

Comment 19 Lon Hohberger 2017-03-13 19:18:52 UTC
That is, the overflow in NewExpand() would be because we tried to expand past the bounds of the previously-allocated block on v5.  In v3.14.5.10, we always call malloc(), so this issue doesn't occur.

Since there's no Zone::New() in v3.14.5.10, this function also can't be affected.

Comment 20 Lon Hohberger 2017-03-13 19:23:35 UTC
Whoops, wrong function :)

Comment 21 Lon Hohberger 2017-03-13 19:29:14 UTC
So, ignore point (3) (wrong function) and (5) (NewExpand does try to preserve some memory).

Points (1) and (2) are still valid. There is no Zone::New() in v8 3.14.5.10

The patch that is added to NewExpand() adds a DCHECK() line which does not do anything on production builds (only debug builds).

Comment 22 Lon Hohberger 2017-03-13 19:37:38 UTC
Nope, theory disproved:

[root@localhost ~]# d8
V8 version 3.14.5.10 [console: readline]
d8> var r2 = new RegExp("(?=)*", "g");
d8> var s0 = s0 = Array(220000700).join('a');
d8> result = s0.match(r2)
[  301.477942] d8[2486]: segfault at 7f3f71ad7000 ip 00007f3f7f4f3ceb sp 00007ffecb537d98 error 7 in libc-2.17.so[7f3f7f465000+1b6000]
Segmentation fault (core dumped)

Comment 23 Lon Hohberger 2017-03-13 19:42:45 UTC
The backtrace is completely different, but it's still falling apart.  OK, we'll fix it.
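The arithmetic Lon is reasoning about in comments 18 to 22 is easier to see in isolation. The C program below is an added example written for this page; it is not V8's Zone code and not the patch attached to this bug. It models the two quantities a growing zone computes when a request does not fit the current segment: the smallest segment that can hold the request (per-segment overhead plus the size rounded up to the alignment) and the doubling heuristic described in the "high water mark" comment. The pre-fix shape does that arithmetic in 32-bit integers (unsigned here, because signed overflow is undefined behaviour in C and would not model the wrap reliably); the hardened shape does it in size_t with a representability cap checked before any addition and a final fit check. The alignment, overhead, segment limits and the INT_MAX cap are illustrative assumptions, not V8's values.

```c
/*
 * Added example for this bug report: a toy model of the segment-size
 * arithmetic in a growing zone (bump) allocator. NOT V8's Zone code and
 * NOT the patch attached to this bug; all constants are assumptions.
 *
 * uint32_t stands in for the 32-bit int used by the old bookkeeping,
 * because signed overflow is undefined in C and would not model the wrap.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define K_ALIGNMENT            8u
#define K_SEGMENT_OVERHEAD     32u        /* assumed per-segment header size */
#define K_MINIMUM_SEGMENT_SIZE 8192u
#define K_MAXIMUM_SEGMENT_SIZE 1048576u   /* cap on the doubling heuristic */
#define K_MAX_REQUEST ((size_t)INT_MAX)   /* old bookkeeping stored sizes in int */

/* Ground truth, done in 64 bits: does a segment of segment_size bytes hold
 * request bytes after its header? false means the allocator would return a
 * pointer into a block that is too small, i.e. a heap buffer overflow as
 * soon as the caller writes into it. */
bool segment_fits(uint64_t segment_size, uint64_t request)
{
    return segment_size >= K_SEGMENT_OVERHEAD &&
           segment_size - K_SEGMENT_OVERHEAD >= request;
}

/* Pre-fix shape. Returns the segment size the allocator would malloc(). */
uint32_t new_segment_size_unchecked(uint32_t old_size, uint32_t request)
{
    /* Round up to the alignment; wraps to a tiny value for request near 2^32. */
    uint32_t size = (request + (K_ALIGNMENT - 1)) & ~(K_ALIGNMENT - 1);
    /* Smallest segment that holds the request; this add can wrap as well. */
    uint32_t min_new_size = K_SEGMENT_OVERHEAD + size;
    /* "High water mark" growth: double the previous segment, within limits. */
    uint32_t new_size = old_size << 1;
    if (new_size < K_MINIMUM_SEGMENT_SIZE) new_size = K_MINIMUM_SEGMENT_SIZE;
    if (new_size > K_MAXIMUM_SEGMENT_SIZE) new_size = K_MAXIMUM_SEGMENT_SIZE;
    /* Meant to guarantee the request fits; useless once min_new_size wrapped. */
    if (new_size < min_new_size) new_size = min_new_size;
    return new_size;
}

/* Hardened shape: size_t arithmetic, a representability cap checked before
 * any addition, and a final fit check. Returns 0 for "refuse the request",
 * which the caller must treat as out of memory rather than hand out a pointer. */
size_t new_segment_size_checked(size_t old_size, size_t request)
{
    /* Anything this large cannot be represented by int-sized bookkeeping,
     * and rounding plus overhead would at best wrap. Reject it first. */
    if (request > K_MAX_REQUEST - K_ALIGNMENT - K_SEGMENT_OVERHEAD) return 0;
    size_t size = (request + (K_ALIGNMENT - 1)) & ~(size_t)(K_ALIGNMENT - 1);
    size_t min_new_size = K_SEGMENT_OVERHEAD + size;   /* bounded, cannot wrap */
    size_t new_size = old_size <= K_MAXIMUM_SEGMENT_SIZE / 2
                          ? old_size * 2 : K_MAXIMUM_SEGMENT_SIZE;
    if (new_size < K_MINIMUM_SEGMENT_SIZE) new_size = K_MINIMUM_SEGMENT_SIZE;
    if (new_size < min_new_size) new_size = min_new_size;
    /* Belt and braces: never return a segment the request does not fit in. */
    if (!segment_fits(new_size, request)) return 0;
    return new_size;
}

int main(void)
{
    uint32_t huge = 0xFFFFFFF0u;   /* just under 4 GiB */
    uint32_t bad = new_segment_size_unchecked(8192u, huge);
    printf("unchecked: request %u -> segment %u, fits=%d\n",
           huge, bad, segment_fits(bad, huge));
    printf("checked:   request %u -> segment %zu (0 = refused)\n",
           huge, new_segment_size_checked(8192, huge));
    return 0;
}
```

With a request of 0xFFFFFFF0 bytes the unchecked path wraps overhead plus size to 16, so the doubling heuristic wins and the allocator would malloc() a 16 KiB segment for a 4 GiB request; whatever the caller then writes into that allocation runs off the end of the heap block, which is the kind of crash inside libc seen in comment 22. The checked path refuses the same request before doing any arithmetic that could wrap, and the trailing segment_fits() check catches any future change to the growth heuristic that reintroduces the gap.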

Comment 27 Garth Mollett 2017-03-15 05:41:27 UTC
Created attachment 1263179 [details]
314 patch

Comment 29 Lon Hohberger 2017-03-15 12:03:30 UTC
Created attachment 1263290 [details]
Patch for old v8 v3.14.5.10

Comment 37 errata-xmlrpc 2017-04-05 02:40:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0882 https://access.redhat.com/errata/RHSA-2017:0882

Comment 38 errata-xmlrpc 2017-04-05 02:41:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0881 https://access.redhat.com/errata/RHSA-2017:0881

Comment 39 errata-xmlrpc 2017-04-05 02:42:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:0879 https://access.redhat.com/errata/RHSA-2017:0879

Comment 40 errata-xmlrpc 2017-04-05 02:43:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:0880 https://access.redhat.com/errata/RHSA-2017:0880

Comment 43 Kurt Seifried 2017-07-12 16:53:54 UTC
Created nodejs tracking bugs for this issue:

Affects: openshift-1 [bug 1470299]

Comment 47 errata-xmlrpc 2018-02-21 12:26:56 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336

Comment 48 Jason Shepherd 2018-04-03 02:24:31 UTC
Openshift Enterprise 3.7 is using the latest RHSCL image, which includes Node 4.6.2. See:
https://github.com/openshift/library/blob/master/official/nodejs/imagestreams/nodejs-rhel7.json

Openshift also includes the v8 engine embedded in MongoDB. However, it's not possible to exploit this issue via the mongodb shell because the shell user is not authorized to execute the 'eval' function:

sh-4.2$ mongo -u admin -p $MONGODB_ADMIN_PASSWORD admin
MongoDB shell version: 2.6.9
connecting to: admin
...
> function bar() {
...   var r2 = new RegExp("(?=)*", "g");
...   var s0 = Array(220000700).join('a');
...   result = s0.match(r2)
... }
> 
> db.eval(bar,'')
2018-04-03T02:08:29.557+0000 {
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { $eval: function bar() {\n  var r2 = new RegExp(\"(?=)*\", \"g\");\n  var s0 = Array..., args: [ \"\" ] }",
	"code" : 13
} at src/mongo/shell/db.js:403

The v8 engine has been removed from MongoDB 3.1 onwards, see:
https://jira.mongodb.org/browse/SERVER-19376

Marking Openshift Enterprise 3 as not affected and closing the linked tracking bugs.