Bug 1039889 - (CVE-2013-6640) CVE-2013-6640 v8: DoS (out-of-bounds read) in DehoistArrayIndex function in hydrogen.cc
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131204,repor...
Keywords: Security
Depends On: 1039894 1039895 1139698
Blocks: 1040074 1139716
Reported: 2013-12-10 04:20 EST by Ratul Gupta
Modified: 2016-04-26 18:16 EDT (History)
Fixed In Version: v8 3.22.24.7
Doc Type: Bug Fix
Last Closed: 2014-10-30 08:59:16 EDT

Attachments
v8-3.14.5.10-CVE-2013-6640.patch (12.23 KB, patch)
2013-12-13 13:43 EST, T.C. Hollingsworth
Description Ratul Gupta 2013-12-10 04:20:24 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6640 to the following vulnerability:

Name: CVE-2013-6640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
Assigned: 20131105
Reference: http://code.google.com/p/v8/source/detail?r=17801
Reference: http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=319860

The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of an array element with a crafted index.
Comment 1 Ratul Gupta 2013-12-10 04:27:35 EST
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1039894]
Affects: epel-6 [bug 1039895]
Comment 2 T.C. Hollingsworth 2013-12-10 10:50:56 EST
This does not appear to affect the v8-3.14.5.10 stable version used by Fedora for node.js.  The hydrogen-dehoist.cc file does not exist in this version.
Comment 3 Garth Mollett 2013-12-13 01:40:15 EST
(In reply to T.C. Hollingsworth from comment #2)
> This does not appear to affect the v8-3.14.5.10 stable version used by Fedora
> for node.js.  The hydrogen-dehoist.cc file does not exist in this version.

I have had a look at this and while we have no file named hydrogen-dehoist.cc we do have hydrogen.cc that has a function DehoistArrayIndex() and looks to contain the vulnerable code.

I think perhaps this was split into multiple files in a later version (I haven't looked at the history upstream).

Would you mind double checking?
Comment 4 T.C. Hollingsworth 2013-12-13 02:33:25 EST
(In reply to Garth Mollett from comment #3)
> I have had a look at this and while we have no file named
> hydrogen-dehoist.cc we do have hydrogen.cc that has a function
> DehoistArrayIndex() and looks to contain
> the vulnerable code.
> 
> I think perhaps this was split into multiple files in a later version (I
> haven't looked at the history upstream).
> 
> Would you mind double checking?

Good catch.  That's what I get for answering bugmail before coffee.  :-(

You can test w/Fedora or EPEL's nodejs package by running:
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319835.js
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319860.js
node --allow_natives_syntax regress-crbug-319835.js
node --allow_natives_syntax regress-crbug-319860.js

The first `node` call segfaults as expected with the vulnerability, while the second one does not with Fedora's v8 version.  I guess that isn't so strange given the question mark in the comments in the regression tests.  (I *really* wish Google would open their security bugs after CVEs go public.  Playing these guessing games is getting really old...)

Backporting shouldn't be too difficult; will post a patch shortly.
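Added example, not code from the bug report or from the node/v8 projects: a POSIX shell wrapper around the check in comment 4 that fetches the two regression tests, runs each under node and classifies the exit status, treating a signal death (for example 139 = 128+SIGSEGV) as "still vulnerable" rather than as a generic failure. It assumes node and wget are on PATH; invoke the script with --run to execute the check.

```shell
#!/bin/sh
# Regression-test wrapper for CVE-2013-6640 on a packaged node.js (added example).
# Test files and the --allow_natives_syntax flag are those named in comment 4.

V8_REV="3d45af8494ab85d312c4be77999155ed5c045048"
BASE="https://raw.github.com/v8/v8/$V8_REV/test/mjsunit/regress"
TESTS="regress-crbug-319835.js regress-crbug-319860.js"

# classify_status STATUS -> prints one of: clean, vulnerable, error
# A shell reports a process killed by a signal as 128+signo, so any status
# >= 128 means node died (139 = SIGSEGV), i.e. the bundled v8 is unpatched.
classify_status() {
  status=$1
  if [ "$status" -eq 0 ]; then
    echo clean
  elif [ "$status" -ge 128 ]; then
    echo vulnerable
  else
    echo error            # non-zero exit without a signal: test or environment problem
  fi
}

# run_check: download (if needed) and run both tests; returns 0 only if both are clean.
run_check() {
  overall=clean
  for t in $TESTS; do
    if [ ! -f "$t" ] && ! wget -q "$BASE/$t"; then
      echo "$t: download failed"
      overall=error
      continue
    fi
    node --allow_natives_syntax "$t" >/dev/null 2>&1
    status=$?
    verdict=$(classify_status "$status")
    echo "$t: exit $status -> $verdict"
    if [ "$verdict" = vulnerable ]; then overall=vulnerable; fi
    if [ "$verdict" = error ] && [ "$overall" = clean ]; then overall=error; fi
  done
  echo "result: $overall"
  [ "$overall" = clean ]
}

if [ "${1:-}" = "--run" ]; then
  run_check
fi
```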
Comment 5 T.C. Hollingsworth 2013-12-13 13:43:58 EST
Created attachment 836453
v8-3.14.5.10-CVE-2013-6640.patch

The attached patch resolves the issue with v8-3.14.5.10.  The regression tests described above are confirmed to pass.

Regression tests against nodejs itself to confirm that the patch doesn't cause any other issues also passed.  Updates for Fedora and EPEL will be pushed shortly.
Comment 6 T.C. Hollingsworth 2013-12-13 18:26:30 EST
The above patch has now landed in the bundled copy of v8 on the upstream node v0.10 branch:
https://github.com/joyent/node/pull/6699
Comment 7 Fedora Update System 2013-12-23 22:35:59 EST
v8-3.14.5.10-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-12-23 22:41:50 EST
v8-3.14.5.10-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-12-23 22:43:17 EST
v8-3.14.5.10-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-12-30 14:28:34 EST
v8-3.14.5.10-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Tomas Hoger 2014-08-06 09:34:16 EDT
node.js commit fixing this in embedded v8 copy:
https://github.com/joyent/node/commit/39e2426
Comment 15 errata-xmlrpc 2014-10-30 08:09:05 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1744 https://rhn.redhat.com/errata/RHSA-2014-1744.html
