Bug 1039889 (CVE-2013-6640) - CVE-2013-6640 v8: DoS (out-of-bounds read) in DehoistArrayIndex function in hydrogen.cc
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6640
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20131204,repor...
Depends On: 1039894 1039895 1139698
Blocks: 1040074 1139716
Reported: 2013-12-10 09:20 UTC by Ratul Gupta
Modified: 2019-06-08 19:49 UTC (History)

Fixed In Version: v8 3.22.24.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-30 12:59:16 UTC


Attachments
v8-3.14.5.10-CVE-2013-6640.patch (12.23 KB, patch)
2013-12-13 18:43 UTC, T.C. Hollingsworth


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1744 normal SHIPPED_LIVE Moderate: v8314-v8 security update 2014-10-30 16:08:15 UTC

Description Ratul Gupta 2013-12-10 09:20:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6640 to the following vulnerability:

Name: CVE-2013-6640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
Assigned: 20131105
Reference: http://code.google.com/p/v8/source/detail?r=17801
Reference: http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=319860

The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of an array element with a crafted index.

Comment 1 Ratul Gupta 2013-12-10 09:27:35 UTC
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1039894]
Affects: epel-6 [bug 1039895]

Comment 2 T.C. Hollingsworth 2013-12-10 15:50:56 UTC
This does not appear to affect the v8-3.14.5.10 stable version used by Fedora for node.js.  The hydrogen-dehoist.cc file does not exist in this version.

Comment 3 Garth Mollett 2013-12-13 06:40:15 UTC
(In reply to T.C. Hollingsworth from comment #2)
> This does not appear to affect the v8-3.14.5.10 stable version used by Fedora
> for node.js.  The hydrogen-dehoist.cc file does not exist in this version.

I have had a look at this and while we have no file named hydrogen-dehoist.cc we do have hydrogen.cc that has a function DehoistArrayIndex() and looks to contain the vulnerable code.

I think perhaps this was split into multiple files in a later version (I haven't looked at the history upstream).

Would you mind double checking?

Comment 4 T.C. Hollingsworth 2013-12-13 07:33:25 UTC
(In reply to Garth Mollett from comment #3)
> I have had a look at this and while we have no file named
> hydrogen-dehoist.cc we do have hydrogen.cc that has a function
> DehoistArrayIndex() and looks to contain
> the vulnerable code.
> 
> I think perhaps this was split into multiple files in a later version (I
> haven't looked at the history upstream).
> 
> Would you mind double checking?

Good catch.  That's what I get for answering bugmail before coffee.  :-(

You can test w/Fedora or EPEL's nodejs package by running:
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319835.js
wget https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress/regress-crbug-319860.js
node --allow_natives_syntax regress-crbug-319835.js
node --allow_natives_syntax regress-crbug-319860.js

The first `node` call segfaults as expected with the vulnerability, while the second one does not with Fedora's v8 version.  I guess that isn't so strange given the question mark in the comments in the regression tests.  (I *really* wish Google would open their security bugs after CVEs go public.  Playing these guessing games is getting really old...)

Backporting shouldn't be too difficult; will post a patch shortly.
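The manual check in the previous comment (fetch the two upstream regression tests, run them under the packaged node, see which one segfaults) wrapped into a repeatable script, as an added example for packagers; it is not part of this bug report, of v8, or of node.js. It assumes a `node` binary on PATH and the two test files at the URLs quoted above, which it downloads with wget only if they are not already in the working directory. The verdict is derived from the exit status: a process killed by a signal exits with 128+signal, so 139 is SIGSEGV (the symptom reported above) and 134 is SIGABRT.

```shell
#!/bin/sh
# Added example, not code from the bug report or from v8/node.js.
# Assumptions: `node` on PATH; test files taken from the URLs quoted in the
# bug (fetched on demand). Interpreter is a parameter so the logic can be
# exercised with a stand-in command as well.

BASE_URL="https://raw.github.com/v8/v8/3d45af8494ab85d312c4be77999155ed5c045048/test/mjsunit/regress"
TESTS="regress-crbug-319835.js regress-crbug-319860.js"

# Map a shell exit status to a verdict. Signal deaths are 128+signo:
# 139 = SIGSEGV (out-of-bounds read hit an unmapped page), 134 = SIGABRT.
classify_exit() {
    case "$1" in
        0)   echo "pass" ;;
        139) echo "segfault" ;;
        134) echo "abort" ;;
        *)   echo "error($1)" ;;
    esac
}

# Run one regression test under the given interpreter and print a verdict.
# $1 = interpreter command (normally `node`), $2 = test file.
# The `if` keeps a crash from tripping `set -e` in callers.
run_regress() {
    if "$1" --allow_natives_syntax "$2" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_exit "$status"
}

# Download any test file not already present. Network access required.
fetch_tests() {
    for t in $TESTS; do
        [ -f "$t" ] || wget -q "$BASE_URL/$t" || return 1
    done
}

# Overall verdict: "affected" if any test crashed, "not-affected" otherwise.
# $1 = interpreter, remaining args = test files. Per-test detail goes to stderr.
check_all() {
    interp="$1"; shift
    verdict="not-affected"
    for t in "$@"; do
        r=$(run_regress "$interp" "$t")
        case "$r" in
            segfault|abort) verdict="affected" ;;
        esac
        echo "$t: $r" >&2
    done
    echo "$verdict"
}

main() {
    fetch_tests || { echo "could not fetch regression tests" >&2; exit 2; }
    echo "node $(node --version): $(check_all node $TESTS)"
}

# Run main only when executed as this script name, not when sourced.
case "$0" in
    *check-cve-2013-6640.sh) main "$@" ;;
esac
```

Save it as `check-cve-2013-6640.sh` and run it in a scratch directory; per-test verdicts print on stderr and the summary line on stdout, so the summary can be fed into a packaging check. As the comment above notes, only the first of the two tests crashes the unpatched Fedora build, so a single "segfault" line is the expected pre-patch result.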

Comment 5 T.C. Hollingsworth 2013-12-13 18:43:58 UTC
Created attachment 836453 [details]
v8-3.14.5.10-CVE-2013-6640.patch

The attached patch resolves the issue with v8-3.14.5.10.  The regression tests described above are confirmed to pass.

Regression tests against nodejs itself to confirm that the patch doesn't cause any other issues also passed.  Updates for Fedora and EPEL will be pushed shortly.

Comment 6 T.C. Hollingsworth 2013-12-13 23:26:30 UTC
The above patch has now landed in the bundled copy of v8 on the upstream node v0.10 branch:
https://github.com/joyent/node/pull/6699

Comment 7 Fedora Update System 2013-12-24 03:35:59 UTC
v8-3.14.5.10-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-12-24 03:41:50 UTC
v8-3.14.5.10-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-12-24 03:43:17 UTC
v8-3.14.5.10-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-12-30 19:28:34 UTC
v8-3.14.5.10-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2014-08-06 13:34:16 UTC
node.js commit fixing this in embedded v8 copy:
https://github.com/joyent/node/commit/39e2426

Comment 15 errata-xmlrpc 2014-10-30 12:09:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1744 https://rhn.redhat.com/errata/RHSA-2014-1744.html

