Bug 1335449 (CVE-2016-1669) - CVE-2016-1669 V8: integer overflow leading to buffer overflow in Zone::New
Summary: CVE-2016-1669 V8: integer overflow leading to buffer overflow in Zone::New
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-1669
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1335475 1335476 1353618 1353619 1353620 1353622 1353623 1392914 1392915 1395691 1399557 1417969 1417970 1417971 1417972 1417997 1424744 1424745 1424746 1424747 1432656 1470273 1470274 1470275 1470276 1470277 1470278 1470299 1470302 1472051
Blocks: 1335455 1353625 1412813
TreeView+ depends on / blocked
 
Reported: 2016-05-12 08:58 UTC by Andrej Nemec
Modified: 2019-09-29 13:49 UTC (History)
52 users (show)

Fixed In Version: Chrome 50.0.2661.10, nodejs 0.10.46, nodejs 0.12.15, nodejs 4.4.6, nodejs 5.12.2, nodejs 6.2.0
Doc Type: Bug Fix
Doc Text:
An integer-overflow flaw was found in V8's Zone class when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:51:48 UTC


Attachments (Terms of Use)
314 patch (1.49 KB, patch)
2017-03-15 05:41 UTC, Garth Mollett
no flags Details | Diff
Patch for old v8 v3.14.5.10 (2.24 KB, patch)
2017-03-15 12:03 UTC, Lon Hohberger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1080 normal SHIPPED_LIVE Important: chromium-browser security update 2016-05-13 11:36:54 UTC
Red Hat Product Errata RHSA-2017:0002 normal SHIPPED_LIVE Important: rh-nodejs4-nodejs and rh-nodejs4-http-parser security update 2017-01-02 20:55:58 UTC
Red Hat Product Errata RHSA-2017:0879 normal SHIPPED_LIVE Moderate: v8 security update 2017-04-05 06:40:21 UTC
Red Hat Product Errata RHSA-2017:0880 normal SHIPPED_LIVE Moderate: v8 security update 2017-04-05 06:40:33 UTC
Red Hat Product Errata RHSA-2017:0881 normal SHIPPED_LIVE Moderate: v8 security update 2017-04-05 06:40:06 UTC
Red Hat Product Errata RHSA-2017:0882 normal SHIPPED_LIVE Moderate: v8 security update 2017-04-05 06:39:50 UTC
Red Hat Product Errata RHSA-2018:0336 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Description Andrej Nemec 2016-05-12 08:58:13 UTC
A buffer overflow flaw was found in the V8 component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=606115

External References:

http://googlechromereleases.blogspot.com/2016/05/stable-channel-update.html

Comment 2 errata-xmlrpc 2016-05-13 07:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:1080 https://rhn.redhat.com/errata/RHSA-2016-1080.html

Comment 6 Adam Mariš 2016-07-07 15:18:37 UTC
Created v8 tracking bugs for this issue:

Affects: fedora-all [bug 1353620]
Affects: epel-all [bug 1353623]

Comment 7 Adam Mariš 2016-07-07 15:18:42 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1353619]
Affects: epel-all [bug 1353622]

Comment 8 Adam Mariš 2016-07-07 15:22:11 UTC
Nodejs advisory:

https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/

Comment 9 Tomas Hoger 2016-07-07 20:12:18 UTC
V8 upstream commit and review request:

https://chromium.googlesource.com/v8/v8/+/3a9bfecfe41737aaf0dbf92ce68352f8acaaaf73%5E%21/#F0
https://codereview.chromium.org/1930873002

Node.js backport of the fix to the embedded V8:

https://github.com/nodejs/node/commit/fcb9145e291e8cb82164bc1fe3db1c1dae219b55

Fixed in Node.js versions 0.10.46, 0.12.15, 4.4.6, 5.12.2 and 6.2.0.

Comment 12 errata-xmlrpc 2017-01-02 15:56:27 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2017:0002 https://rhn.redhat.com/errata/RHSA-2017-0002.html

Comment 18 Lon Hohberger 2017-03-13 19:16:43 UTC
It is my belief that OSP 7-10 are not affected:

1) We ship v8 v8-3.14.5.10-18.el7ost, which is much older than v5.1.128

2) There is no Zone::New() method specifically defined in v3.14.15.10

3) The Zone::NewExpand() method takes an int as size_t (ok, whatever), and calls directly to malloc().  Here's the entire function from 3.14.5.10:

  // Creates a new segment, sets it size, and pushes it to the front
  // of the segment chain. Returns the new segment.
  Segment* Zone::NewSegment(int size) {
    Segment* result = reinterpret_cast<Segment*>(Malloced::New(size));
    adjust_segment_bytes_allocated(size);
    if (result != NULL) {
      result->Initialize(segment_head_, size);
      segment_head_ = result;
    }
    return result;
  }

Here's what Malloced::New(size) does (from allocation.cc):

  void* Malloced::New(size_t size) {
    void* result = malloc(size);
    ...

5) In later versions of v8, they tried to be efficient with calls to glibc malloc/free and got things wrong, exposing the issue:

  // Compute the new segment size. We use a 'high water mark'
  // strategy, where we increase the segment size every time we expand
  // except that we employ a maximum segment size when we delete. This
  // is to avoid excessive malloc() and free() overhead.

These later versions of v8 are not shipped in RHEL OSP 7-10, so I don't think this product is affected.  Please correct me if I'm wrong.

Comment 19 Lon Hohberger 2017-03-13 19:18:52 UTC
That is, the overflow in NewExpand() would be because we tried to expand past the bounds of the previously-allocated block on v5.  In v3.14.5.10, we always call malloc(), so this issue doesn't occur.

Since there's no Zone::New() in v3.14.5.10, this function also can't be affected.

Comment 20 Lon Hohberger 2017-03-13 19:23:35 UTC
Whoops, wrong function :)

Comment 21 Lon Hohberger 2017-03-13 19:29:14 UTC
So, ignore point (3) (wrong function) and (5) (NewExpand does try to preserve some memory).

Points (1) and (2) are still valid. There is no Zone::New() in v8 3.14.5.10

The patch that is added to NewExpand() adds a DCHECK() line which does not do anything on production builds (only debug builds).

Comment 22 Lon Hohberger 2017-03-13 19:37:38 UTC
Nope, theory disproved:

[root@localhost ~]# d8
V8 version 3.14.5.10 [console: readline]
d8> var r2 = new RegExp("(?=)*", "g");
d8> var s0 = s0 = Array(220000700).join('a');
d8> result = s0.match(r2)
[  301.477942] d8[2486]: segfault at 7f3f71ad7000 ip 00007f3f7f4f3ceb sp 00007ffecb537d98 error 7 in libc-2.17.so[7f3f7f465000+1b6000]
Segmentation fault (core dumped)

Comment 23 Lon Hohberger 2017-03-13 19:42:45 UTC
The backtrace is completely different, but it's still falling apart.  OK, we'll fix it.

Comment 27 Garth Mollett 2017-03-15 05:41:27 UTC
Created attachment 1263179 [details]
314 patch

Comment 29 Lon Hohberger 2017-03-15 12:03:30 UTC
Created attachment 1263290 [details]
Patch for old v8 v3.14.5.10

Comment 37 errata-xmlrpc 2017-04-05 02:40:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0882 https://access.redhat.com/errata/RHSA-2017:0882

Comment 38 errata-xmlrpc 2017-04-05 02:41:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0881 https://access.redhat.com/errata/RHSA-2017:0881

Comment 39 errata-xmlrpc 2017-04-05 02:42:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:0879 https://access.redhat.com/errata/RHSA-2017:0879

Comment 40 errata-xmlrpc 2017-04-05 02:43:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:0880 https://access.redhat.com/errata/RHSA-2017:0880

Comment 43 Kurt Seifried 2017-07-12 16:53:54 UTC
Created nodejs tracking bugs for this issue:

Affects: openshift-1 [bug 1470299]

Comment 47 errata-xmlrpc 2018-02-21 12:26:56 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336

Comment 48 Jason Shepherd 2018-04-03 02:24:31 UTC
Openshift Enterprise 3.7 is using RHSCL latest image which includes Node 4.6.2. See:
https://github.com/openshift/library/blob/master/official/nodejs/imagestreams/nodejs-rhel7.json

Openshift also includes the v8 engine embedded in MongoDB. However it's not possible to exploit this issue via the mongodb shell because the execute the 'eval' function:

sh-4.2$ mongo -u admin -p $MONGODB_ADMIN_PASSWORD admin
MongoDB shell version: 2.6.9
connecting to: admin
...
> function bar() {
...   var r2 = new RegExp("(?=)*", "g");
...   var s0 = Array(220000700).join('a');
...   result = s0.match(r2)
... }
> 
> db.eval(bar,'')
2018-04-03T02:08:29.557+0000 {
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { $eval: function bar() {\n  var r2 = new RegExp(\"(?=)*\", \"g\");\n  var s0 = Array..., args: [ \"\" ] }",
	"code" : 13
} at src/mongo/shell/db.js:403

The v8 engine has been removed from MongoDB 3.1 onwards, see:
https://jira.mongodb.org/browse/SERVER-19376

Marking Openshift Enteprise 3 as not affected and closing the linked tracking bugs.


Note You need to log in before you can comment on or make changes to this bug.