Status: Accepted
Owner: ----
Labels: Type-Bug Priority-Medium
New issue 790 by [email protected]: OOM can lead to NULL ptrs rather than a controlled crash
http://code.google.com/p/v8/issues/detail?id=790
In Chromium, the attached repro can trigger a NULL pointer dereference in
v8::internal::SetProperty. Similar code has triggered similar NULL pointer
dereferences in v8::Value::IsNull. I've attached files that contain info
extracted from the debugger at the time of the crash.
The script allocates excessive amounts of memory, which probably trigger
this situation. However, v8 should detect OOM and crash Chromium on purpose
rather than not detect it and crash Chromium by accident.
Because the end result is the same (application crash), I would mark this
low priority. However, there are situations in which a NULL ptr dereference
might be exploitable: assume the case in which a pointer to an Array is
NULL, but the attacker can cause the code to set any element of the array
to any value; by specifying a large enough element index, the attacker
might be able to modify arbitrary memory. Luckily, I have no indication
that this is possible. However, I wouldn't mind somebody having a look to
see why this is happening and rule out any such security issue in the
affected code or other parts of v8.
Attachments:
repro.html 1.2 KB
v8..internal..SetProperty rea...@null (f2b00a6dbe478165e8bfd471d911fc80).html 405 KB
v8..Value..IsNull rea...@null (2df67f9f2d4d12db78a28e267b938f02).html 298 KB
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev