Hi!
I'd like to request a new job on Clusterfuzz: "linux_asan_d8_sbx" or "linux_asan_d8_sandbox_testing" (or something similar), which should basically be a copy of the existing linux_asan_d8, but with the following (additional) gn args:
is_debug = false
v8_enable_sandbox_future = true
v8_expose_memory_corruption_api = true
is_asan = true
The job should not be used for fuzzing (at least at the moment), but only for the "Upload Testcase" feature. If there's a way to specify the default d8 command line flags for these jobs, then this one should also get --enable-sandbox-crash-filter (but that needs this CL to land first:
https://chromium-review.googlesource.com/c/v8/v8/+/3688408).
For context: the use case here is that we are developing an in-process sandbox for V8 (see
go/ubercage). We'd like to file bugs for sandbox issues and be able to reproduce testcases (and then verify fixes later on) on Clusterfuzz. An example of such a testcase is listed below. However, the sandbox testing requires a special d8 build that exposes an API to corrupt memory inside the V8 heap (to emulate a typical V8 exploit), and requires a "signal filter" that filters out "harmless" crashes, i.e. those where the access violation happened inside the sandbox address space. This is achieved through the gn args above and by supplying the '--enable-sandbox-crash-filter' flag to d8. See also
https://bugs.chromium.org/p/v8/issues/detail?id=12878. At a later point we'd also want to run custom sandbox fuzzers, but that's still some way off (we have enough issues that we currently know about even without any fuzzers :) ).
Let me know if this is feasible and whether I can help out somehow!
Thanks!
Samuel
=================== SNIP ====================
// --enable-sandbox-crash-filter
const OFFSET_WASM_INSTANCE_MUTABLE_GLOBALS = 0x50;
let v = new DataView(new Sandbox.MemoryView(0, 0x100000000));
let wasm_global = new WebAssembly.Global({value:'i64', mutable:true}, 0n);
let wasm_code = new Uint8Array([ ... ]);
let wasm_module = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_module, {js: {global: wasm_global}});
let a = Sandbox.getAddressOf(wasm_instance);
v.setBigUint64(a + OFFSET_WASM_INSTANCE_MUTABLE_GLOBALS, 0x414141414141n, true);
wasm_instance.exports.setGlobal(0x42424242n); // Segmentation fault outside the sandbox
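The "signal filter" described in the request (faults whose address lies inside the sandbox range are harmless, faults outside it are real findings) can be illustrated with a small stand-alone program. This is an added example, not V8's `--enable-sandbox-crash-filter` implementation: it assumes Linux/POSIX, reserves a constructed 1 MiB `PROT_NONE` range as a stand-in for the sandbox, and the names `reserve_sandbox`, `install_crash_filter`, `probe_read` and `fault_is_inside_sandbox` are hypothetical.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed sandbox range for this demo: 1 MiB reserved PROT_NONE so that any
   access into it faults, standing in for an access that hits unmapped space
   inside the V8 sandbox. Real sandbox sizes are much larger. */
#define DEMO_SANDBOX_SIZE ((size_t)1 << 20)

static uintptr_t sandbox_base = 0;
static size_t sandbox_size = 0;
static sigjmp_buf recover_point;
static volatile sig_atomic_t filtered_faults = 0;

/* Classifies a faulting address: 1 if it lies in [base, base + size), else 0. */
int fault_is_inside_sandbox(uintptr_t addr, uintptr_t base, size_t size) {
  return base != 0 && addr >= base && (addr - base) < size;
}

uintptr_t demo_sandbox_base(void) { return sandbox_base; }
int filtered_fault_count(void) { return (int)filtered_faults; }

/* SIGSEGV/SIGBUS handler: a fault inside the sandbox means the corruption never
   escaped, so it is counted and recovered from; anything else is a real finding,
   so the default action is restored and the signal re-raised (process crashes). */
static void crash_filter(int sig, siginfo_t *info, void *ctx) {
  (void)ctx;
  if (fault_is_inside_sandbox((uintptr_t)info->si_addr, sandbox_base, sandbox_size)) {
    filtered_faults++;
    siglongjmp(recover_point, 1);
  }
  signal(sig, SIG_DFL);
  raise(sig);
}

/* Reserves the demo sandbox range. Returns 0 on success, -1 on failure. */
int reserve_sandbox(size_t size) {
  void *p = mmap(NULL, size, PROT_NONE,
                 MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
  if (p == MAP_FAILED) return -1;
  sandbox_base = (uintptr_t)p;
  sandbox_size = size;
  return 0;
}

/* Installs the filter for SIGSEGV and SIGBUS. Returns 0 on success, -1 on failure. */
int install_crash_filter(void) {
  struct sigaction sa;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = crash_filter;
  sa.sa_flags = SA_SIGINFO;
  sigemptyset(&sa.sa_mask);
  if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
  if (sigaction(SIGBUS, &sa, NULL) != 0) return -1;
  return 0;
}

/* Performs one byte read at addr. Returns 1 if the read faulted and was filtered
   as in-sandbox, 0 if it completed. A fault outside the sandbox does not return:
   the process crashes, which is the intended signal for a real bug. */
int probe_read(uintptr_t addr) {
  if (sigsetjmp(recover_point, 1) == 0) {
    volatile uint8_t *p = (volatile uint8_t *)addr;
    (void)*p;
    return 0;
  }
  return 1;
}

int main(void) {
  if (reserve_sandbox(DEMO_SANDBOX_SIZE) != 0 || install_crash_filter() != 0) {
    perror("setup");
    return 1;
  }
  uint8_t ok_byte = 0; /* a mapped, readable byte outside the sandbox */
  printf("read outside sandbox (mapped): filtered=%d\n",
         probe_read((uintptr_t)&ok_byte));
  printf("read inside sandbox (PROT_NONE): filtered=%d\n",
         probe_read(sandbox_base + 0x1000));
  printf("filtered faults so far: %d\n", filtered_fault_count());
  return 0;
}
```

The classification is the whole point: a testcase like the one above is only interesting when the segmentation fault lands outside the sandbox range, and a filter of this shape is what lets a triage pipeline keep the crash in that case while discarding in-sandbox faults as expected behaviour.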