
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 0
Type: Bug-Security

Blocking:
issue 422813




Use-of-uninitialized-value in v8::internal::Factory::NewNumber

Project Member Reported by ClusterFuzz, Oct 9 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5493277166927872

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_msan_d8

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  v8::internal::Factory::NewNumber
  v8::internal::Runtime_NumberSub
  v8::internal::Simulator::DoRuntimeCall
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=288030:288271

Minimized Testcase (1.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96SYco8c6qgVr2_bfNuakvzydUV01cWMAPczMwKLR3pGhLs44AgDcbe2MuvXIsnLHqDONJ3dFSCmszERiU2tzrqNkZF5PT588GHzh4MtOFl9EPbIGaM45O8od4SjqTLnMVH7sJ6l7cnSGQCZX6NM4wHQgn1QQ

Filer: mbarbella
 
Owner: ishell@chromium.org
Status: Assigned
Minimal repro: Math.tan()

ishell: Could you please help find an owner for this?
Labels: Security_Impact-Stable M-39
Comment 3 by ClusterFuzz (Project Member), Oct 9 2014

Labels: Pri-1
Cc: yangguo@chromium.org
The bug is here:

https://code.google.com/p/chromium/codesearch#chromium/src/v8/src/runtime/runtime-maths.cc&l=69

The rempio2() call can leave |y| partially uninitialized, e.g. on this code path:

https://code.google.com/p/chromium/codesearch#chromium/src/v8/src/third_party/fdlibm/fdlibm.cc&rcl=1413138659&l=255

Yang, I think this is your code?
Cc: -yangguo@chromium.org mstarzinger@chromium.org ishell@chromium.org danno@chromium.org jkummerow@chromium.org
Labels: -Pri-1 Pri-0
Owner: yangguo@chromium.org
This is one of the top crashers on MSAN on ClusterFuzz. Please fix as soon as possible. This blocks legitimate bugs from being found. 
Blocking: chromium:422813
Status: Fixed
Thanks!
Comment 10 by ClusterFuzz (Project Member), Oct 15 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Comment 11 by ClusterFuzz (Project Member), Oct 16 2014

ClusterFuzz has detected this issue as fixed in range 299683:299847.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5493277166927872

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_msan_d8

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  v8::internal::Factory::NewNumber
  v8::internal::Runtime_NumberSub
  v8::internal::Simulator::DoRuntimeCall
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=288030:288271
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=299683:299847

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94id7cj4s6Px-LWNYed6nYszwvJpNtuMiLdw_PiDn8QEFtbPcNURLBbEPgbaJ21doEtM97d2EHpBaITy5SLzQOIjlIKLXVj800-2u3kUfauZqYw8yti6Am4w7278DohhyIux3LNqZ5vYxiyti9eMQrSGauVKA
 Math.tan();

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Labels: -Merge-Triage -M-38 Merge-Requested
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171.
Cc: amineer@chromium.org
Dev/Bug owner, please merge to M-39 branch 2171 asap. We need all these security fixes to go into the first stable.
Comment 15 by bugdroid1@chromium.org (Project Member), Nov 4 2014

Labels: -Merge-Approved merge-merged-3.29
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/43490db4c9020e4d16f93816160b051c8cdf1ce9

commit 43490db4c9020e4d16f93816160b051c8cdf1ce9
Author: yangguo@chromium.org <yangguo@chromium.org>
Date: Tue Nov 04 08:29:58 2014

Version 3.29.88.14 (merged r24621)

Initialize double values before calling rempio2.

BUG= chromium:421981 
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/705543002

Cr-Commit-Position: refs/branch-heads/3.29@{#25095}
git-svn-id: https://v8.googlecode.com/svn/branches/3.29@25095 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

[modify] https://chromium.googlesource.com/v8/v8.git/+/43490db4c9020e4d16f93816160b051c8cdf1ce9/src/runtime.cc
[modify] https://chromium.googlesource.com/v8/v8.git/+/43490db4c9020e4d16f93816160b051c8cdf1ce9/src/version.cc
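The bug pattern discussed in this thread (a reduction routine that writes only part of its output array on an early-return path, with the caller then consuming the unwritten slot) and the fix the merged commit describes (initialize the doubles before the call) as an added example. This is editor-written illustrative C, not V8 or fdlibm code: reduce_partial() is a constructed stand-in for rempio2() whose inf/NaN path writes only y[0], kernel_tan(), sin_series() and cos_series() are a simplified tan kernel chosen to avoid a libm dependency, and unwritten_slots() is a canary-based check for finding such partial writes without MSan. All names and the pi/2 reduction are assumptions for the example; tan_unsafe() mirrors the reported caller and tan_safe() the shape of the fix.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a range-reduction routine such as rempio2(): it
 * reduces x modulo pi/2 into a high part y[0] and a low part y[1].  On the
 * normal path it writes both; on the inf/NaN early-return path it writes
 * only y[0].  This models the shape of bug the report describes; it is not
 * fdlibm's code, and it only handles moderate |x| (the int cast would
 * overflow for huge inputs). */
static int reduce_partial(double x, double y[2]) {
    const double pio2 = 1.5707963267948966;
    if (x != x || x == INFINITY || x == -INFINITY) {
        y[0] = x - x;            /* NaN for both inf and NaN input */
        return 0;                /* BUG: y[1] is never written on this path */
    }
    double q = x / pio2;
    int n = (int)(q >= 0 ? q + 0.5 : q - 0.5);   /* nearest multiple of pi/2 */
    y[0] = x - n * pio2;                         /* remainder, |y[0]| <= ~pi/4 */
    y[1] = 0.0;                                  /* low part; zero in this model */
    return n & 3;
}

/* Taylor series for sin and cos on |r| <= pi/4: accurate to double precision
 * after ten terms, and keeps the example free of a libm dependency. */
static double sin_series(double r) {
    double r2 = r * r, term = r, sum = r;
    for (int k = 1; k <= 10; k++) {
        term *= -r2 / ((2.0 * k) * (2.0 * k + 1.0));
        sum += term;
    }
    return sum;
}

static double cos_series(double r) {
    double r2 = r * r, term = 1.0, sum = 1.0;
    for (int k = 1; k <= 10; k++) {
        term *= -r2 / ((2.0 * k - 1.0) * (2.0 * k));
        sum += term;
    }
    return sum;
}

/* tan(x) from the reduced argument: tan(r + n*pi/2) is tan(r) for even n
 * and -1/tan(r) for odd n. */
static double kernel_tan(double hi, double lo, int n) {
    double r = hi + lo;
    double t = sin_series(r) / cos_series(r);
    return (n & 1) ? -1.0 / t : t;
}

/* The caller as the report found it: y is uninitialized, so on the
 * early-return path y[1] is whatever the stack held.  Building this file with
 * `clang -fsanitize=memory -g` and printing tan_unsafe(NAN) produces the kind
 * of use-of-uninitialized-value report MSan gave for Math.tan(). */
double tan_unsafe(double x) {
    double y[2];
    int n = reduce_partial(x, y);
    return kernel_tan(y[0], y[1], n);
}

/* The fix in the shape of the merged commit: initialize before the call, so a
 * path that writes only y[0] still leaves y[1] with a defined value. */
double tan_safe(double x) {
    double y[2] = {0.0, 0.0};
    int n = reduce_partial(x, y);
    return kernel_tan(y[0], y[1], n);
}

/* Poor man's MSan for builds without sanitizers: prefill the output with a
 * NaN payload the callee cannot produce, call it, then report which slots
 * still hold the canary.  Returns a bit mask: bit i set means y[i] was never
 * written. */
unsigned unwritten_slots(double x) {
    const uint64_t canary = 0x7ff8dead0000beefULL;  /* quiet NaN, odd payload */
    double y[2];
    memcpy(&y[0], &canary, sizeof canary);
    memcpy(&y[1], &canary, sizeof canary);
    reduce_partial(x, y);
    unsigned mask = 0;
    for (int i = 0; i < 2; i++) {
        uint64_t bits;
        memcpy(&bits, &y[i], sizeof bits);
        if (bits == canary) mask |= 1u << i;
    }
    return mask;
}

int main(void) {
    printf("tan_safe(0.5) = %.15f\n", tan_safe(0.5));
    printf("tan_safe(NAN) = %f\n", tan_safe(NAN));
    printf("slots left unwritten for NAN: 0x%x, for 0.5: 0x%x\n",
           unwritten_slots(NAN), unwritten_slots(0.5));
    return 0;
}
```

The canary check is the useful part outside a sanitizer build: because the callee's outputs are IEEE doubles, a NaN with a distinctive payload is a value it will never legitimately produce, so any slot that still carries the payload afterwards was skipped. For the NaN and infinity inputs it reports y[1] unwritten, which is exactly the slot the initialized array in tan_safe() makes harmless.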

Labels: Release-0-M39
Comment 17 by ClusterFuzz (Project Member), Jan 21 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Comment 18 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 19 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
