jochen@, would you be able to investigate this? you have some CLs in the range, although i'm honestly doubtful either is the culprit.

i think this is high, as it allows for controlling the "this" value of a v8::Object from js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/127d6781d91400397e15ba7302483643fb26c1da

commit 127d6781d91400397e15ba7302483643fb26c1da
Author: jochen <jochen@chromium.org>
Date: Fri May 06 14:10:12 2016

Convert primitive receivers for API property callbacks

They're always in sloppy mode, so always do the conversion

BUG= chromium:609134 
R=bmeurer@chromium.org,verwaest@chromium.org
LOG=n

Review-Url: https://codereview.chromium.org/1960663002
Cr-Commit-Position: refs/heads/master@{#36084}

[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/src/accessors.cc
[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/src/code-stubs.h
[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/src/factory.cc
[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/src/objects-inl.h
[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/src/objects.cc
[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/src/objects.h
[modify] https://crrev.com/127d6781d91400397e15ba7302483643fb26c1da/test/cctest/test-accessors.cc

Thanks Jochen. Bumping severity to high.

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

ClusterFuzz has detected this issue as fixed in range 392292:392298.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5570573001818112

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000ffff8007
Crash State:
  v8::Object::FindInstanceInPrototypeChain
  blink::DOMWindowV8Internal::focusOriginSafeMethodGetterCallback
  v8::internal::PropertyCallbackArguments::Call
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=387601:387928
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=392292:392298

Minimized Testcase (1.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kG8cKEkKIrOccINbivuAL_ckUNL0CQXs_LWLW-ABc6NK38XwnV9KCzonHZ58vlf1PBy51GvcwKY60-ioW29nmdMAFcOTl0Uaf0jY8CIJe4jJqw1X6kYGAy9baG-gvEnAKN-4WNIKEYAnUF-4cAbHshezosA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

still something more to do here.

Does it make sense to already merge the CL in #7?

next CL is coming in any second now :)

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ced492a6df0359e18ffa07cad95a4fcf5595c318

commit ced492a6df0359e18ffa07cad95a4fcf5595c318
Author: jochen <jochen@chromium.org>
Date: Wed May 11 11:27:33 2016

Don't compile code for LoadICs if the receiver is primitive

BUG= chromium:609134 
R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/1966853004
Cr-Commit-Position: refs/heads/master@{#36168}

[modify] https://crrev.com/ced492a6df0359e18ffa07cad95a4fcf5595c318/src/ic/ic.cc
[modify] https://crrev.com/ced492a6df0359e18ffa07cad95a4fcf5595c318/test/cctest/test-accessors.cc

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9c9708ac91314c8b485059d125eae2268325e119

commit 9c9708ac91314c8b485059d125eae2268325e119
Author: jochen <jochen@chromium.org>
Date: Thu May 12 11:04:47 2016

Interceptors expect the receiver to always be an JSReceiver.

BUG= chromium:609134 
R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/1973513002
Cr-Commit-Position: refs/heads/master@{#36203}

[modify] https://crrev.com/9c9708ac91314c8b485059d125eae2268325e119/src/ic/ic.cc
[modify] https://crrev.com/9c9708ac91314c8b485059d125eae2268325e119/src/objects.cc
[modify] https://crrev.com/9c9708ac91314c8b485059d125eae2268325e119/test/cctest/test-accessors.cc
[modify] https://crrev.com/9c9708ac91314c8b485059d125eae2268325e119/test/cctest/test-api-interceptors.cc

now it's fixed

Michael, can you take care of merging once this baked a bit?

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a

commit bf95fd960eaa78da2edfe5d7ba26169cb1c0433a
Author: Toon Verwaest <verwaest@chromium.org>
Date: Wed May 18 08:15:58 2016

Version 5.1.281.41 (cherry-pick)

Convert primitive receivers for API property callbacks
Don't compile code for LoadICs if the receiver is primitive
Interceptors expect the receiver to always be an JSReceiver.

BUG= chromium:609134 
LOG=N
R=hablich@chromium.org

Review URL: https://codereview.chromium.org/1993633002 .

Cr-Commit-Position: refs/branch-heads/5.1@{#50}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/include/v8-version.h
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/src/accessors.cc
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/src/factory.cc
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/src/ic/ic.cc
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/src/objects-inl.h
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/src/objects.cc
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/src/objects.h
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/test/cctest/test-accessors.cc
[modify] https://crrev.com/bf95fd960eaa78da2edfe5d7ba26169cb1c0433a/test/cctest/test-api-interceptors.cc

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Is this something node needs?

Yes, the fix would be useful for Node too; although I don't think this is high-severity in the Node case.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot