
Issue 623186


Issue metadata

Status: Verified
Owner: ----
Closed: Jun 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Crash in v8::internal::JavaScriptFrame::receiver

Reported by ClusterFuzz (Project Member), Jun 24 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5972763110277120

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7ffc4b95e378
Crash State:
  v8::internal::JavaScriptFrame::receiver
  v8::internal::JavaScriptFrame::Summarize
  v8::internal::Isolate::CaptureSimpleStackTrace
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=359738:359776

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97yQsFgVvX9PYeSxYGwM-Etd9kTyAfVafdspkcC288ayGIfGObfXWyW8uNTORU_Qnjq0jjReI00PXSnwBdujxovpxeFNvB7Il5oX5-unQP2GGArfvJR2UBdjhRNrQx9IPuNKWNBzCKyZB8F2TDm-AqsI4KIYw?testcase_id=5972763110277120
<script>
function go (y = (function rec() {
 b = "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAA"; 
 a2 + 1;
})()
        , b = eval()
        )
{}
go();
</script>


Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by ClusterFuzz (Project Member), Jun 25 2016

ClusterFuzz has detected this issue as fixed in range 401251:401526.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=401251:401526


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 2 by ClusterFuzz (Project Member), Jun 25 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 3 by ClusterFuzz (Project Member), Jun 25 2016

Labels: Merge-Triage M-51 M-53 M-52
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Comment 4 by sheriffbot@chromium.org (Project Member), Jun 25 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Triage
Comment 6 by sheriffbot@chromium.org (Project Member), Oct 1 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 7 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Comment 9 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1
