Heap-buffer-overflow in unibrow::Utf8::Validate
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5867155656802304
Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000e45b
Crash State:
  unibrow::Utf8::Validate
  DecodeGlobalInModule
  DecodeModule
Recommended Security Severity: Medium
Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oTjKIoQAg11Vv760lOagidW5pd9GqnKVRKl7j0Hdoss1gOhieLA9Z4MEeq-AALXKQ71b0zpJRzYuEZCvRL-TLmdXmBrKGVYRUgxAwAzrGoDDMRKvpCCBIU7jeAXBFX_JIeLVuiXvTBH9hueNtd8jNY66lfA?testcase_id=5867155656802304
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 15 2016
Please note that this has been found with a Debug build of the fuzzer; the call inside DCHECK() looks to be the issue: https://cs.chromium.org/chromium/src/v8/src/wasm/module-decoder.cc?sq=package:chromium&type=cs&l=482
Jul 15 2016
Jul 15 2016
Jul 15 2016
Jul 15 2016
Jul 19 2016
Jul 19 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 19 2016
M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.
Jul 21 2016
I'm removing the BetaBlocker label, since this is in WASM, which is off by default.
Jul 21 2016
Jul 21 2016
Aug 3 2016
M53 Stable launch is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix asap so it gets chance to bake in beta before stable promotion. Thank you.
Aug 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6cf621ec891edb0c56ac1773a0fd57ee7a296713
commit 6cf621ec891edb0c56ac1773a0fd57ee7a296713
Author: titzer <titzer@chromium.org>
Date: Wed Aug 03 22:54:41 2016
[wasm] Require global names to be validate UTF-8.
R=ahaas@chromium.org,bradnelson@chromium.org
BUG= chromium:628542
Review-Url: https://codereview.chromium.org/2207183002
Cr-Commit-Position: refs/heads/master@{#38317}
[modify] https://crrev.com/6cf621ec891edb0c56ac1773a0fd57ee7a296713/src/wasm/module-decoder.cc
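The crash state above (a 1-byte heap over-read in UTF-8 validation while decoding a global's name, found with a Debug build where the validation call sat inside DCHECK()) boils down to two defensive properties a decoder needs: the validator must be bounded by the caller-supplied length so a multi-byte sequence truncated by the buffer end is rejected rather than read past, and the check must run unconditionally rather than inside an assertion that release builds compile out. The following C is an added illustration of those two properties, not V8's code and not the fix in the commit above; the function names utf8_valid_bounded and wasm_name_ok and the sample buffer are constructed for this example.

```c
// Added example (not V8's code): a length-bounded UTF-8 validator and a
// name-field check that never reads beyond the module buffer.
// The names utf8_valid_bounded and wasm_name_ok are hypothetical.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Returns true if the first len bytes of p are well-formed UTF-8.
// Never reads p[i] for i >= len.
bool utf8_valid_bounded(const uint8_t *p, size_t len) {
    size_t i = 0;
    while (i < len) {
        uint8_t b = p[i];
        size_t need;             // number of continuation bytes expected
        uint32_t cp;             // decoded code point
        if (b < 0x80) { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { need = 1; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; }
        else return false;       // stray continuation byte or 0xF8..0xFF
        // Bounds check BEFORE touching the continuation bytes: this is the
        // read that overflows when the sequence is cut off by the buffer end.
        if (len - i - 1 < need) return false;
        for (size_t k = 1; k <= need; k++) {
            uint8_t c = p[i + k];
            if ((c & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (c & 0x3F);
        }
        // Reject overlong encodings, UTF-16 surrogates and values > U+10FFFF.
        if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800) ||
            (need == 3 && cp < 0x10000) || cp > 0x10FFFF ||
            (cp >= 0xD800 && cp <= 0xDFFF))
            return false;
        i += need + 1;
    }
    return true;
}

// Models a decoder reading a length-prefixed name out of a module buffer.
// name_off and name_len come from untrusted input, so they are checked
// against the remaining bytes first, and the UTF-8 check is an ordinary
// runtime check rather than an assertion that disappears in release builds.
bool wasm_name_ok(const uint8_t *module, size_t module_len,
                  size_t name_off, size_t name_len) {
    if (name_off > module_len || name_len > module_len - name_off)
        return false;                          // name field runs off the module
    return utf8_valid_bounded(module + name_off, name_len);
}

// Constructed sample: a heap buffer whose last byte is the lead byte of a
// 3-byte sequence with no continuation bytes after it. A validator that
// trusts the lead byte would read buf[4], one past the allocation.
bool demo_truncated_name_is_rejected(void) {
    uint8_t *buf = malloc(4);
    if (buf == NULL) return false;
    memcpy(buf, "abc\xE2", 4);
    bool ok = wasm_name_ok(buf, 4, 0, 4);      // false, and no over-read
    free(buf);
    return !ok;
}

int main(void) {
    printf("truncated name rejected: %s\n",
           demo_truncated_name_is_rejected() ? "yes" : "no");
    return 0;
}
```

Run under ASan the sample buffer is exactly the shape ClusterFuzz reported (READ of size 1 just past a heap allocation); the bounds check before the continuation-byte loop is what turns that over-read into a clean "invalid name" result.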
Aug 3 2016
Aug 4 2016
Aug 11 2016
Re-open for a minute to attach one more reproducer.
Aug 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4800721535107072
Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000e45b
Crash State:
  unibrow::Utf8::Validate
  DecodeGlobalInModule
  DecodeModule
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=400113:400163
Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VhIfOm6nBMOiCShnxiq3zZZBgJh8r_HHZZ01rboKH1tZy9QrNzkLAeDLpsTqRWn83z8dN3NUtex5VaZcIvqQZfU3pAV7LfktbQnJDcSws8MKV411cq1CVstPXW67LSDFmMBIXM1UslDLfi9RPa8CecVme-g?testcase_id=4800721535107072
Issue manually filed by: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 11 2016
Aug 11 2016
Aug 11 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Aug 11 2016
Please merge your change to M53 branch 2785 latest by Friday 5:00 PM PT so we can take it in for next week's Beta release. Thank you.
Aug 15 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 16 2016
Please merge your change by Tuesday (08/16) 4:00 PM PT so we can take it in for this week's Beta release. Thank you.
Aug 16 2016
+mbarbella@ or +inferno@, could you please help with this merge before 4:00 PM PT today so we can take it for tomorrow's beta release. Thank you.
Aug 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/76836236dcadde0bcbccfb3206790e3339903e9a
commit 76836236dcadde0bcbccfb3206790e3339903e9a
Author: titzer <titzer@chromium.org>
Date: Wed Aug 17 08:48:42 2016
Merged: [wasm] Require global names to be validate UTF-8.
Revision: 6cf621ec891edb0c56ac1773a0fd57ee7a296713
BUG= chromium:628542
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org
Review-Url: https://codereview.chromium.org/2248213003
Cr-Commit-Position: refs/branch-heads/5.3@{#44}
Cr-Branched-From: 820a23aade5e74a92d794e05a0c2b3597f0da4b5-refs/heads/5.3.332@{#2}
Cr-Branched-From: 37538cb2c1b4d75c41af386cb4fedbe5566f5608-refs/heads/master@{#37308}
[modify] https://crrev.com/76836236dcadde0bcbccfb3206790e3339903e9a/src/wasm/module-decoder.cc
Aug 17 2016
Per comment #28, this is already merged to M53 so removing "Merge-Approved-53" label.
Aug 20 2016
ClusterFuzz has detected this issue as fixed in range 413124:413277.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4800721535107072
Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000e45b
Crash State:
  unibrow::Utf8::Validate
  DecodeGlobalInModule
  DecodeModule
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=400113:400163
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=413124:413277
Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VhIfOm6nBMOiCShnxiq3zZZBgJh8r_HHZZ01rboKH1tZy9QrNzkLAeDLpsTqRWn83z8dN3NUtex5VaZcIvqQZfU3pAV7LfktbQnJDcSws8MKV411cq1CVstPXW67LSDFmMBIXM1UslDLfi9RPa8CecVme-g?testcase_id=4800721535107072
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 20 2016
ClusterFuzz has detected this issue as fixed in range 413124:413277.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5867155656802304
Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000e45b
Crash State:
  unibrow::Utf8::Validate
  DecodeGlobalInModule
  DecodeModule
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=400113:400163
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=413124:413277
Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oTjKIoQAg11Vv760lOagidW5pd9GqnKVRKl7j0Hdoss1gOhieLA9Z4MEeq-AALXKQ71b0zpJRzYuEZCvRL-TLmdXmBrKGVYRUgxAwAzrGoDDMRKvpCCBIU7jeAXBFX_JIeLVuiXvTBH9hueNtd8jNY66lfA?testcase_id=5867155656802304
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 25 2016
Nov 17 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jul 15 2016
Components: Blink>JavaScript>WebAssembly
Owner: clemensh@chromium.org