
Issue 644135

Issue metadata

Status: Duplicate
Merged: issue 644215
Owner:
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: SIGILL: Fatal error, unreachable code

Reported by lu...@princeton.edu, Sep 5 2016

Issue description

VULNERABILITY DETAILS
The attached input crash1.js causes SIGILL when run against the v8 engine corresponding to dev/beta/stable releases, in addition to the tip of v8.

In v8, I built d8 with the tip, and used commit 3807927f46dda120dd7c5192e1313a1188cae83a corresponding to the v8 engine shipped with dev (54.0.2840.8) and used commit c668dfb3c38e0efcab923d8381e60f67a5cbb4c0 corresponding to the v8 engine shipped with beta/stable (53.0.2785.89).

Running ./d8 crash1.js causes

#
# Fatal error in , line 0
# unreachable code
#

==== C stack trace ===============================

 1: 0xae9829
 2: 0x4a4f75
 3: 0x4a4e5b
 4: 0x6c2fb2
 5: 0x114e09108206
Illegal instruction (core dumped)

VERSION
Chrome Version: 54.0.2840.6, dev
                53.0.2785.87, beta/stable

Operating System: Linux

REPRODUCTION CASE
crash1.js. Run ./d8 crash1.js to observe the error.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: in v8 engine
Crash State: see above; SIGILL

Please let me know if this submission is eligible for a bug bounty. Thanks!
 
Attachment: crash1.js (88 bytes)

Comment 1 by vakh@chromium.org, Sep 6 2016

Cc: bmeu...@chromium.org jarin@chromium.org
Owner: mvstan...@chromium.org
mvstanton@chromium.org: Can you please take a look at this issue also. Seems related to issue 644048.

Comment 2 by ClusterFuzz, Sep 6 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5030498202288128

Comment 3 by sheriffbot@chromium.org, Sep 6 2016

Status: Assigned (was: Unconfirmed)
Cc: cbruni@chromium.org
Mergedinto: 644215
Status: Duplicate (was: Assigned)
Same as issue 644215, spread operator causing a leaked hole.
Cc: adamk@chromium.org
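
The diagnosis above is "spread operator causing a leaked hole". The script below is an added illustration, not the reporter's crash1.js (which is not reproduced on this page) and not V8 code; it uses constructed holey arrays to show the ECMAScript contract that any spread implementation must honour: spread, rest parameters and Array.from consume an array through its iterator, every elision must reach script as undefined, and a replaced Array.prototype[Symbol.iterator] must be observed once per index, holes included. An engine that copies its internal hole marker into the result instead of undefined is what "leaked hole" refers to; a fixed build passes every check here.

```javascript
// Added illustration; constructed inputs, not the reporter's crash1.js.
// Spread, rest parameters and Array.from all consume an array through its
// iterator, so every elision must surface to script as undefined and the
// result must be dense. An engine that copies its internal hole marker
// instead ("leaked hole") breaks this contract.

// Constructed holey arrays: elided literal, delete'd slots, grown via length.
function makeHoleyInputs() {
  const elided = [, 1, , 2];
  const deleted = [0, 1, 2, 3];
  delete deleted[1];
  delete deleted[3];
  const grown = [0];
  grown.length = 3;
  return { elided, deleted, grown };
}

// Three spread sites that must agree: array literal, call arguments, Array.from.
function spreadAll(holey) {
  return {
    literal: [...holey],
    args: ((...a) => a)(...holey),
    from: Array.from(holey),
  };
}

// The spec contract: same length, every index present (no hole survives),
// holes became undefined, non-hole values preserved by identity.
function checkDense(holey, result) {
  if (!Array.isArray(result) || result.length !== holey.length) return false;
  for (let i = 0; i < result.length; i++) {
    if (!(i in result)) return false;
    if (i in holey) {
      if (result[i] !== holey[i]) return false;
    } else if (result[i] !== undefined) return false;
  }
  return true;
}

// Spread is observable through Array.prototype[Symbol.iterator]: a temporary
// replacement must be invoked once per index, holes included, which rules out
// any copy path that bypasses the iterator for holey arrays.
function spreadHonorsIterator(holey) {
  const saved = Array.prototype[Symbol.iterator];
  const visited = [];
  Array.prototype[Symbol.iterator] = function* () {
    for (let i = 0; i < this.length; i++) {
      visited.push(i);
      yield this[i];
    }
  };
  try {
    const out = [...holey];
    return visited.length === holey.length && checkDense(holey, out);
  } finally {
    Array.prototype[Symbol.iterator] = saved;
  }
}

// Run every check over every constructed input and report per input.
function runChecks() {
  const report = {};
  for (const [name, holey] of Object.entries(makeHoleyInputs())) {
    const out = spreadAll(holey);
    report[name] = {
      holesInInput: holey.length - Object.keys(holey).length,
      literal: checkDense(holey, out.literal),
      args: checkDense(holey, out.args),
      from: checkDense(holey, out.from),
      viaIterator: spreadHonorsIterator(holey),
    };
  }
  return report;
}
```

Running runChecks() in d8 or node should return true for every check; a build with the hole leak either crashes in the spread (the SIGILL the reporter saw) or yields a result where some index is absent or holds a non-undefined value, which checkDense reports as false.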

Comment 7 by sheriffbot@chromium.org, Dec 16 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot