Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in v8::internal::Simulator::DecodeType3 |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6192417483259904 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0xe3813410 Crash State: v8::internal::Simulator::DecodeType3 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::Execute Recommended Security Severity: Medium Regressed: V8: r37469:37470 Minimized Testcase (0.35 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94pJIBeltUYhNmfFosSlu1ji1N08she7389ltaoMf6pxygK3grzkgWLTaPecsbrUx2LPBO4nOXHRleikNGtUodVO4eGNehFbL8rr-GZY_VDyN0P9Zs_Iut1RE1wunVCpX5EU6Mv-2-1kH4X0KwZXk0U4-Fmnw?testcase_id=6192417483259904 var __v_8 = {}; function __f_58(expected, __f_75, __f_7) { __f_75(__v_8, __f_7, new ArrayBuffer(1)).__f_19(); } function __f_105(__v_8, __v_36, buffer) { "use asm"; var __v_34 = new __v_8.Int32Array(buffer); function __f_19() { var __v_31 = 4; __v_34[__v_31 >> 2] = ((__v_34[0]|0) + 1) | 0; } return {__f_19: __f_19}; } __f_58(7, __f_105); Issue manually filed by: ishell See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 8 2016
,
Sep 9 2016
,
Sep 9 2016
,
Sep 9 2016
,
Sep 23 2016
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 28 2016
Friendly ping, this a stable blocker for M54, please try to have a fix in by the first week of October so it can be fixed in time for the release.
,
Oct 5 2016
A small memory like this also tickles wasm (but in changeheap): https://codereview.chromium.org/2393083003 The issue with this one seems to be that reads/writes that spill off the end of the heap by a fraction of the word size (1-3 bytes) aren't being properly bounds checked. Dropping as stable blocker (as it's behind a v8 flag in M54). The only slightly related issue with the memory bounds check seems to be for <4 bytes in the arraybuffer (as that wraps negative in the effective size calculation). But the failure happens at any size, as long as you're partially off the end of the array. It repros for arm-asan, but not x64-asan, which is also puzzling.
,
Oct 10 2016
Removing ReleaseBlock-Stable per #8
,
Oct 11 2016
,
Oct 11 2016
Per #9 moving to M55, Sheriffbot will always add RBS back to medium/high severity issues with Security_Impact-Beta
,
Oct 19 2016
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
,
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
,
Nov 1 2016
,
Nov 1 2016
Are we now rejecting instantiations with too small of memory? If so, this should be fixed.
,
Nov 1 2016
,
Nov 2 2016
Removing the ReleaseBlock-Stable from this bug again. If this bug is fixed we should just close it.
,
Nov 3 2016
,
Nov 3 2016
,
Nov 3 2016
Issue 653038 has been merged into this issue.
,
Nov 3 2016
,
Feb 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 5 2017
ClusterFuzz has detected this issue as fixed in range 45077:45078. Detailed report: https://clusterfuzz.com/testcase?key=6192417483259904 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0xe3813410 Crash State: v8::internal::Simulator::DecodeType3 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::Execute Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: V8: 37469:37470 Fixed: V8: 45077:45078 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6192417483259904 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ishell@chromium.org
, Sep 8 2016Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)