Issue 646351

Issue metadata

Status: Fixed
Owner: cbruni@chromium.org
Closed: Sep 2016
OS: Windows
Pri: 1
Type: Bug-Security


Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE

Reported by ClusterFuzz (Project Member), Sep 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5746069701132288

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x23ccf912
Crash State:
  v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE
  v8::internal::ElementsAccessorBase<v8::internal::SlowSloppyArgumentsElementsAcce
  v8::internal::Runtime_ArrayIndexOf
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=417856:417919

Minimized Testcase (9.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95tcz-epYQmp2Bh8tDjq3P5S-pz2gjZN0os0YuVDETLPE11ercPc8WxVTdCf78nNGklujw_4vxl6IdanYcP0K4dd2Y97V7iRcGItBHa9UuyqLRWDdef3kCEY84dpggaFTNzmlUM7cq43OAYNMdNzNh4wQOc0Q?testcase_id=5746069701132288

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
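The crash state above names the path the fuzzer hit: Runtime_ArrayIndexOf dispatching into the elements accessor for a sloppy-mode arguments object whose element store is in slow (dictionary) mode. The following is an added behavioural check, not the minimized ClusterFuzz testcase and not claimed to crash any build; it constructs that kind of object on purpose and runs Array.prototype.indexOf over it so the aliasing and hole-skipping semantics can be checked on a fixed d8 or Node.js. Assumptions: the Function constructor is used to get a sloppy-mode function independent of the surrounding script's strictness, and the claim that `delete` plus a far-out index moves V8's arguments elements to dictionary mode is an engine-internal detail, not something the tracker page states.

```javascript
// Added example: exercises indexOf on a sloppy arguments object, first in its
// normal (mapped, fast-elements) form and then after forcing its element store
// slow. Not the ClusterFuzz testcase; does not reproduce the reported crash.

// Functions created with the Function constructor are non-strict regardless of
// the caller's strictness, so `arguments` here is a "mapped" sloppy arguments
// object: arguments[i] aliases formal parameter i while the mapping holds.
const makeMapped = new Function("a", "b", "c", `
  // Reassigning a formal is visible through arguments[0] (parameter aliasing).
  a = "changed";
  return arguments;
`);

// Fast path: packed sloppy arguments elements.
function indexOfOnFastArguments() {
  const args = makeMapped("x", "y", "z");
  return {
    // indexOf must see the aliased value at index 0, not the original actual.
    aliasedFound: Array.prototype.indexOf.call(args, "changed"),
    originalGone: Array.prototype.indexOf.call(args, "x"),
    // fromIndex is honoured just as on a real array.
    fromIndex: Array.prototype.indexOf.call(args, "z", 1),
    // The other formals are still aliased and untouched.
    third: args[2],
  };
}

// Slow path: deleting an element and adding a sparse high index is the usual
// way to make V8 abandon the packed store for a dictionary (assumption about
// engine internals; the observable semantics below must hold either way).
function indexOfOnSlowArguments() {
  const args = makeMapped("x", "y", "z");
  delete args[1];        // leaves a hole at index 1 and drops its parameter mapping
  args[100000] = "far";  // sparse element well past `length`

  const withShortLength = {
    // Index 0 is still aliased to the reassigned formal.
    aliasedFound: Array.prototype.indexOf.call(args, "changed"),
    // indexOf uses HasProperty per index, so the hole is skipped, not read as undefined.
    holeSkipped: Array.prototype.indexOf.call(args, undefined),
    // length is still 3, so the element at 100000 is outside the search range.
    farFound: Array.prototype.indexOf.call(args, "far"),
  };

  // arguments.length is an ordinary writable property; extend the search range.
  args.length = 100001;
  const withLongLength = {
    aliasedFound: Array.prototype.indexOf.call(args, "changed"),
    farFound: Array.prototype.indexOf.call(args, "far"),
  };

  return { withShortLength, withLongLength };
}
```

Run it with d8 or node; every lookup should agree with the same calls on a plain array built from the same values, which is exactly the invariant a regression check for this path wants.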
 
Comment 1

Cc: titzer@chromium.org
Status: Available (was: Untriaged)
Labels: Pri-2

Comment 2

Owner: cbruni@chromium.org
Status: Assigned (was: Available)

Hello Camillo,

Assigning this security bug to you (as it appears it might be related to CL https://chromium.googlesource.com/v8/v8/+/621f4af7200ef76bfafa671efa6121bb9b6fb630).

Thank you!

Comment 3 by sheriffbot@chromium.org (Project Member), Sep 14 2016

Labels: M-55

Comment 4 by sheriffbot@chromium.org (Project Member), Sep 14 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org (Project Member), Sep 14 2016

Labels: -Pri-2 Pri-1

Comment 6 by cbruni@chromium.org, Sep 14 2016

Labels: -ReleaseBlock-Beta -Security_Severity-Medium -Security_Impact-Head
The found regression range doesn't make sense. 
I can repro it with the version 5.5.150 (3fbbc7afd46a5664db9f65f2db758bdfa6830007), but this has been fixed by https://codereview.chromium.org/2332503002.

Comment 7 by cbruni@chromium.org, Sep 14 2016

Cc: -titzer@chromium.org

Comment 8 by cbruni@chromium.org, Sep 19 2016

Status: Fixed (was: Assigned)
Labels: Security_Impact-Head

Comment 10 by sheriffbot@chromium.org (Project Member), Sep 20 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 by sheriffbot@chromium.org (Project Member), Dec 26 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot