Issue metadata
Use-of-uninitialized-value in v8::internal::JSArrayBuffer::SetupAllocatingData
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5400246610034688

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::JSArrayBuffer::SetupAllocatingData
  v8::WebAssemblyMemory
  v8::internal::FunctionCallbackArguments::Call

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=420270:420294

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97jrfvMNH1w4JJKzTY2jJc0tka8qp_uMwbqxqqZmVDCsZ_D19Tk95UbMPm6wBBDykXPQwRfwBlj7-wVFLr4ik1mTpSFG1-8atgpWML0d0PgwS-63dmTOKWE5nkMwWD5rUUS0gRTwM_esCfMlzRhipwxbsHOpg?testcase_id=5400246610034688

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 23 2016
Sep 23 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7bffaaac2c2d3c638475ade4adba60f1b01dd66f

commit 7bffaaac2c2d3c638475ade4adba60f1b01dd66f
Author: ahaas <ahaas@chromium.org>
Date: Mon Sep 26 13:07:44 2016

[wasm] Do a proper HasProperty() check in the memory and table setup.

The WebAssembly spec requires a HasProperty() check for the maximum property of the descriptor object which is used to set up a WebAssembly.Memory object or a WebAssembly.Table object. The original implementation only approximated the HasProperty() check. It used Get() to get the value of the maximum property of the descriptor object and compared the resulting value to {undefined}. However, this approximation is incorrect if the property exists but its value is {undefined}.

R=titzer@chromium.org, franzih@chromium.org
BUG= chromium:649461
TEST=mjsunit/wasm/memory

Review-Url: https://codereview.chromium.org/2367673003
Cr-Commit-Position: refs/heads/master@{#39722}

[modify] https://crrev.com/7bffaaac2c2d3c638475ade4adba60f1b01dd66f/src/wasm/wasm-js.cc
[modify] https://crrev.com/7bffaaac2c2d3c638475ade4adba60f1b01dd66f/test/mjsunit/wasm/memory.js
[modify] https://crrev.com/7bffaaac2c2d3c638475ade4adba60f1b01dd66f/test/mjsunit/wasm/table.js
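The distinction the commit message draws, as an added JavaScript model that is not V8's code: the descriptor shape {initial, maximum} comes from the WebAssembly JS API, while the validation rules and the accessor-property case (which goes beyond the commit's present-but-undefined case) are this example's own assumptions.

```javascript
// Added example, not V8's code: models the two ways the commit message
// describes for deciding whether a WebAssembly.Memory descriptor carries
// a "maximum". Validation rules below are this example's simplification.

// Pre-fix approximation: Get() the value and compare it to undefined.
// An explicitly present `maximum: undefined` is misread as "absent".
function hasMaximumApprox(descriptor) {
  return descriptor.maximum !== undefined;
}

// Behaviour the commit says the spec requires: HasProperty() asks only
// whether the key exists (own or inherited); it does not read the value.
function hasMaximumSpec(descriptor) {
  return "maximum" in descriptor;
}

// Simplified memory setup driven by one of the two checks. Returns the
// decision, or the error the descriptor would produce.
function setupMemory(descriptor, hasMaximum) {
  const initial = Number(descriptor.initial);
  if (!Number.isInteger(initial) || initial < 0) {
    return { error: "initial must be a non-negative integer" };
  }
  if (!hasMaximum(descriptor)) {
    return { initial, hasMaximum: false };
  }
  // Only the spec path reaches here for `maximum: undefined`; converting
  // it yields NaN, which is rejected instead of being used as a size.
  const maximum = Number(descriptor.maximum);
  if (!Number.isInteger(maximum) || maximum < initial) {
    return { error: "maximum must be an integer >= initial" };
  }
  return { initial, hasMaximum: true, maximum };
}

// Beyond the commit's case (example's own assumption): HasProperty() also
// differs from Get() for accessors, since `in` never runs the getter.
function getterInvocations() {
  let runs = 0;
  const descriptor = { initial: 1, get maximum() { runs++; return 2; } };
  hasMaximumSpec(descriptor);
  const afterSpec = runs;
  hasMaximumApprox(descriptor);
  return { afterSpec, afterApprox: runs };
}

// Constructed descriptor mirroring the bug: the key is present, value undefined.
console.log(setupMemory({ initial: 1, maximum: undefined }, hasMaximumApprox));
console.log(setupMemory({ initial: 1, maximum: undefined }, hasMaximumSpec));
```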
Sep 26 2016
Sep 27 2016
ClusterFuzz has detected this issue as fixed in range 420859:421045.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5400246610034688

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::JSArrayBuffer::SetupAllocatingData
  v8::WebAssemblyMemory
  v8::internal::FunctionCallbackArguments::Call

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=420270:420294
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=420859:421045

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97jrfvMNH1w4JJKzTY2jJc0tka8qp_uMwbqxqqZmVDCsZ_D19Tk95UbMPm6wBBDykXPQwRfwBlj7-wVFLr4ik1mTpSFG1-8atgpWML0d0PgwS-63dmTOKWE5nkMwWD5rUUS0gRTwM_esCfMlzRhipwxbsHOpg?testcase_id=5400246610034688

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 28 2016
Oct 25 2016
Jan 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 22 2016
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)