Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in v8::internal::Simulator::DecodeType6CoprocessorIns |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5207823032254464 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_ignition_v8_arm_dbg Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 4 Crash Address: 0xdd220d10 Crash State: v8::internal::Simulator::DecodeType6CoprocessorIns v8::internal::Simulator::InstructionDecode v8::internal::Simulator::Execute Recommended Security Severity: High Regressed: V8: r37469:37470 Minimized Testcase (0.38 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96fKkNbT8NXpqoRndbFg5yqayt5zs9JJos6_IosWAMbUR37IiJM_ngsxuR_5FyWiSLhMjKYtG1gh0YTEJEItsMgpD5t5bZl3ousej7qQSrmfb3bg5f_J_D9XlbQki7E5MSlAt1v1dPFy9yyaxN2t7VpqDxUAg?testcase_id=5207823032254464 __v_12 = this; function __f_64(expected, __f_82, __f_11) { __f_82(__v_12, __f_11, new ArrayBuffer(1)).__f_25(); } function __f_6() { } (function() { })(); function __f_60(__v_12, __v_41, heap) { "use asm"; var __v_13 = new __v_12.Float32Array(heap); function __f_82() { var __v_30 = 1.23; __v_13[0] = __v_30; } return {__f_25: __f_82}; } __f_64(1.23, __f_60); ( { })(); Issue manually filed by: rossberg See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 10 2016
,
Oct 11 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 13 2016
,
Oct 13 2016
Clusterfuzz believes the regression was introduced by the following change: https://chromium.googlesource.com/v8/v8/+log/d781b9561997fba1ae0315b020b79abf71959e7f..f20323dce2a796f25eddec83c34b97127d046745?pretty=fuller
,
Oct 14 2016
This looks like it is only related to the simulator. Rossberg@ or bradnelson@ can you confirm?
,
Oct 18 2016
,
Oct 24 2016
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
,
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
,
Nov 3 2016
Looks like another case of a non-page aligned memory.
,
Nov 3 2016
,
Feb 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Oct 10 2016