
Issue 654391 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security

Blocked on:
issue v8:6090


Participants' hotlists:
Hotlist-AsmJsParser



Heap-buffer-overflow in v8::internal::Simulator::DecodeType6CoprocessorIns

Project Member Reported by ClusterFuzz, Oct 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5207823032254464

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xdd220d10
Crash State:
  v8::internal::Simulator::DecodeType6CoprocessorIns
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Recommended Security Severity: High

Regressed: V8: r37469:37470

Minimized Testcase (0.38 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96fKkNbT8NXpqoRndbFg5yqayt5zs9JJos6_IosWAMbUR37IiJM_ngsxuR_5FyWiSLhMjKYtG1gh0YTEJEItsMgpD5t5bZl3ousej7qQSrmfb3bg5f_J_D9XlbQki7E5MSlAt1v1dPFy9yyaxN2t7VpqDxUAg?testcase_id=5207823032254464
__v_12 = this;
function __f_64(expected, __f_82, __f_11) {
  __f_82(__v_12, __f_11, new ArrayBuffer(1)).__f_25();
}
function __f_6() {
}
(function() {
})();
function __f_60(__v_12, __v_41, heap) {
  "use asm";
  var __v_13 = new __v_12.Float32Array(heap);
  function __f_82() {
    var __v_30 = 1.23;
    __v_13[0] = __v_30;
  }
  return {__f_25: __f_82};
}
__f_64(1.23, __f_60);
( {
})();


Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)
Brad, this seems related to your change.
Comment 2 by sheriffbot@chromium.org (Project Member), Oct 10 2016

Labels: Pri-1

Comment 3 by tsepez@chromium.org, Oct 10 2016

Labels: Security_Impact-None
This is still behind a flag, right?  If not, please re-assess security impact.
Labels: Hotlist-Asm

Comment 5 by aarya@google.com, May 25 2017

Cc: mstarzinger@chromium.org
Brad, any update on this issue? If this option is behind a flag, does it still warrant a P1 status? (Just going through Blink SLO violations as Blink triage sheriff.)
Please reduce the priority if this is not P1.

Comment 8 by kochi@chromium.org, Dec 12 2017

Ping (on behalf of triage sheriff)

Comment 9 by palmer@chromium.org, Feb 14 2018

Cc: danno@chromium.org hablich@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
If this is a bug in production code, it's past its 60-day deadline and we need to get someone on it. If it's simulator-only, please note that fact and mark it as a Type=Bug and remove the security labels. Thank you!

Also, it would presumably affect all V8 platforms, right?
Blockedon: v8:6090
Cc: -mstarzinger@chromium.org bradnelson@chromium.org
Owner: mstarzinger@chromium.org
Status: WontFix (was: Assigned)
This was only affecting the "old asm.js validator", the "new asm.js validator" correctly reports the instantiation with an ArrayBuffer of size 1 as bogus. This is no longer actionable ...

$ ./out/x64.debug/d8 test/mjsunit/foo.js 
test/mjsunit/foo.js:75: Linking failure in asm.js: Unexpected heap size
test/mjsunit/foo.js:77: RangeError: byte length of Float32Array should be a multiple of 4
  var __v_13 = new __v_12.Float32Array(heap);
               ^
RangeError: byte length of Float32Array should be a multiple of 4
    at new Float32Array (<anonymous>)
    at __f_60 (test/mjsunit/foo.js:77:16)
    at __f_64 (test/mjsunit/foo.js:69:2)
    at test/mjsunit/foo.js:84:1

Comment 11 by sheriffbot@chromium.org (Project Member), May 24 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
