Issue 664469

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Crash in v8::internal::Simulator::DecodeType3

Reported by ClusterFuzz, Nov 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475380073693184

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda7849bc
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Recommended Security Severity: Medium

Regressed: V8: r40895:40896

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jGGc4pqJxLr8lnxWkVEDz6-1z-DN5P60KeGdXgO2Ywz8nTqhsDrW45uAzL_U5XHFBCOLd1447MztdrbdMmEjEQgASY9lANSjxt3XMWO587HcYGgvebm79m1nIjc_dmlSkdsVr1tENgpt7beY33QS0SDg3OA?testcase_id=6475380073693184
var v37 = {};
var v45 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[1] = v45;
  this[1] = Array(0x8000).join();
});
v81 = v37[0];


Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by titzer@chromium.org, Nov 11 2016

Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)
Jakob, can you please take a look? It bisected to your recent CL.

Comment 2 by ClusterFuzz, Nov 11 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5482593819820032

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda2849bc
Crash State:
  v8::internal::Simulator::DecodeTypeImmediate
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Recommended Security Severity: Medium

Regressed: V8: r40895:40896

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qYqCP0AdZv3HSwDhzHUVc7pC6Q3zXFAVxdABUaNZ3E_g2fegITFaPriB-R-VI2p14bURK6hx9e_gXmtfkQhJmZw-dmZ-mFEfwPaaAT4pKSRLsnh87w957EpkWSTvSC_b5eBYY0xwpdfL10TWOVUFCiAAF2Q?testcase_id=5482593819820032
var v0 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[0] = v0;
});
Object.prototype.__defineSetter__(0, function() {
  this[1] = v0;
  this[0] = Array(0x8000).join();
});
v61 = new Intl.NumberFormat();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by bugdroid1@chromium.org, Nov 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/567904f1a784595f606dd855684f25dc4358abeb

commit 567904f1a784595f606dd855684f25dc4358abeb
Author: jkummerow <jkummerow@chromium.org>
Date: Fri Nov 11 13:01:49 2016

[ic] Fix elements conversion in KeyedStoreGeneric

A SmiUntag() was missing when loading the old backing store's length.

BUG= chromium:664469 

Review-Url: https://codereview.chromium.org/2492783004
Cr-Commit-Position: refs/heads/master@{#40921}

[modify] https://crrev.com/567904f1a784595f606dd855684f25dc4358abeb/src/ic/keyed-store-generic.cc
[add] https://crrev.com/567904f1a784595f606dd855684f25dc4358abeb/test/mjsunit/regress/regress-crbug-664469.js

Status: Fixed (was: Assigned)
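The commit message above states that the element-conversion code loaded the old backing store's length without a SmiUntag(). The following C++ model is added here to illustrate that bug class; it is not code from V8 or from the fix. On the 32-bit ARM and MIPS targets these fuzz jobs simulate, a small integer n is stored as the tagged word n << 1, so a tagged length consumed as a plain element count is twice the real length and a copy loop driven by it walks past the end of the array, which is the kind of out-of-bounds read the UNKNOWN READ reports describe. BackingStore, CopyElements and MakeStore are hypothetical names for the model; the real FixedArray layout and the generated code in keyed-store-generic.cc are not reproduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not V8 code. On 32-bit V8 a Smi holding n is the word
// n << 1 (low bit 0), so reading the tagged word as an integer yields 2n.
static inline int32_t SmiTag(int32_t n) { return n << 1; }
static inline int32_t SmiUntag(int32_t tagged) { return tagged >> 1; }

// Toy model of a FixedArray (hypothetical layout): a Smi length field
// followed by the element payload. payload.size() == SmiUntag(tagged_length).
struct BackingStore {
  int32_t tagged_length;
  std::vector<int32_t> payload;
};

// What a simulated copy did: how many reads stayed inside the payload and
// how many would have gone past its end.
struct CopyResult {
  std::size_t copied;
  std::size_t out_of_bounds;
};

// Copy the old store's elements into a new store. `untag` selects the correct
// code path (true) or the buggy one that uses the raw tagged word (false).
// Every read is checked against the real payload size so the model reports
// the over-read instead of performing it.
CopyResult CopyElements(const BackingStore& old, bool untag) {
  int32_t count = untag ? SmiUntag(old.tagged_length) : old.tagged_length;
  CopyResult r{0, 0};
  std::vector<int32_t> new_store;
  for (int32_t i = 0; i < count; ++i) {
    if (static_cast<std::size_t>(i) < old.payload.size()) {
      new_store.push_back(old.payload[i]);
      ++r.copied;
    } else {
      // In the real engine this is a read of whatever memory follows the array.
      ++r.out_of_bounds;
    }
  }
  return r;
}

// Build a store of n zero elements with a correctly tagged length.
BackingStore MakeStore(int32_t n) {
  BackingStore s;
  s.tagged_length = SmiTag(n);
  s.payload.assign(static_cast<std::size_t>(n), 0);
  return s;
}
```

With untag set to true the loop reads exactly n elements; with it false the loop reads 2n, so the second half of the iterations land outside the payload. The fix referenced in the commit restores the SmiUntag() on that length load.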

Comment 5 by sheriffbot@chromium.org, Nov 11 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 by ClusterFuzz, Nov 12 2016

ClusterFuzz has detected this issue as fixed in range 40919:40926.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5482593819820032

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda2849bc
Crash State:
  v8::internal::Simulator::DecodeTypeImmediate
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Recommended Security Severity: Medium

Regressed: V8: r40895:40896
Fixed: V8: r40919:40926

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qYqCP0AdZv3HSwDhzHUVc7pC6Q3zXFAVxdABUaNZ3E_g2fegITFaPriB-R-VI2p14bURK6hx9e_gXmtfkQhJmZw-dmZ-mFEfwPaaAT4pKSRLsnh87w957EpkWSTvSC_b5eBYY0xwpdfL10TWOVUFCiAAF2Q?testcase_id=5482593819820032
var v0 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[0] = v0;
});
Object.prototype.__defineSetter__(0, function() {
  this[1] = v0;
  this[0] = Array(0x8000).join();
});
v61 = new Intl.NumberFormat();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz, Nov 12 2016

ClusterFuzz has detected this issue as fixed in range 40919:40926.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475380073693184

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda7849bc
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Recommended Security Severity: Medium

Regressed: V8: r40895:40896
Fixed: V8: r40919:40926

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jGGc4pqJxLr8lnxWkVEDz6-1z-DN5P60KeGdXgO2Ywz8nTqhsDrW45uAzL_U5XHFBCOLd1447MztdrbdMmEjEQgASY9lANSjxt3XMWO587HcYGgvebm79m1nIjc_dmlSkdsVr1tENgpt7beY33QS0SDg3OA?testcase_id=6475380073693184
var v37 = {};
var v45 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[1] = v45;
  this[1] = Array(0x8000).join();
});
v81 = v37[0];


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Security_Impact-Head M-56

Comment 9 by sheriffbot@chromium.org, Feb 17 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1