New issue
Advanced search Search tips

Issue 666517 link

Starred by 1 user
Status: Verified
Owner:
jochen@chromium.org
Closed: Nov 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in unibrow::Utf8::CalculateValue

Project Member Reported by ClusterFuzz, Nov 17 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4883078360334336

Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300001796e
Crash State:
  unibrow::Utf8::CalculateValue
  unibrow::Utf8::Validate
  v8::internal::wasm::ModuleDecoder::consume_string
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=432836:432874

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95heabenf99YFH0JJr8WQ0ww7LOnu_knQuP3QZf-7TroO4IcdsR9-yYPeUtbIXKY5ncw5Bt1Qk0s_nRSNWEVgBkgem5q0MjdBKBac_G3ksViKj9BqjNV7I2PgimIVxsN_yuGulD7eH0oXgBvznsKdlxHHQFhw?testcase_id=4883078360334336

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Nov 18 2016

Labels: M-56
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 18 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 18 2016

Labels: Pri-1

Comment 4 by kerrnel@chromium.org, Nov 18 2016

Owner: jochen@chromium.org
Status: Assigned (was: Untriaged)
jochen@, is this something you can take a look at? Thanks.

Comment 5 by kerrnel@chromium.org, Nov 18 2016

Components: Blink>JavaScript
Project Member

Comment 6 by ClusterFuzz, Nov 19 2016 

ClusterFuzz has detected this issue as fixed in range 433084:433312.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4883078360334336

Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300001796e
Crash State:
  unibrow::Utf8::CalculateValue
  unibrow::Utf8::Validate
  v8::internal::wasm::ModuleDecoder::consume_string
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=432836:432874
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=433084:433312

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95heabenf99YFH0JJr8WQ0ww7LOnu_knQuP3QZf-7TroO4IcdsR9-yYPeUtbIXKY5ncw5Bt1Qk0s_nRSNWEVgBkgem5q0MjdBKBac_G3ksViKj9BqjNV7I2PgimIVxsN_yuGulD7eH0oXgBvznsKdlxHHQFhw?testcase_id=4883078360334336

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 19 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 19 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 9 by ClusterFuzz, Dec 16 2016 

ClusterFuzz has detected this issue as fixed in range 433834:433855.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4883078360334336

Fuzzer: libfuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300001796e
Crash State:
  unibrow::Utf8::CalculateValue
  unibrow::Utf8::Validate
  v8::internal::wasm::ModuleDecoder::consume_string
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=432836:432874
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=433834:433855

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95heabenf99YFH0JJr8WQ0ww7LOnu_knQuP3QZf-7TroO4IcdsR9-yYPeUtbIXKY5ncw5Bt1Qk0s_nRSNWEVgBkgem5q0MjdBKBac_G3ksViKj9BqjNV7I2PgimIVxsN_yuGulD7eH0oXgBvznsKdlxHHQFhw?testcase_id=4883078360334336

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by awhalley@google.com, Dec 16 2016

Labels: -ReleaseBlock-Beta OS-Windows
Likely fixed by: https://chromium.googlesource.com/v8/v8/+/9d524bd33dd2e8d861128499b1ffa3b3c6377628
Project Member

Comment 11 by sheriffbot@chromium.org, Feb 25 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment