Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in unibrow::Utf8::CalculateValue |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5079519695470592 Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x61d00000c7e6 Crash State: unibrow::Utf8::CalculateValue unibrow::Utf8DecoderBase::Reset v8::internal::Factory::NewStringFromUtf8 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=433457:433459 Minimized Testcase (2.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96FurnxPiyj76LFMj2yaeJCoBbE6iMgTEgJ6593E8Yl_82HV7BtQvMjP-vehFYDktbAOY8cz6XrHHegmWWMX6n9d9tCcKY2uzMu-LNpecxr8Lj-5GzF9Ye6UviD6FsrHYWYYSLOim4zkXENMw5l8LlDYHMviQ?testcase_id=5079519695470592 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Nov 21 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 21 2016
,
Nov 21 2016
Can you take a look at this or route it someone who can? Thanks.
,
Nov 21 2016
,
Nov 21 2016
This looks to be a genuine issue in unibrow::Utf8::CalculateValue introduced in https://codereview.chromium.org/2493143003. In particular, if 0xf0 occurs at the end of a buffer (i.e. it is str[0]), then str[1] (which is out of range) is accessed to compare it to 0x90 and 0xBF. There are similar cases in the same block. I'll send out a CL to vogelheim shortly.
,
Nov 21 2016
,
Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9d524bd33dd2e8d861128499b1ffa3b3c6377628 commit 9d524bd33dd2e8d861128499b1ffa3b3c6377628 Author: jbroman <jbroman@chromium.org> Date: Tue Nov 22 09:27:41 2016 Fix out-of-range access in unibrow::Utf8::CalculateValue. This code should not access bytes out of the permitted range in order to check the range of a possible UTF-8 value. Instead, the length check should occur before such checks. BUG= chromium:667260 , chromium:662822 Review-Url: https://codereview.chromium.org/2520053003 Cr-Commit-Position: refs/heads/master@{#41165} [modify] https://crrev.com/9d524bd33dd2e8d861128499b1ffa3b3c6377628/src/unicode-decoder.h [modify] https://crrev.com/9d524bd33dd2e8d861128499b1ffa3b3c6377628/src/unicode.cc [modify] https://crrev.com/9d524bd33dd2e8d861128499b1ffa3b3c6377628/test/unittests/BUILD.gn [add] https://crrev.com/9d524bd33dd2e8d861128499b1ffa3b3c6377628/test/unittests/unicode-unittest.cc [modify] https://crrev.com/9d524bd33dd2e8d861128499b1ffa3b3c6377628/test/unittests/unittests.gyp
,
Nov 22 2016
,
Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7c462455b0aae841aaa5e53777ec31c910525c49 commit 7c462455b0aae841aaa5e53777ec31c910525c49 Author: Daniel Vogelheim <vogelheim@chromium.org> Date: Tue Nov 22 10:42:12 2016 Merged: Fix out-of-range access in unibrow::Utf8::CalculateValue. Revision: 9d524bd33dd2e8d861128499b1ffa3b3c6377628 BUG= chromium:662822 , chromium:667260 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=hablich@chromium.org Review URL: https://codereview.chromium.org/2521933002 . Cr-Commit-Position: refs/branch-heads/5.5@{#54} Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1} Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015} [modify] https://crrev.com/7c462455b0aae841aaa5e53777ec31c910525c49/src/unicode-decoder.h [modify] https://crrev.com/7c462455b0aae841aaa5e53777ec31c910525c49/src/unicode.cc [modify] https://crrev.com/7c462455b0aae841aaa5e53777ec31c910525c49/test/unittests/BUILD.gn [add] https://crrev.com/7c462455b0aae841aaa5e53777ec31c910525c49/test/unittests/unicode-unittest.cc [modify] https://crrev.com/7c462455b0aae841aaa5e53777ec31c910525c49/test/unittests/unittests.gyp
,
Nov 22 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 22 2016
ClusterFuzz has detected this issue as fixed in range 433834:433855. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5079519695470592 Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x61d00000c7e6 Crash State: unibrow::Utf8::CalculateValue unibrow::Utf8DecoderBase::Reset v8::internal::Factory::NewStringFromUtf8 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=433457:433459 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=433834:433855 Minimized Testcase (2.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96FurnxPiyj76LFMj2yaeJCoBbE6iMgTEgJ6593E8Yl_82HV7BtQvMjP-vehFYDktbAOY8cz6XrHHegmWWMX6n9d9tCcKY2uzMu-LNpecxr8Lj-5GzF9Ye6UviD6FsrHYWYYSLOim4zkXENMw5l8LlDYHMviQ?testcase_id=5079519695470592 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8a92864905039bfc359a9526b1aeb2085d5c00bf commit 8a92864905039bfc359a9526b1aeb2085d5c00bf Author: Daniel Vogelheim <vogelheim@chromium.org> Date: Wed Nov 23 11:54:53 2016 Merged: Squashed multiple commits. Merged: Return kBadChar for longest subpart of incomplete utf-8 character. Revision: fd40ebb1e64274ae3529f8bbe6dad6adc76cb391 Merged: Fix out-of-range access in unibrow::Utf8::CalculateValue. Revision: 9d524bd33dd2e8d861128499b1ffa3b3c6377628 BUG= chromium:662822 , chromium:667260 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=marja@chromium.org, hablich@chromium.org Review URL: https://codereview.chromium.org/2522193002 . Cr-Commit-Position: refs/branch-heads/5.6@{#13} Cr-Branched-From: bdd3886218dfe76e8560eb8a18401942452ae859-refs/heads/5.6.326@{#1} Cr-Branched-From: 879f6599eee6e1dfcbe9a24bf688b261c03e9558-refs/heads/master@{#41014} [modify] https://crrev.com/8a92864905039bfc359a9526b1aeb2085d5c00bf/src/unicode-decoder.h [modify] https://crrev.com/8a92864905039bfc359a9526b1aeb2085d5c00bf/src/unicode.cc [modify] https://crrev.com/8a92864905039bfc359a9526b1aeb2085d5c00bf/test/cctest/test-parsing.cc [modify] https://crrev.com/8a92864905039bfc359a9526b1aeb2085d5c00bf/test/unittests/BUILD.gn [add] https://crrev.com/8a92864905039bfc359a9526b1aeb2085d5c00bf/test/unittests/unicode-unittest.cc [modify] https://crrev.com/8a92864905039bfc359a9526b1aeb2085d5c00bf/test/unittests/unittests.gyp
,
Nov 23 2016
,
Jan 10 2017
No further action needed for Node.js as this issue is not present in V8 5.4 or older.
,
Jan 27 2017
,
Mar 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Nov 21 2016