Heap-buffer-overflow in v8::internal::Simulator::DecodeType3
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5323460609048576

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xdca93830
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::CallInternal

Recommended Security Severity: High

Regressed: V8: r37469:37470

Minimized Testcase (0.39 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97zIuthJLN6Mky_xkuHx0w16yc1c8CuGoVUn8kppUuOwAZvoQBACeR85G8ZIMCmEVie2-W6wNP-7BTX6BlWNwbL744VvRZhS4pM5yH8IwCZ-POs6VRJk4jQrz7cx6w8w6N96FRQBuASSiMCsr6aDeE_oDBjJw?testcase_id=5323460609048576

    function __f_19(stdlib, env, heap) {
      "use asm";
      var __v_18 = new stdlib.Int32Array(heap);
      var __v_19 = new stdlib.Float32Array(heap);
      var __v_22 = stdlib.Math.fround;
      var __v_21 = env.value|0;
      function __f_18() {
        var __v_23 = __v_22(0.0);
        __v_18[0]=__v_21|0,__v_19[0];
      }
      return { __f_18: __f_18 };
    }
    __v_20 = new ArrayBuffer(1);
    __f_19(this, {__v_21: 0x7fffffff}, __v_20).__f_18();

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 1 2016
Assuming this impacts stable based on the regression range.
Dec 2 2016
Dec 16 2016
bradnelson: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 30 2016
bradnelson: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 17 2017
Jan 26 2017
Mar 10 2017
Apr 5 2017
Ping on this - do we have any more idea of what's going on?
Apr 20 2017
May 1 2017
+mbarbella Any idea how Finch impacts clusterfuzz? I would have expected the trial being at 0%, these would all dry up? These can only be tickled with the validator on (behind a flag). We've turned down the Finch experiment to 0%, and have a different validator that we'll be switching over to in the coming weeks. As this seems to be down at the wasm codegen level, we'll want to confirm v3 of the validator isn't also affected (but they look like bad checks on the size of the heap being a multiple of 8).
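The comment above attributes the crash to bad checks on the heap size in the validator then in use. As an added example that is not V8's code and not part of this thread, the JavaScript below models the checks a safe asm.js link step has to make before specialised code may drop per-access bounds checks: the heap length must satisfy the asm.js spec's heap-length rule (2^n with 12 <= n <= 24, or a positive multiple of 2^24), and every static access must fit in that heap. It also shows what plain JavaScript does with the testcase's 1-byte heap: it refuses to build a 4-byte view over it at all. The function names and the `staticAccesses` list are hypothetical.

```javascript
// Added example, not V8 code and not from the bug report. Function names and the
// shape of staticAccesses are hypothetical.

// asm.js spec rule for the heap's byteLength: 2^n with 12 <= n <= 24, or a positive
// multiple of 2^24. The testcase's 1-byte ArrayBuffer fails this and must be rejected,
// so the module falls back to ordinary, bounds-checked JavaScript.
function isValidAsmHeapLength(byteLength) {
  if (!Number.isInteger(byteLength) || byteLength <= 0) return false;
  const MIN_POW2 = 1 << 12;   // 4096
  const MAX_POW2 = 1 << 24;   // 16 MiB
  if (byteLength >= MAX_POW2) return byteLength % MAX_POW2 === 0;
  return byteLength >= MIN_POW2 && (byteLength & (byteLength - 1)) === 0;
}

// Does view[index] on a view with elementBytes-wide elements land inside a heap of
// heapBytes? Int32Array and Float32Array are 4-byte views, so index 0 on a 1-byte
// heap is already out of bounds: that is the WRITE 4 in the report.
function accessInBounds(heapBytes, elementBytes, index) {
  if (!Number.isInteger(index) || index < 0) return false;
  return (index + 1) * elementBytes <= heapBytes;
}

// Hypothetical link-time check: accept the heap only if the spec rule holds and every
// statically known (elementBytes, index) access fits. Anything else links as plain JS.
function linkAsmHeap(heap, staticAccesses) {
  if (!(heap instanceof ArrayBuffer)) return { asm: false, reason: 'heap is not an ArrayBuffer' };
  if (!isValidAsmHeapLength(heap.byteLength)) {
    return { asm: false, reason: `invalid asm.js heap length ${heap.byteLength}` };
  }
  for (const { elementBytes, index } of staticAccesses) {
    if (!accessInBounds(heap.byteLength, elementBytes, index)) {
      return { asm: false, reason: `index ${index} of a ${elementBytes}-byte view is out of bounds` };
    }
  }
  return { asm: true, reason: 'ok' };
}

// What plain JavaScript does for the testcase's store. A typed-array view over a buffer
// whose length is not a multiple of the element size throws RangeError at construction;
// a view over an empty buffer has length 0 and the store to index 0 is dropped.
// Specialised code must preserve this behaviour: it may never emit the write.
function plainJsStore(heapBytes, value) {
  try {
    const heap = new ArrayBuffer(heapBytes);
    const i32 = new Int32Array(heap);     // RangeError when heapBytes % 4 !== 0
    const f32 = new Float32Array(heap);
    i32[0] = value | 0;                   // bounds-checked; silently dropped if out of range
    return { threw: null, i32Length: i32.length, f32Length: f32.length, readBack: i32[0] };
  } catch (e) {
    return { threw: e.name };
  }
}
```

`linkAsmHeap(new ArrayBuffer(1), [{ elementBytes: 4, index: 0 }])` rejects the testcase's heap on the length rule before the access check is even reached; with a 4096-byte heap the same module links and the store is in bounds.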
May 3 2017
We aren't using finch. We are explicitly passing --validate-asm for this test case, though. The fuzzer in question picks up the flags from the existing tests. If there are definitely no plans to re-enable the experiment, it's fine to flip this to Security_Impact-None.
May 5 2017
ClusterFuzz has detected this issue as fixed in range 45077:45078.

Detailed report: https://clusterfuzz.com/testcase?key=5323460609048576

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xdca93830
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::CallInternal

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: V8: 37469:37470
Fixed: V8: 45077:45078

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5323460609048576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 5 2017
ClusterFuzz testcase 5323460609048576 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 5 2017
Yep, has been fixed by switching to new asm.js validator.
May 5 2017
Jul 24 2017
Aug 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Dec 1 2016
Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)