New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 670903 link

Starred by 1 user
Status: Duplicate
Merged: issue v8:5716
Owner:
titzer@chromium.org
Closed: Dec 2016
Cc:
bradnelson@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in asm-wasm-builder

Project Member Reported by ClusterFuzz, Dec 3 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6299221377679360

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fc9e1f00038
Crash State:
  heap
  GetHeap
  v8::internal::HandleBase::IsDereferenceAllowed
  
Recommended Security Severity: Medium

Regressed: V8: r41444:41445

Minimized Testcase (8.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95knWPYJxMYzVDtXc-gr9ldNGWXQIFndQxl_blkl5LURtTPC-6Lj3RU8qHx_zv0cfjK8LqUvE76UI1nKV2v39y3bz6bLvnrrlzMP3jiAINhzB28GzcSMpSkmV44i6bWYGYSmmRQLnuUB0XUiv1QT8tNZMWJ5A?testcase_id=6299221377679360

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Dec 3 2016

Labels: Pri-1

Comment 2 by och...@chromium.org, Dec 5 2016

Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)
Assigning to V8 CF sheriff.

Comment 3 by och...@chromium.org, Dec 5 2016

Labels: Security_Impact-Head

Comment 4 by titzer@chromium.org, Dec 6 2016

Cc: bradnelson@chromium.org
This bisects to https://chromium.googlesource.com/v8/v8/+log/45e45e0eb69ffa7dde0b9fdd3d365900db4e1573..5529430dec0d8997319d46e02c473a7a4faf1933?pretty=fuller

which routes lexical variables through Ignition and TurboFan.

But this crash happens in asm->wasm. Will investigate. CC'ing Brad.

Comment 5 by titzer@chromium.org, Dec 6 2016

Summary: Crash in asm-wasm-builder (was: Crash in heap)
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 6 2016

Labels: M-56
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 6 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by bradnelson@chromium.org, Dec 6 2016

Mergedinto: v8:5716
Status: Duplicate (was: Assigned)
Believe this is the same cause.
Project Member

Comment 9 by ClusterFuzz, Dec 7 2016 

ClusterFuzz has detected this issue as fixed in range 41528:41529.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6299221377679360

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fc9e1f00038
Crash State:
  heap
  GetHeap
  v8::internal::HandleBase::IsDereferenceAllowed
  
Recommended Security Severity: Medium

Regressed: V8: r41444:41445
Fixed: V8: r41528:41529

Minimized Testcase (8.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95knWPYJxMYzVDtXc-gr9ldNGWXQIFndQxl_blkl5LURtTPC-6Lj3RU8qHx_zv0cfjK8LqUvE76UI1nKV2v39y3bz6bLvnrrlzMP3jiAINhzB28GzcSMpSkmV44i6bWYGYSmmRQLnuUB0XUiv1QT8tNZMWJ5A?testcase_id=6299221377679360

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by bradnelson@chromium.org, Jan 17 2017

Labels: Hotlist-Asm
Project Member

Comment 11 by sheriffbot@chromium.org, Mar 15 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment