Bad-cast to icu_58::DateFormat from icu_58::DecimalFormat; __RT_impl_Runtime_InternalDateFormatToParts; v8::internal::Runtime_InternalDateFormatToParts
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5895840247054336
Fuzzer: v8_builtins_generator
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x7f6841b27fd0
Crash State:
  Bad-cast to icu_58::DateFormat from icu_58::DecimalFormat
  __RT_impl_Runtime_InternalDateFormatToParts
  v8::internal::Runtime_InternalDateFormatToParts
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_d8&range=440646:440653
Minimized Testcase (0.14 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ueLrSxn6OHxempAHuKizR3oZ4MjH_TneznCZqiwCwIhOnfGkRZPC3NPhzHnArNncms3CSdyhmGLmEf4PXVJlay-5mYvzRqGpJov0lNQHh69yps1FKAmAOBNkIHmz0wN3yH72fBFsH66fbG92LjZsM04ptGA?testcase_id=5895840247054336

  v5 = new Intl.NumberFormat();
  v9 = new Intl.DateTimeFormat();
  v52 = v9["formatToParts"];
  var v55 = {};
  v74 = Reflect.apply(v52, v5, v55);

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 27 2016
Dec 27 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 27 2016
Reverting the patch in https://codereview.chromium.org/2601783002/. I've repro'd locally that the revert turns this bad cast into an "illegal access" exception. However, that's a spec violation--it should throw a TypeError. I'll reland the patch together with a fixed type check for this sort of case.
Dec 27 2016
Landed the revert at https://codereview.chromium.org/2601783002/; reland out for review at https://codereview.chromium.org/2600913002/
Dec 28 2016
ClusterFuzz has detected this issue as fixed in range 440760:440774.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5895840247054336
Fuzzer: v8_builtins_generator
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x7f6841b27fd0
Crash State:
  Bad-cast to icu_58::DateFormat from icu_58::DecimalFormat
  __RT_impl_Runtime_InternalDateFormatToParts
  v8::internal::Runtime_InternalDateFormatToParts
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_d8&range=440646:440653
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_d8&range=440760:440774
Minimized Testcase (0.14 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ueLrSxn6OHxempAHuKizR3oZ4MjH_TneznCZqiwCwIhOnfGkRZPC3NPhzHnArNncms3CSdyhmGLmEf4PXVJlay-5mYvzRqGpJov0lNQHh69yps1FKAmAOBNkIHmz0wN3yH72fBFsH66fbG92LjZsM04ptGA?testcase_id=5895840247054336

  v5 = new Intl.NumberFormat();
  v9 = new Intl.DateTimeFormat();
  v52 = v9["formatToParts"];
  var v55 = {};
  v74 = Reflect.apply(v52, v5, v55);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/aa8a2d2789f79c2c367db406e453b9044e594e25

commit aa8a2d2789f79c2c367db406e453b9044e594e25
Author: littledan <littledan@chromium.org>
Date: Sat Jan 07 02:54:48 2017

[intl] Remove redundant type checking system

Previously, the Intl implementation tracked types two ways:
- In the intl_initialized_marker_symbol
- In various named properties of the intl_impl_object_symbol value

As far as I can tell, these will never disagree with each other, modulo bugs in Intl itself. This patch removes the second type checking system.

This reland includes a fixed type check for Intl.DateTimeFormat.prototype.formatToParts, which is the only Intl method which is not bound. All future methods will follow this pattern.

BUG=v8:5751, chromium:677055, v8:4962
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
Review-Url: https://codereview.chromium.org/2600913002
Cr-Commit-Position: refs/heads/master@{#42118}

[modify] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/src/i18n.cc
[modify] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/src/js/i18n.js
[modify] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/src/runtime/runtime-i18n.cc
[add] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/test/intl/bad-target.js
[add] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/test/mjsunit/regress/regress-4962.js
[add] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/test/mjsunit/regress/regress-677055.js
Jan 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b1e4f79e66ae7305ad034dc57004bbbc78f31441

commit b1e4f79e66ae7305ad034dc57004bbbc78f31441
Author: machenbach <machenbach@chromium.org>
Date: Sat Jan 07 06:50:45 2017

Revert of [intl] Remove redundant type checking system (patchset #4 id:60001 of https://codereview.chromium.org/2600913002/ )

Reason for revert:
Breaks noi18n.

Original issue's description:
> [intl] Remove redundant type checking system
>
> Previously, the Intl implementation tracked types two ways:
> - In the intl_initialized_marker_symbol
> - In various named properties of the intl_impl_object_symbol value
>
> As far as I can tell, these will never disagree with each other,
> modulo bugs in Intl itself. This patch removes the second type
> checking system.
>
> This reland includes a fixed type check for
> Intl.DateTimeFormat.prototype.formatToParts, which is the only Intl
> method which is not bound. All future methods will follow this
> pattern.
>
> BUG=v8:5751, chromium:677055, v8:4962
> CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
>
> Review-Url: https://codereview.chromium.org/2600913002
> Cr-Commit-Position: refs/heads/master@{#42118}
> Committed: https://chromium.googlesource.com/v8/v8/+/aa8a2d2789f79c2c367db406e453b9044e594e25

TBR=yangguo@chromium.org,adamk@chromium.org,littledan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5751, chromium:677055, v8:4962

Review-Url: https://codereview.chromium.org/2617323002
Cr-Commit-Position: refs/heads/master@{#42119}

[modify] https://crrev.com/b1e4f79e66ae7305ad034dc57004bbbc78f31441/src/i18n.cc
[modify] https://crrev.com/b1e4f79e66ae7305ad034dc57004bbbc78f31441/src/js/i18n.js
[modify] https://crrev.com/b1e4f79e66ae7305ad034dc57004bbbc78f31441/src/runtime/runtime-i18n.cc
[delete] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/test/intl/bad-target.js
[delete] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/test/mjsunit/regress/regress-4962.js
[delete] https://crrev.com/aa8a2d2789f79c2c367db406e453b9044e594e25/test/mjsunit/regress/regress-677055.js
Jan 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/788c96a95525f70f81e7b2786dff9f2f09ecad1c

commit 788c96a95525f70f81e7b2786dff9f2f09ecad1c
Author: littledan <littledan@chromium.org>
Date: Mon Jan 09 22:24:57 2017

[intl] Remove redundant type checking system

Previously, the Intl implementation tracked types two ways:
- In the intl_initialized_marker_symbol
- In various named properties of the intl_impl_object_symbol value

As far as I can tell, these will never disagree with each other, modulo bugs in Intl itself. This patch removes the second type checking system.

This reland includes a fixed type check for Intl.DateTimeFormat.prototype.formatToParts, which is the only Intl method which is not bound. All future methods will follow this pattern.

The second reland ensures that a newly inserted test is only run if Intl is present.

BUG=v8:5751, chromium:677055, v8:4962
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
TBR=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2623683002
Cr-Commit-Position: refs/heads/master@{#42152}

[modify] https://crrev.com/788c96a95525f70f81e7b2786dff9f2f09ecad1c/src/i18n.cc
[modify] https://crrev.com/788c96a95525f70f81e7b2786dff9f2f09ecad1c/src/js/i18n.js
[modify] https://crrev.com/788c96a95525f70f81e7b2786dff9f2f09ecad1c/src/runtime/runtime-i18n.cc
[add] https://crrev.com/788c96a95525f70f81e7b2786dff9f2f09ecad1c/test/intl/bad-target.js
[add] https://crrev.com/788c96a95525f70f81e7b2786dff9f2f09ecad1c/test/mjsunit/regress/regress-4962.js
[add] https://crrev.com/788c96a95525f70f81e7b2786dff9f2f09ecad1c/test/mjsunit/regress/regress-677055.js
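To make the receiver check described in the reland concrete, here is an added JavaScript example (not V8's code or its regression tests): it models in user land why an unbound prototype method must brand-check `this` before touching internal state, contrasts that with an unchecked variant, and probes the real engine with the ClusterFuzz test case. `DateTimeFormatModel`, `NumberFormatModel` and the WeakSet brand are hypothetical names chosen for this example.

```javascript
// Added example (not V8's code): user-land model of the receiver brand check
// for the one unbound Intl method, plus a probe of the engine's own behaviour.

// Brand registry: only objects constructed by DateTimeFormatModel belong.
const dateTimeFormatBrand = new WeakSet();

class DateTimeFormatModel {
  constructor() {
    dateTimeFormatBrand.add(this);
    this.parts = [{ type: 'year', value: '2016' }]; // constructed sample
  }
}

// Unbound prototype method: `this` is whatever the caller supplies, so the
// brand must be verified before internal state is touched. This is exactly
// what Reflect.apply(formatToParts, numberFormat, ...) in the report exercises.
DateTimeFormatModel.prototype.formatToParts = function formatToParts() {
  if (!dateTimeFormatBrand.has(this)) {
    throw new TypeError('formatToParts called on incompatible receiver');
  }
  return this.parts.slice();
};

// Unchecked variant: trusts `this` and reads a field a foreign receiver lacks.
// In JavaScript that merely yields undefined; in the C++ runtime it was a bad cast.
function uncheckedFormatToParts() {
  return this.parts;
}

class NumberFormatModel {
  constructor() { this.maximumFractionDigits = 3; } // unrelated state
}

// Call fn with `receiver` as `this` and classify the outcome.
function callWithReceiver(fn, receiver) {
  try {
    return 'returned ' + typeof fn.call(receiver);
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : String(e);
  }
}

// Probe the real engine: after the fix, the genuine
// Intl.DateTimeFormat.prototype.formatToParts applied to an Intl.NumberFormat
// must throw a TypeError rather than crash or report "illegal access".
function probeEngineFormatToParts() {
  if (typeof Intl === 'undefined' || !Intl.DateTimeFormat) return 'no-intl';
  return callWithReceiver(Intl.DateTimeFormat.prototype.formatToParts,
                          new Intl.NumberFormat());
}
```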
Apr 5 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by penny...@chromium.org, Dec 27 2016
Labels: Pri-1
Owner: littledan@chromium.org
Status: Assigned (was: Untriaged)