Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in v8::internal::Simulator::DecodeType6CoprocessorIns |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6448067290333184 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 4 Crash Address: 0xdc937ee0 Crash State: v8::internal::Simulator::DecodeType6CoprocessorIns v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: r37469:37470 Minimized Testcase (0.32 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94_4CiZhm6fKOBONWTpdeqJ94Bl_Tn3Gvg0681NS_59cBZZrw7shhv6TPsXfx7rA4tMRT92ORwHlafBQYtMZ3icMIgUydpIcXfLRP9YbeJo-Sl0Zd9Lq3t-oW7cCbiVkVuH5z8mDxL26i2r_CNyBt8zPDA17cFdWP8a6IZ3ng76TkhOjARHXhn569WxnB-44rX0ka2UYxaVS3M4K2L5wED4knfIDwA5W4e4N072zbqzKvmD88GOAd1WLuukCpCJOAbye9Wk3iRn7RvZQMrsrl2H0z4lWLbk21pNDnio45cfZGUX3Q5-usc83hd_fGxoN0UPlMXSmP-R1Rb3UPI4aDxv9FKSmiAPL_MMBPC4TFYxIWXerq33DmMszYYlj_ZM9yBoLMOewwiE2oklQDyLpx6D0kUXUA?testcase_id=6448067290333184 __v_8 = this; function __f_63(expected, __f_81, __f_7) { __f_81(__v_8, __f_7, new ArrayBuffer(1)).__f_21(); } __f_63(1.23, __f_59); function __f_59(__v_8, __v_37, heap) { "use asm"; var __v_9 = new __v_8.Float32Array(heap); function __f_81() { var __v_26 = 1.23; __v_9[0] = __v_26; } return {__f_21: __f_81}; } Issue manually filed by: ishell See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jan 15 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 15 2017
,
Jan 16 2017
,
Jan 17 2017
,
Jan 23 2017
A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
,
Jan 23 2017
No longer in M57.
,
Feb 6 2017
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 20 2017
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 9 2017
We're close to promoting M58 to Beta (next week March 16th). This bug is listed as RB-Beta-blocker. Can you please take a look at this bug and resolve before Beta promotion?
,
Mar 10 2017
,
Mar 13 2017
Friendly reminder - we're close to promoting M58 to Beta this Thursday. This bug is still listed as Release Blocking for Beta. Can you please take a look by Wednesday 3/15 5PM?
,
Mar 13 2017
We'll need to have the change merged into release branch (3029) by this Wednesday at 5pm.
,
Mar 15 2017
,
Mar 16 2017
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 17 2017
,
Mar 17 2017
This issue tagged as RBS. Please try to resolve ASAP preferably before next M58 Beta RC cut scheduled on 03/21 at 5.00 PM PST.
,
Mar 22 2017
This is still behind a flag, moving to M59.
,
May 1 2017
Merging into a related issue with v2 validator.
,
May 5 2017
ClusterFuzz has detected this issue as fixed in range 45077:45078. Detailed report: https://clusterfuzz.com/testcase?key=6448067290333184 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 4 Crash Address: 0xdc937ee0 Crash State: v8::internal::Simulator::DecodeType6CoprocessorIns v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: 37469:37470 Fixed: V8: 45077:45078 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6448067290333184 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jan 15 2017