
Issue 681386 link

Issue metadata

Status: Duplicate
Merged: issue 681707
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Crash in v8::internal::String::ToCString

Project Member Reported by ClusterFuzz, Jan 15 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6301623937925120

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00011fff8001
Crash State:
  v8::internal::String::ToCString
  v8::internal::String::ToCString
  v8::internal::wasm::AsmTyper::ImportLookup
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: V8: r42212:42308

Minimized Testcase (10.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv973mfGONYw_8bj-JVJgUKr6s30MKo2FEZMnOImrE814-zmlM_RkpN4CpW-6PzlMFAGs4ICsCAWh_7O7Jx9wiKHI2XYi_9BBO-48LkCjglwYwLZ4bktXfUhRRiHZQKzU8IMEoZFh-UYrNXZw7L1HLa7KBCvJnV1KRcJv20sDnTwMYssFUHZeNU-hxziN84dOJbzJD-gZJkg2TMxQVQrZc1ZJNuQRpY5GQfn-lrKS1UNPzq-1fv3sbDSil-eFlczRJtJARl2TOjI8utnGnHjA2AIgRIf-FO-BDlnZSKyf4BtPsuBAKx5gCaKvE-dmlHu0KLMPvEQe-hdzqQVsmFexmWzTdyYbGjAXOonJF1haIFee7S6XAuo?testcase_id=6301623937925120

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Jan 15 2017

Labels: M-57

Comment 2 by sheriffbot@chromium.org (Project Member), Jan 15 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Jan 15 2017

Labels: Pri-1
Cc: ishell@chromium.org yangguo@chromium.org jkummerow@chromium.org
Status: Available (was: Untriaged)
Some string-related changes in the ranges. Jakob's was reverted in the same range though.

Comment 5 by aarya@google.com, Jan 17 2017

Owner: ishell@chromium.org
Status: Assigned (was: Available)
Assigning to one of the v8 sheriffs to triage.

Comment 6 by ishell@chromium.org, Jan 17 2017

Owner: rossberg@chromium.org
Re-assigning to this week's CF sheriff.
Owner: bradnelson@chromium.org
Repro revision range is not useful, but the crash is in AsmTyper. @bradnelson, can you please have a look?
Mergedinto: 681707
Status: Duplicate (was: Assigned)

Comment 9 by sheriffbot@chromium.org (Project Member), Jan 18 2017

Labels: -reward-topanel reward-ineligible

Comment 10 by ClusterFuzz (Project Member), Jan 19 2017

ClusterFuzz has detected this issue as fixed in range 42432:42456.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6301623937925120

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00011fff8001
Crash State:
  v8::internal::String::ToCString
  v8::internal::String::ToCString
  v8::internal::wasm::AsmTyper::ImportLookup
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: V8: 42212:42308
Fixed: V8: 42432:42456

Minimized Testcase (10.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv973mfGONYw_8bj-JVJgUKr6s30MKo2FEZMnOImrE814-zmlM_RkpN4CpW-6PzlMFAGs4ICsCAWh_7O7Jx9wiKHI2XYi_9BBO-48LkCjglwYwLZ4bktXfUhRRiHZQKzU8IMEoZFh-UYrNXZw7L1HLa7KBCvJnV1KRcJv20sDnTwMYssFUHZeNU-hxziN84dOJbzJD-gZJkg2TMxQVQrZc1ZJNuQRpY5GQfn-lrKS1UNPzq-1fv3sbDSil-eFlczRJtJARl2TOjI8utnGnHjA2AIgRIf-FO-BDlnZSKyf4BtPsuBAKx5gCaKvE-dmlHu0KLMPvEQe-hdzqQVsmFexmWzTdyYbGjAXOonJF1haIFee7S6XAuo?testcase_id=6301623937925120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -ReleaseBlock-Beta

Comment 12 by sheriffbot@chromium.org (Project Member), Apr 26 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot