Issue 682909

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


Crash in v8::internal::StringCharacterStream::Reset

Project Member Reported by ClusterFuzz, Jan 20 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4600150967451648

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00020005
Crash State:
  v8::internal::StringCharacterStream::Reset
  v8::internal::String::ToCString
  v8::internal::String::ToCString
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=444724:444758

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96wea26DQV2_gm_NDS0Kth6EE__FT7oSIBbN5IzVr2-4JoXJYpMC-LUfXj7ubU7d9zMJYCXD__4SCYurY-xPmyRc5CYwMuzO8Ik1wJd3Hc_56bQT4Eh97pwjbiGaw2zT7TbRhkdEjlIj-3eDt8airwDvbYV--Wo5iHulqg6qnxIqoUDj4Aof7Wdd2mCmm4Q__wGG_rvbJvfgLlHsKBkM3LkozHQh6bqIWzDE7HYbdEhy67DL5ranCkSqxAXYKMPPTXWweN6apCv6DXkxdmyYKk98Fze3rNj0_YWcOg_WhMvkX5d7eQouReC9ZKtBHv2ry2IZ8aKtvRdqFGO9cj_iINbGSn8DFpQm06ktf8O0UkB5vaO9ko?testcase_id=4600150967451648
( {
})();
var __f_1 = (function(stdlib) {
  "use asm";
  var __v_2 = (stdlib[65535]);
})();


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sheriffbot@chromium.org (Project Member), Jan 20 2017

Labels: M-57

Comment 2 by sheriffbot@chromium.org (Project Member), Jan 20 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Jan 20 2017

Labels: Pri-1

Comment 4 by gov...@chromium.org, Jan 23 2017


A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Cc: titzer@chromium.org
Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)
Looks very similar to Issue 682960.
Labels: -M-57 Hotlist-Asm M-58

Comment 7 by ClusterFuzz (Project Member), Jan 24 2017

ClusterFuzz has detected this issue as fixed in range 445054:445058.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4600150967451648

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00020005
Crash State:
  v8::internal::StringCharacterStream::Reset
  v8::internal::String::ToCString
  v8::internal::String::ToCString
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=444724:444758
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=445054:445058

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96wea26DQV2_gm_NDS0Kth6EE__FT7oSIBbN5IzVr2-4JoXJYpMC-LUfXj7ubU7d9zMJYCXD__4SCYurY-xPmyRc5CYwMuzO8Ik1wJd3Hc_56bQT4Eh97pwjbiGaw2zT7TbRhkdEjlIj-3eDt8airwDvbYV--Wo5iHulqg6qnxIqoUDj4Aof7Wdd2mCmm4Q__wGG_rvbJvfgLlHsKBkM3LkozHQh6bqIWzDE7HYbdEhy67DL5ranCkSqxAXYKMPPTXWweN6apCv6DXkxdmyYKk98Fze3rNj0_YWcOg_WhMvkX5d7eQouReC9ZKtBHv2ry2IZ8aKtvRdqFGO9cj_iINbGSn8DFpQm06ktf8O0UkB5vaO9ko?testcase_id=4600150967451648
( {
})();
var __f_1 = (function(stdlib) {
  "use asm";
  var __v_2 = (stdlib[65535]);
})();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Jan 24 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5147970388623360 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by sheriffbot@chromium.org (Project Member), Jan 24 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta

Comment 11 by sheriffbot@chromium.org (Project Member), May 2 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot