New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 682960 link

Starred by 1 user
Status: Duplicate
Merged: issue 682909
Owner:
bradnelson@chromium.org
Last visit > 30 days ago
Closed: Jan 2017
Cc:
adamk@chromium.org
titzer@chromium.org
dschuff@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in v8::internal::String::ToCString

Project Member Reported by ClusterFuzz, Jan 20 2017 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5147970388623360

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x18686000
Crash State:
  v8::internal::String::ToCString
  v8::internal::String::ToCString
  v8::internal::wasm::AsmTyper::ImportLookup
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=444758:444799

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jneSlL_pu0Mxh49d5hA1QtJW24StPtwFw7Dw0EKcJKte--c1CMojjZEyvEUzJ8zp54lPk26YB93SKDH4ShVUVc7JR_ySo-QyDN2rhWZaLh9dM1-mP-lJWkse06s6hC5AJyts3DQgIGYbtUEBMteKq7PCy98ezH_hZ2Ayghmq0vg_51nDgKJuDmOXNx2jycYGVodx7WM7b0dmkn8czkYuoPGl8-rDpsljxs3-SYlmSU3PubdExlW-qDHHaItCvl4NwkYzOyK8RmTHK9CUcmUahFzQHEGXsVdZdKJ201WzwZ1RNC8fDFPw3NeeTGKIzIWckT5ZaLp6SAcFTvN8n4mmruacEEhiyFv1eYFSa2HAASaJI7wc?testcase_id=5147970388623360
var __f_4 = (function(stdlib) {
  "use asm";
  var __v_5 = (stdlib[-2147483648]);
})();


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Jan 20 2017

Labels: M-57
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 20 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 20 2017

Labels: Pri-1

Comment 4 by gov...@chromium.org, Jan 23 2017 


A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

Comment 5 by lgar...@chromium.org, Jan 23 2017

Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)
bradnelson@: Based on the stack trace, it seems you know about relevant parts of webasm; could you help triage this bug?

Comment 6 by lgar...@chromium.org, Jan 23 2017

Components: -Blink>JavaScript Blink>JavaScript>WebAssembly

Comment 7 by bradnelson@chromium.org, Jan 23 2017

Labels: -M-57 Hotlist-Asm M-58
Mergedinto: 682909
Status: Duplicate (was: Assigned)
Project Member

Comment 8 by ClusterFuzz, Jan 24 2017 

ClusterFuzz has detected this issue as fixed in range 445054:445058.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5147970388623360

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x18686000
Crash State:
  v8::internal::String::ToCString
  v8::internal::String::ToCString
  v8::internal::wasm::AsmTyper::ImportLookup
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=444758:444799
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=445054:445058

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jneSlL_pu0Mxh49d5hA1QtJW24StPtwFw7Dw0EKcJKte--c1CMojjZEyvEUzJ8zp54lPk26YB93SKDH4ShVUVc7JR_ySo-QyDN2rhWZaLh9dM1-mP-lJWkse06s6hC5AJyts3DQgIGYbtUEBMteKq7PCy98ezH_hZ2Ayghmq0vg_51nDgKJuDmOXNx2jycYGVodx7WM7b0dmkn8czkYuoPGl8-rDpsljxs3-SYlmSU3PubdExlW-qDHHaItCvl4NwkYzOyK8RmTHK9CUcmUahFzQHEGXsVdZdKJ201WzwZ1RNC8fDFPw3NeeTGKIzIWckT5ZaLp6SAcFTvN8n4mmruacEEhiyFv1eYFSa2HAASaJI7wc?testcase_id=5147970388623360
var __f_4 = (function(stdlib) {
  "use asm";
  var __v_5 = (stdlib[-2147483648]);
})();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by sheriffbot@chromium.org, May 3 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment