Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6217690814611456
Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x00004800001e
Crash State: NULL
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=427885:428102
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95FT07V8iw_kRIC2NKWmpksa4HQpaQbyJkd1CGAOpxUaOmNYcAhsr9PbGtOxUg4DmYWFcgAYjqIgi61743pkzabo9X9cR18tOoJiAPeUmaXWO2ggryG2iv8FdrTXVEhJgE7evZu39Zr-6mV9k3LHdOH0Tp_2M25mR76uw19QEtFlHgSBY6WxyFTFKzSL0fuImBw3zIh7tC0DIg1Rcm38Kc82chASpcqdGYnjeSGNY3JA29NLXkRgLNyNXVq5zLqHuAGoL-1Y2xG11hNxlODecTOEmmki9EayZstVn0oTTUxPbsjBLoWDS5MN6CDCY6Qkb_IOa4DooWyZ6RfOPu7YrgND5nSIPbd0XFSbr8-0JK54_9QieQ?testcase_id=6217690814611456

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jan 24 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 24 2017
Jan 24 2017
mbarbella, do you think you could help me with this report? It doesn't look like the Clusterfuzz report contains any information.
Jan 24 2017
+ awhalley@ (Security TPM)
Jan 24 2017
Looks like it could be real. Punting it to the V8 CF sheriff's queue. They'll have a better idea of what's going on.
Jan 25 2017
Please note that as this bug is marked as ReleaseBlock-Beta for M57, changes need to be on trunk by this Friday, 1/27, to make the M57 branch. Please prioritise accordingly. Thanks!
Jan 25 2017
Crash in WASM code created by WASM fuzzer.
Jan 25 2017
It seems like there is a problem with bounds checks after grow memory. I attached a minimized test case. Deepti, could you take a look?
Jan 25 2017
[Bulk edit] A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Jan 26 2017
Jan 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2a78f2980b3dc56cde5a10b1b554b38d2cc9f4c0

commit 2a78f2980b3dc56cde5a10b1b554b38d2cc9f4c0
Author: ahaas <ahaas@chromium.org>
Date: Fri Jan 27 00:34:42 2017

[x64] Do not compact constants with attached reloc info.

Reloc info often means that the constant will be patched later, and for this patching we have to make sure that there is enough space in the code for the new value.

R=bmeurer@chromium.org, titzer@chromium.org, gdeepti@chromium.org
BUG= chromium:684407
TEST=cctest/test-assembler-x64/Regression684407

Review-Url: https://codereview.chromium.org/2655213003
Cr-Commit-Position: refs/heads/master@{#42719}

[modify] https://crrev.com/2a78f2980b3dc56cde5a10b1b554b38d2cc9f4c0/src/x64/assembler-x64.cc
[modify] https://crrev.com/2a78f2980b3dc56cde5a10b1b554b38d2cc9f4c0/test/cctest/test-assembler-x64.cc
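The failure mode the commit message describes, as an added toy model that is not V8's assembler-x64.cc or the regression test: a 64-bit constant carrying reloc info is emitted in a compacted 4-byte encoding because its initial value is small, and the reloc patcher (run here to stand in for grow_memory updating the memory-size reference) later writes the full 8 bytes into that slot, overrunning the instruction bytes that follow. The encoding bytes, buffer layout and marker values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a code buffer; not V8's real assembler or reloc format. */
#define CODE_SIZE 32
#define NEXT_INSN_MARK 0xCC   /* stands in for the instruction bytes that follow */

typedef struct { uint8_t code[CODE_SIZE]; size_t pc; } CodeBuf;

/* Emit "mov reg, imm". With compaction, a value that fits in 32 bits is encoded
 * as a 4-byte imm32; the fix keeps the full 8-byte imm64 whenever reloc info is
 * attached, because the value will be patched later. Returns the offset of the
 * immediate, which is what the reloc entry records. */
static size_t emit_const(CodeBuf *cb, uint64_t value, bool has_reloc, bool fixed) {
    bool compact = value <= UINT32_MAX && !(fixed && has_reloc);
    size_t width = compact ? 4 : 8;
    cb->code[cb->pc++] = compact ? 0xB8 : 0x48;   /* placeholder opcode byte */
    size_t imm_at = cb->pc;
    memcpy(cb->code + imm_at, &value, width);      /* little-endian host assumed */
    cb->pc += width;
    return imm_at;
}

/* The reloc patcher knows only the reloc offset and that the reference is a
 * 64-bit value, so it always writes 8 bytes, whatever encoding was emitted. */
static void patch_reloc_const(CodeBuf *cb, size_t imm_at, uint64_t new_value) {
    memcpy(cb->code + imm_at, &new_value, 8);
}

/* Emit a memory-size constant followed by the next instruction, patch the
 * constant after a simulated grow_memory, and report whether the following
 * instruction bytes survived. Without the fix the compacted 4-byte slot is
 * overrun and whatever code follows it (e.g. a bounds check) is corrupted. */
static bool grow_memory_keeps_code_intact(bool fixed) {
    CodeBuf cb = { {0}, 0 };
    size_t imm_at = emit_const(&cb, 0x10000ULL, true, fixed);   /* 1 WASM page */
    size_t next_insn = cb.pc;
    memset(cb.code + next_insn, NEXT_INSN_MARK, 4);
    cb.pc += 4;
    patch_reloc_const(&cb, imm_at, 0x20000ULL);                 /* 2 pages */
    for (size_t i = 0; i < 4; i++)
        if (cb.code[next_insn + i] != NEXT_INSN_MARK) return false;
    return true;
}
```

With `fixed` set to false the marker bytes are clobbered, which is the kind of silent code corruption that ASAN later reports as a wild write from generated code; with the fix the 8-byte slot absorbs the patch.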
Jan 27 2017
Jan 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f1bfcd709422234f35397f7a05a8233768c8da87

commit f1bfcd709422234f35397f7a05a8233768c8da87
Author: Brad Nelson <bradnelson@chromium.org>
Date: Fri Jan 27 00:54:04 2017

Merged: [x64] Do not compact constants with attached reloc info.

Revision: 2a78f2980b3dc56cde5a10b1b554b38d2cc9f4c0

BUG= chromium:684407
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=mtrofin@chromium.org

Review-Url: https://codereview.chromium.org/2663463002 .
Cr-Commit-Position: refs/branch-heads/5.7@{#30}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/f1bfcd709422234f35397f7a05a8233768c8da87/src/x64/assembler-x64.cc
[modify] https://crrev.com/f1bfcd709422234f35397f7a05a8233768c8da87/test/cctest/test-assembler-x64.cc
Jan 27 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 27 2017
Jan 27 2017
Please merge your change to the M57 branch 2987 before 5:00 PM PT Monday (01/30) so we can pick it up for next week's last M57 Dev release. Thank you.
Jan 28 2017
ClusterFuzz has detected this issue as fixed in range 446542:446624.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6217690814611456
Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x00004800001e
Crash State: NULL
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=427885:428102
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=446542:446624
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fwEHX2Qk5lsL4Hmc4TA2TN9vCIq_HmQ4hde3ugbdd6ko-kwf4cfeI-JhJP55MQQIVGYiTzTLg7NfV0XHRGEksjgNoLrZU854UU747N1UWnIL8wZ-_odWjQ4dzQo_4bjZG5DFsrO_jnZ_fQ__F42PCVkV2-F1qg1OXooxEQ58dkzQNYJpnMOIzyWoRMesvx1hf4qy-uKKwSS5pD7mKfUH9OuZRgW58FK_-2XJVKdkT629EmwmLH85J1KkcyXnT5CaeqteZdwD07AWjxK7eWOB68mr8_3S9qlwJeypTjjGKLQ9zUhL1E-y4xqkVkwOSqH7o4ple39fm-mpVGRTTRl8pwEJFzAe8pXGyN7xa4fZ-Wioogbo?testcase_id=6217690814611456

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 28 2017
Jan 30 2017
Per comment #14, this is already merged to M57. Hence, removing "Merge-Approved-57" label.
May 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot