Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in blink::readVersionEnvelope |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4939506114625536 Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x608000006ff6 Crash State: blink::readVersionEnvelope blink::V8ScriptValueDeserializer::deserialize blink::SerializedScriptValueForModulesFactory::deserialize Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=454432:454473 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95v9-4NRInufgQEPVAMTmNfea1rEIJKBx10zpzUQJFt3rniAIcuj0bny0HOn12JTM4fJ1-fISrEaf6tCM1kjFqbNupwAHKdEqIEpi3TYGE4ggpasj2uqLd0mhR8gynaiBn-TJosz8RpyTRCXB1UgaNaJgs9Ge0ZMej2PRA739ZKuRsRHMLG4SX1B446ZUIhbXkt7fhINbcg5ojZhhaKoB2eyc_8Hmw97Yxo_dFsDWF3jsGaI3Qu_H8H0B7s9K8wee-JnFiVwgC0swdcHr3qUT96mGjOaDwBuROne1h8WyIRu_iNB56KzvYk2LUESEOKvbKIL_nvnWgt6PRfONxvyFYQvNCIcli5GTTTIuWx7si2Zfwi8Jk?testcase_id=4939506114625536 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Mar 3 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 3 2017
,
Mar 3 2017
Looks like caused by: https://codereview.chromium.org/2731533002
,
Mar 4 2017
,
Mar 4 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5bc43cef665b4180f278a893ad56ee4b27756c76 commit 5bc43cef665b4180f278a893ad56ee4b27756c76 Author: jbroman <jbroman@chromium.org> Date: Mon Mar 06 01:58:52 2017 V8ScriptValueDeserializer: Fix off-by-one issue in length comparison. BUG= 698141 Review-Url: https://codereview.chromium.org/2731183002 Cr-Commit-Position: refs/heads/master@{#454812} [modify] https://crrev.com/5bc43cef665b4180f278a893ad56ee4b27756c76/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
,
Mar 6 2017
ClusterFuzz has detected this issue as fixed in range 454802:454817. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4939506114625536 Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x608000006ff6 Crash State: blink::readVersionEnvelope blink::V8ScriptValueDeserializer::deserialize blink::SerializedScriptValueForModulesFactory::deserialize Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=454432:454473 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=454802:454817 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95v9-4NRInufgQEPVAMTmNfea1rEIJKBx10zpzUQJFt3rniAIcuj0bny0HOn12JTM4fJ1-fISrEaf6tCM1kjFqbNupwAHKdEqIEpi3TYGE4ggpasj2uqLd0mhR8gynaiBn-TJosz8RpyTRCXB1UgaNaJgs9Ge0ZMej2PRA739ZKuRsRHMLG4SX1B446ZUIhbXkt7fhINbcg5ojZhhaKoB2eyc_8Hmw97Yxo_dFsDWF3jsGaI3Qu_H8H0B7s9K8wee-JnFiVwgC0swdcHr3qUT96mGjOaDwBuROne1h8WyIRu_iNB56KzvYk2LUESEOKvbKIL_nvnWgt6PRfONxvyFYQvNCIcli5GTTTIuWx7si2Zfwi8Jk?testcase_id=4939506114625536 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 6 2017
ClusterFuzz testcase 4939506114625536 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 6 2017
,
Mar 13 2017
Fix is trivial. Requesting merge to 58, since the fix missed the branch and is only in 59 at present.
,
Mar 13 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/85518c82a15af1ad4985e5e906fe3e78ffeb8824 commit 85518c82a15af1ad4985e5e906fe3e78ffeb8824 Author: Jeremy Roman <jbroman@chromium.org> Date: Mon Mar 13 19:40:50 2017 V8ScriptValueDeserializer: Fix off-by-one issue in length comparison. BUG= 698141 Review-Url: https://codereview.chromium.org/2731183002 Cr-Commit-Position: refs/heads/master@{#454812} (cherry picked from commit 5bc43cef665b4180f278a893ad56ee4b27756c76) Review-Url: https://codereview.chromium.org/2746763004 . Cr-Commit-Position: refs/branch-heads/3029@{#161} Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471} [modify] https://crrev.com/85518c82a15af1ad4985e5e906fe3e78ffeb8824/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
,
Mar 13 2017
,
Jun 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Mar 3 2017