Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in v8::internal::Simulator::DecodeType2 |
|||||||||||||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4887047853834240 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 4 Crash Address: 0xd99ff7fc Crash State: v8::internal::Simulator::DecodeType2 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: 40662:40663 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv967IEgHiNdrjgZB_Lbj4Z3BqfCe13XoInG_x85bG1mnrqsx576TjK6qLa0csSz6Eb7mf8N3dgTxi3Fm9XY1a6FdVofgu2GuXO3MfGXagOj6NCemexZXzMBdC_SnzvOwz9_XO0v6h4by1MaWGGoX_3ZDvkTDtTOtiYYh4gLXrubozNKl20GgSP-hEXs4KI2IN94DvzdXMGZhhiHFLKHfNgsSDM9r_4OOxQfTFLGwvjrQP0ovwyj2kDdGVIX6heyv8qPjKIX2fYOLfFSXD3v845hS3fo1_gHtKj-FrupsToJux5X9QtjFpPuNr4ATkuhnjKiTAFq_th8cSb22a5jy24VoftZn7zljbs1NRZ307Hj6mcgAXUw?testcase_id=4887047853834240 Issue manually filed by: rossberg See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 15 2017
,
Mar 15 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 15 2017
,
Mar 15 2017
,
Mar 16 2017
Issue 702137 has been merged into this issue.
,
Mar 16 2017
,
Mar 17 2017
,
Mar 17 2017
This issue tagged as RBS. Please try to resolve ASAP preferably before next M58 Beta RC cut scheduled on 03/21 at 5.00 PM PST.
,
Mar 20 2017
Andreas, please assign to TF sheriffs.
,
Mar 27 2017
Is simulator related stuff really a RB and has high impact?
,
Mar 29 2017
mvstanton: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 29 2017
Hmm, we don't ship the simulator...will have a look though...
,
Apr 5 2017
A friendly reminder that M58 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix, verified in trunk and get it merged into the release branch ASAP.
,
Apr 5 2017
Yea, labels don't seem appropriate for sim issue. Fixing.
,
Jun 6 2017
,
Jun 9 2017
Simluator just gives us better stack and instrumentation. Why do you think this is simulator specific. Bringing back security labels.
,
Jun 10 2017
,
Jun 10 2017
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 18 2017
It's just a simulator issue, I'll remove the blockers.
,
Jul 18 2017
,
Jul 18 2017
mvstanton@, did you see c#17, can you explain why is this a simulator only issue and not manifest in production ?
,
Jul 21 2017
Re-adding security labels since we don't know why this issue won't manifest in production.
,
Jul 22 2017
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 26 2017
,
Aug 11 2017
ClusterFuzz testcase 4887047853834240 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 11 2017
,
Aug 13 2017
,
Aug 13 2017
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 13 2017
+awhalley@ for M61 merge review.
,
Aug 14 2017
hi mvstanton@, rmcilroy@ - it looks like this was fixed by https://chromium.googlesource.com/v8/v8/+/961a2c885d82502e7c90915883443435d27762d0 - what are your thoughts on an M61 merge for that?
,
Aug 15 2017
No we don't want to merge that CL to M61 - that removes the ability to revert back to the full-codegen compiler during m61 using finch in case we find a blocking error on the new asm.js verifier. I can't see the test case, however if the test case manually disables the new asm.js verifier (which is suggested by the fact that 961a2c fixes it) then that is another reason why this won't happen in production (as well as it being a simulator bug).
,
Aug 15 2017
As multiple people have pointed out before, the bug being a simulator bug does *not* mean it does not manifest in production. I can't view the testcase either to check if it disables any thing manually, I get "Invalid testcase" for the link.
,
Aug 16 2017
rmcilroy@, i have assigned you as owner, now you should able to see the report. Please check it out as we need to use your input to make the reward decision. Thanks!
,
Aug 17 2017
I'm still getting access denied when visiting https://clusterfuzz.com/testcase?key=4887047853834240 with either my google or chromium account.
,
Aug 17 2017
I'm still getting access denied when visiting https://clusterfuzz.com/testcase?key=4887047853834240 with either my google or chromium account.
,
Aug 24 2017
,
Aug 30 2017
Can you try signing in an incognito window with just your chromium account. i think we have seen trouble with multi-sign in before.
,
Sep 5 2017
I still get "You (email=rmcilroy@chromium.org) are not authorized to access this page!" even from an incognito window.
,
Sep 11 2017
The VRP Panel took a look and concluded that this is indeed mostly likely a simulator only bug. inferno@ - could you another look at the clusterfuzz access problem rmcilroy@ still seems to be having? mvstanton@, rmcilroy@ et al - when you note that a bug is simulator only, could you also provide a few more details as to why you think that? Will help us security folk learn to triage them better over time. Thanks!
,
Oct 17 2017
,
Nov 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||||||||||||
Comment 1 by rossberg@chromium.org
, Mar 15 2017Owner: u...@chromium.org
Status: Assigned (was: Untriaged)