Heap-buffer-overflow in MemoryWrite<double, |
|||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6250588460548096 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 8 Crash Address: 0x603000013077 Crash State: MemoryWrite<double, v8::internal::Simulator::LoadStoreHelper ExecuteInstruction Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: 39415:39416 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97RAMZtLFXgl_kbqGHFUi4p4qkEk--qZ4iOpM9STImYjY9p36IFwpCaNzUCoeStMomll-lZJCxWINOMmlyXZFK73S1UoMC4f-eDws54ERFUssNI7iHzs5ysBj1sWnrMJz4G7YGJD1BFo7Mkhwm66Zz2KrdYODuTnPNB2Vy1OHPRjpZdkCH0Qz9wts5SGnXus20Ky6mvXiYCmvUeIOf_xoCvz5KZ6IQUQLn36GaRAt9-BQA40bpO_SxxaRCYXcEB4hLHytW5QAChhHt15g8OflQowP6_5xDfoCMD-J75pTbla2dr3hX2w6k_8lnTMjDnyfX2WB6dgPGGnTgWmawT5h80cwKjLtyoz-ggNVNtS9pfxNGZDhcqxq8R8HA-PbJqVyvJsinskzG8TQOlIvBtduvrfE-3bQ?testcase_id=6250588460548096 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 19 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 19 2017
,
Mar 20 2017
aseemgarg - looks like you've done some work recently with arm simulator, could you please take a look, or re-assign as appropriate? Thanks!
,
Mar 20 2017
,
Mar 27 2017
Happening only in the simulator. I am not sure if this really is a high security impact?
,
Mar 27 2017
Most likely it's a --validate-asm issue.
,
Apr 2 2017
mstarzinger: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 7 2017
If this is simulator only then it's indeed not a security bug.
,
May 5 2017
ClusterFuzz has detected this issue as fixed in range 45077:45078. Detailed report: https://clusterfuzz.com/testcase?key=6250588460548096 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 8 Crash Address: 0x603000013077 Crash State: MemoryWrite<double, v8::internal::Simulator::LoadStoreHelper ExecuteInstruction Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: 39415:39416 Fixed: V8: 45077:45078 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6250588460548096 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 5 2017
ClusterFuzz testcase 6250588460548096 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
May 5 2017
Yep, has been fixed by switching to new asm.js validator.
,
May 5 2017
,
Aug 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by sheriffbot@chromium.org
, Mar 19 2017