Stack-use-after-return in v8::internal::Simulator::DecodeType2 |
||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6055288781406208 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Stack-use-after-return WRITE 4 Crash Address: 0xde374307 Crash State: v8::internal::Simulator::DecodeType2 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Regressed: V8: 43697:43698 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97zfCWUwmTSnYM15LQ2aeWq2HfW4Q96J5nR_1-hovX_0QBgc5WbgZYG9JgrMcgfZfkLVdJv8m8QiMx7-IYg07tDhOBCzj7YH-VwcPZZHuTvmQeyDPQShIzgfxLQzESOBOe0EqYvMW9d-v5OaD5eqIw5WP95fJwp0kcu90_zWMQV4d9so5ibae_JM8cAsLjahSLBUzcGpcKtZH46M5xi9lIMs0Zg_p2tKXG1sc-NAx4x0mcRLCH9k-Vcf8cWO4WDC8oh1oH8sbH5Bpe_lZUataslKzWY055ytud4Aplg6rt3ktA4LIT9enFtsZwcaBq4FYSJVC4xdXAqupbhwa0_qLTmGIc3ChENKuwYbwds9xpS2t8KSanxOXYWI4qvmw4AbXSJw4mclk_ohavZu7L_umPiJuX7tQ?testcase_id=6055288781406208 Issue manually filed by: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 20 2017
Not a security issue since this only affects the simulator, which is not shipped. Fix coming up soon.
,
Mar 20 2017
,
Mar 20 2017
The bug can only occur in the interactive debugger of the simulator. The way this bug is triggered by clusterfuzz is interesting:
- The launcher python script feeds the script names to load via pipe.
- The driver script (in JS) reads from stdin.
- The first script loaded hits a stop, and the simulator drops into the interactive debugger.
- More scripts names are coming in through stdin, and are fed into the interactive debugger.
- The debugger triggers ASAN.
The reason the simulator drops into the interactive debugger in the first place is because this script runs into a CSA_ASSERT. Which also fails on other platforms.
function foo() {
return new Array(0);
}
var a = foo();
a[0] += 1.1;
// Emit a TransitionElementsKindStub which transitions from double to object.
function store(a,x) {
a[0] = x;
}
store([1.1], 'a');
store([1.1], 1.1);
// Use the TransitionElementsKindStub to transition from double to object.
var b = foo();
store(b, 'a');
,
Mar 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/58a7c23a3495da7ab744f93f26bb62dc13745a59 commit 58a7c23a3495da7ab744f93f26bb62dc13745a59 Author: Yang Guo <yangguo@chromium.org> Date: Mon Mar 20 12:47:40 2017 [simulator] remove skips after debug break instructions. Previously we used to add a string address after the stop instruction for description. This has been removed, but the skip in the simulator was not consistently removed in 0ca72de24c. BUG= chromium:703051 Change-Id: I3135d180bcef174bc5d9dd24f7737a4415732976 Reviewed-on: https://chromium-review.googlesource.com/457356 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#43931} [modify] https://crrev.com/58a7c23a3495da7ab744f93f26bb62dc13745a59/src/arm/simulator-arm.cc [modify] https://crrev.com/58a7c23a3495da7ab744f93f26bb62dc13745a59/src/mips/assembler-mips.cc [modify] https://crrev.com/58a7c23a3495da7ab744f93f26bb62dc13745a59/src/mips/simulator-mips.cc [modify] https://crrev.com/58a7c23a3495da7ab744f93f26bb62dc13745a59/src/mips64/assembler-mips64.cc [modify] https://crrev.com/58a7c23a3495da7ab744f93f26bb62dc13745a59/src/mips64/simulator-mips64.cc
,
Mar 20 2017
Michael, could you reassign this bug for the issue in #4?
,
Mar 20 2017
Will re-triage, going on the back-log for now.
,
Mar 20 2017
If this is no longer a security issue following the fix in #5, please close this issue and file a follow-up non-security bug for any remaining work. Thanks !!!
,
Mar 21 2017
ClusterFuzz has detected this issue as fixed in range 43930:43931. Detailed report: https://clusterfuzz.com/testcase?key=6055288781406208 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Stack-use-after-return WRITE 4 Crash Address: 0xde374307 Crash State: v8::internal::Simulator::DecodeType2 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Regressed: V8: 43697:43698 Fixed: V8: 43930:43931 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97zfCWUwmTSnYM15LQ2aeWq2HfW4Q96J5nR_1-hovX_0QBgc5WbgZYG9JgrMcgfZfkLVdJv8m8QiMx7-IYg07tDhOBCzj7YH-VwcPZZHuTvmQeyDPQShIzgfxLQzESOBOe0EqYvMW9d-v5OaD5eqIw5WP95fJwp0kcu90_zWMQV4d9so5ibae_JM8cAsLjahSLBUzcGpcKtZH46M5xi9lIMs0Zg_p2tKXG1sc-NAx4x0mcRLCH9k-Vcf8cWO4WDC8oh1oH8sbH5Bpe_lZUataslKzWY055ytud4Aplg6rt3ktA4LIT9enFtsZwcaBq4FYSJVC4xdXAqupbhwa0_qLTmGIc3ChENKuwYbwds9xpS2t8KSanxOXYWI4qvmw4AbXSJw4mclk_ohavZu7L_umPiJuX7tQ?testcase_id=6055288781406208 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 21 2017
ClusterFuzz testcase 6055288781406208 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 21 2017
,
Mar 28 2017
,
Mar 29 2017
Confirmed with the VRP panel that this isn't a security bug.
,
Jun 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by mstarzinger@chromium.org
, Mar 20 2017Owner: yangguo@chromium.org
Status: Assigned (was: Untriaged)