Issue metadata
Sign in to add a comment
|
Use-after-poison in v8::internal::wasm::ThreadImpl::DoStackTransfer |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4506703409446912 Fuzzer: libfuzzer_v8_wasm_call_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Use-after-poison WRITE 16 Crash Address: 0x62500001e410 Crash State: v8::internal::wasm::ThreadImpl::DoStackTransfer v8::internal::wasm::ThreadImpl::DoBreak v8::internal::wasm::ThreadImpl::Execute Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=467104:467179 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4506703409446912 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Apr 26 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 26 2017
,
Apr 26 2017
wasm fuzzers rock as usual!
,
Apr 26 2017
This would be a test case in test-run-wasm-interpreter.cc:
TEST(Regression_715454) {
WasmRunner<int32_t> r(kExecuteInterpreted);
BUILD(r, kExprLoop, 0x7e, // @1 i64
kExprBr, 0x00, // depth=0
kExprEnd, // @5
kExprUnreachable,
);
r.Call();
}
,
Apr 26 2017
,
Apr 26 2017
,
Apr 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9bdabfd649470c2258a1831db524be94bfa065d6 commit 9bdabfd649470c2258a1831db524be94bfa065d6 Author: Clemens Hammacher <clemensh@chromium.org> Date: Thu Apr 27 16:04:47 2017 [wasm] [interpreter] Fix stack transfer to loop labels When branching to a loop header, we were trying to copy over {arity} values from the value stack. This is correct for block labels, but not for loops. When branching back to a loop header, no values need to be transferred. R=ahaas@chromium.org BUG= chromium:715454 Change-Id: I90d806de63d039abf8dcac1abec057860c8f69ca Reviewed-on: https://chromium-review.googlesource.com/488146 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#44949} [modify] https://crrev.com/9bdabfd649470c2258a1831db524be94bfa065d6/src/wasm/wasm-interpreter.cc [modify] https://crrev.com/9bdabfd649470c2258a1831db524be94bfa065d6/test/cctest/wasm/test-run-wasm.cc
,
Apr 27 2017
,
Apr 28 2017
,
Apr 29 2017
ClusterFuzz has detected this issue as fixed in range 467851:467913. Detailed report: https://clusterfuzz.com/testcase?key=4506703409446912 Fuzzer: libfuzzer_v8_wasm_call_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Use-after-poison WRITE 16 Crash Address: 0x62500001e410 Crash State: v8::internal::wasm::ThreadImpl::DoStackTransfer v8::internal::wasm::ThreadImpl::DoBreak v8::internal::wasm::ThreadImpl::Execute Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=467104:467179 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=467851:467913 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4506703409446912 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 18 2017
,
Aug 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Apr 26 2017