CHECK failure: new_memory->byte_length()->ToUint32(&mem_size) in wasm-debug.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5044593409392640
Fuzzer: inferno_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: new_memory->byte_length()->ToUint32(&mem_size) in wasm-debug.cc
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=458403:458497
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5044593409392640
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a5449b0fd65ab27f6ba6b5c95ba1328f24759230

commit a5449b0fd65ab27f6ba6b5c95ba1328f24759230
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon May 22 14:28:11 2017

[wasm] Stricter max memory check

If the maximum number of memory pages is raised using --wasm-max-mem-pages, we might allocate more than kMaxInt bytes for wasm memory. The byte length is stored as int in JSArrayBuffer, hence this can lead to failures. Thus, we now additionally check against kMaxInt, and fail instantiation if this check fails.

Drive-by: Add/fix more bounds checks.

R=ahaas@chromium.org
BUG=chromium:724846
Change-Id: Id8e1a1e13e15f4aa355ab9414b4b950510e5e88a
Reviewed-on: https://chromium-review.googlesource.com/509255
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45465}

[modify] https://crrev.com/a5449b0fd65ab27f6ba6b5c95ba1328f24759230/src/wasm/wasm-module.cc
[modify] https://crrev.com/a5449b0fd65ab27f6ba6b5c95ba1328f24759230/src/wasm/wasm-objects.cc
[add] https://crrev.com/a5449b0fd65ab27f6ba6b5c95ba1328f24759230/test/mjsunit/regress/wasm/regression-724846.js
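The failure mode the commit message describes, as an added C++ example that is my own illustration and not V8 code or the diff of this commit: a page count that is legal in pages but whose byte length no longer fits once it is stored in an int, beside a checked version that rejects instantiation (and, going slightly beyond the text, growth) instead. The 64 KiB page size, kMaxInt = INT32_MAX and the 65536-page wasm32 ceiling are stated as assumptions; the `max_pages_flag` parameter is a stand-in for --wasm-max-mem-pages.

```cpp
#include <cstdint>
#include <iostream>

// Added example, not V8 code. Constants are assumptions chosen to mirror the
// values the commit message talks about: 64 KiB per wasm page, a 32-bit
// signed int, and 65536 pages (4 GiB) as the wasm32 ceiling.
constexpr uint64_t kWasmPageSize = 64 * 1024;
constexpr uint64_t kMaxInt       = INT32_MAX;   // 2147483647
constexpr uint32_t kSpecMaxPages = 65536;

// Unchecked: the byte length is computed in 32-bit unsigned arithmetic and
// then parked in an int, as an int-typed length field would hold it.
// 32768 pages gives exactly 2^31, which no int can represent; the conversion
// is modular (guaranteed since C++20, universal on two's-complement targets),
// so the stored length reads back negative and a later "is this a uint32?"
// check fires. 65536 pages wraps the product all the way to 0.
int UncheckedByteLength(uint32_t pages) {
  uint32_t bytes = pages * static_cast<uint32_t>(kWasmPageSize);
  return static_cast<int>(bytes);
}

enum class MemCheck { kOk, kTooManyPages, kExceedsMaxInt };

// Hardened: page bounds first, then the byte length in 64-bit arithmetic
// (which cannot overflow for any uint32 page count), then the kMaxInt ceiling
// the commit adds. Only a length that passed every check is handed back.
MemCheck CheckedByteLength(uint32_t pages, uint32_t max_pages_flag,
                           uint64_t* out_bytes) {
  if (pages > kSpecMaxPages || pages > max_pages_flag) {
    return MemCheck::kTooManyPages;
  }
  uint64_t bytes = static_cast<uint64_t>(pages) * kWasmPageSize;
  if (bytes > kMaxInt) return MemCheck::kExceedsMaxInt;
  *out_bytes = bytes;
  return MemCheck::kOk;
}

// Same discipline for growth: old + delta is summed in 64 bits so a large
// delta cannot wrap the page count before it reaches the size checks.
MemCheck CheckedGrow(uint32_t old_pages, uint32_t delta_pages,
                     uint32_t max_pages_flag, uint64_t* out_bytes) {
  uint64_t new_pages = static_cast<uint64_t>(old_pages) + delta_pages;
  if (new_pages > kSpecMaxPages) return MemCheck::kTooManyPages;
  return CheckedByteLength(static_cast<uint32_t>(new_pages), max_pages_flag,
                           out_bytes);
}

int main() {
  // 32768 pages is the first page count whose byte length exceeds kMaxInt.
  std::cout << "unchecked(32767) = " << UncheckedByteLength(32767) << "\n";
  std::cout << "unchecked(32768) = " << UncheckedByteLength(32768) << "\n";
  std::cout << "unchecked(65536) = " << UncheckedByteLength(65536) << "\n";
  // With the flag raised to 65536 (assumption), the checked path refuses the
  // oversized length instead of storing a truncated one.
  uint64_t bytes = 0;
  MemCheck r = CheckedByteLength(32768, 65536, &bytes);
  std::cout << "checked(32768) exceeds kMaxInt: "
            << (r == MemCheck::kExceedsMaxInt) << "\n";
  return 0;
}
```

The order of the checks matters: the page-count bounds are applied before any multiplication, and the multiplication itself is done in a type wide enough that it cannot wrap, so the final comparison against kMaxInt is made on the true byte length rather than on a truncated one.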
May 23 2017
ClusterFuzz has detected this issue as fixed in range 473613:473716.
Detailed report: https://clusterfuzz.com/testcase?key=5044593409392640
Fuzzer: inferno_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: new_memory->byte_length()->ToUint32(&mem_size) in wasm-debug.cc
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=458403:458497
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=473613:473716
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5044593409392640
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by clemensh@chromium.org, May 22 2017
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)