Issue 725169 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue v8:6436
Owner:	ahaas@chromium.org
Closed:	May 2017
Cc:	haraken@chromium.org █ mtrofin@chromium.org █ bradnelson@chromium.org danno@chromium.org adamk@chromium.org titzer@chromium.org dschuff@chromium.org
Components:	Blink>JavaScript Blink>JavaScript>WebAssembly
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	1
Type:	Bug-Security
ReleaseBlock-Beta Reproducible Stability-Memory-AddressSanitizer Security_Impact-Head Security_Severity-High allpublic Clusterfuzz M-60

Heap-use-after-free in v8::internal::Zone::~Zone

Project Member Reported by ClusterFuzz, May 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6384294842073088

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x0aa028c0
Crash State:
  v8::internal::Zone::~Zone
  v8::internal::wasm::WasmModule::~WasmModule
  AsyncCompileJob::PrepareAndStartCompile::`scalar deleting destructor'
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6384294842073088


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by wfh@chromium.org, May 23 2017

Cc: haraken@chromium.org bradnelson@chromium.org danno@chromium.org
Components: Blink>JavaScript>WebAssembly

Comment 2 by bradnelson@chromium.org, May 23 2017

Cc: mtrofin@chromium.org
Owner: ahaas@chromium.org

ahaas, please triage and assign.

Comment 3 by bradnelson@chromium.org, May 23 2017

Status: Assigned (was: Untriaged)

Project Member

Comment 4 by sheriffbot@chromium.org, May 23 2017

Labels: M-60

Project Member

Comment 5 by sheriffbot@chromium.org, May 23 2017

Labels: ReleaseBlock-Beta

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 6 by sheriffbot@chromium.org, May 23 2017

Labels: Pri-1

Comment 7 by mtrofin@chromium.org, May 23 2017

Let's disable async compilation for the time being.

Comment 8 by mtrofin@chromium.org, May 23 2017

Mergedinto: v8:6436
Status: Duplicate (was: Assigned)

Project Member

Comment 9 by sheriffbot@chromium.org, Aug 30 2017

Labels: -Restrict-View-SecurityTeam allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 725169 link

Issue metadata

Heap-use-after-free in v8::internal::Zone::~Zone

Issue description

Comment 1 by wfh@chromium.org, May 23 2017

Comment 1 Deleted

Comment 2 by bradnelson@chromium.org, May 23 2017

Comment 2 Deleted

Comment 3 by bradnelson@chromium.org, May 23 2017

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, May 23 2017

Comment 4 Deleted

Comment 5 by sheriffbot@chromium.org, May 23 2017

Comment 5 Deleted

Comment 6 by sheriffbot@chromium.org, May 23 2017

Comment 6 Deleted

Comment 7 by mtrofin@chromium.org, May 23 2017

Comment 7 Deleted

Comment 8 by mtrofin@chromium.org, May 23 2017

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Aug 30 2017

Comment 9 Deleted

Sign in to add a comment