CHECK failure: (index >= 0) && (index < this->length()) in objects-inl.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4677692120367104
Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (index >= 0) && (index < this->length()) in objects-inl.h
  v8::internal::FixedTypedArray<v8::internal::Float64ArrayTraits>::SetValue
  v8::internal::ElementsAccessorBase<v8::internal::TypedElementsAccessor<
Sanitizer: address (ASAN)
Regressed: V8: 44321:44322
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4677692120367104
Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 29 2017
CF points to c5c0765ad918d3606d7711d9dc5e727981ec8dcf. Reproduces on TOT.

May 29 2017
Issue 726255 has been merged into this issue.

May 29 2017
Issue 727220 has been merged into this issue.

May 29 2017
Issue 727126 has been merged into this issue.

May 29 2017
Issue 727223 has been merged into this issue.

May 29 2017
Issue 726284 has been merged into this issue.

May 29 2017
Mini repro:

  var ta = new Float32Array(2);
  // The species constructor makes slice() build a Float64Array
  // (8-byte elements) from a Float32Array source (4-byte elements).
  ta.constructor = {
    [Symbol.species]: Float64Array
  };
  ta.slice(1);

This bug allows OOB writes on typed arrays.
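As an added example that is not part of this bug thread or of V8's own code: a spec-style JavaScript reference implementation of %TypedArray%.prototype.slice that honours Symbol.species and only copies raw bytes when source and result share an element type, falling back to an element-wise copy bounded by the result's own length otherwise (the Float32 to Float64 case from the mini repro). The helper names toInteger, speciesConstructor and speciesSlice are my own.

```javascript
// Spec-style ToIntegerOrInfinity (NaN -> 0).
function toInteger(v) {
  const n = Number(v);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Resolve the result constructor through constructor[Symbol.species],
// falling back to the source's intrinsic constructor, looked up by its
// toStringTag (e.g. "Float32Array"). Hypothetical helper, not V8 code.
function speciesConstructor(ta) {
  const C = ta.constructor;
  const fallback = globalThis[ta[Symbol.toStringTag]];
  if (C === undefined) return fallback;
  if (C === null || (typeof C !== 'object' && typeof C !== 'function')) {
    throw new TypeError('constructor is not an object');
  }
  const S = C[Symbol.species];
  if (S === undefined || S === null) return fallback;
  if (typeof S !== 'function') throw new TypeError('species is not a constructor');
  return S;
}

// %TypedArray%.prototype.slice with the species result type respected.
function speciesSlice(ta, start, end) {
  const len = ta.length;
  const relStart = toInteger(start);
  let k = relStart < 0 ? Math.max(len + relStart, 0) : Math.min(relStart, len);
  const relEnd = end === undefined ? len : toInteger(end);
  const fin = relEnd < 0 ? Math.max(len + relEnd, 0) : Math.min(relEnd, len);
  const count = Math.max(fin - k, 0);
  const result = new (speciesConstructor(ta))(count);
  // TypedArrayCreate: the species result must be a typed array holding at
  // least `count` elements, otherwise writing into it is unsafe.
  if (!ArrayBuffer.isView(result) || result instanceof DataView || result.length < count) {
    throw new TypeError('species constructor returned an unusable typed array');
  }
  if (count === 0) return result;
  if (result[Symbol.toStringTag] === ta[Symbol.toStringTag]) {
    // Same element type: a raw copy of count * BYTES_PER_ELEMENT bytes is valid.
    const bytes = count * ta.BYTES_PER_ELEMENT;
    const src = new Uint8Array(ta.buffer, ta.byteOffset + k * ta.BYTES_PER_ELEMENT, bytes);
    new Uint8Array(result.buffer, result.byteOffset, bytes).set(src);
  } else {
    // Different element type (Float32 -> Float64 in the repro): copy element
    // by element so every write is bounded by the result's length.
    for (let n = 0; n < count; n++, k++) result[n] = ta[k];
  }
  return result;
}
```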

May 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2f3f974f7443eb463c87773d584f0b890b77c19b

commit 2f3f974f7443eb463c87773d584f0b890b77c19b
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon May 29 14:25:44 2017

[builtins] Fix TypedArray slice for species constructor.

Bug: chromium:725865
Change-Id: I94006d45aefb969fb0cf98ec475c30c14b3837fa
Reviewed-on: https://chromium-review.googlesource.com/517488
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45567}

[modify] https://crrev.com/2f3f974f7443eb463c87773d584f0b890b77c19b/src/elements.cc
[modify] https://crrev.com/2f3f974f7443eb463c87773d584f0b890b77c19b/src/objects-inl.h
[modify] https://crrev.com/2f3f974f7443eb463c87773d584f0b890b77c19b/test/mjsunit/es6/typedarray-slice.js

May 30 2017
ClusterFuzz has detected this issue as fixed in range 45566:45567.

Detailed report: https://clusterfuzz.com/testcase?key=4677692120367104
Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (index >= 0) && (index < this->length()) in objects-inl.h
  v8::internal::FixedTypedArray<v8::internal::Float64ArrayTraits>::SetValue
  v8::internal::ElementsAccessorBase<v8::internal::TypedElementsAccessor<
Sanitizer: address (ASAN)
Regressed: V8: 44321:44322
Fixed: V8: 45566:45567
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4677692120367104

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

May 30 2017
ClusterFuzz testcase 4677692120367104 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

May 31 2017
Please consider this security critical bugfix. I don't think it has the baking time on canary yet, but I wanted to flag it now as the release is happening very soon.

May 31 2017
Your change meets the bar and is auto-approved for M60. Please go ahead and merge the CL to branch 3112 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 31 2017
This bug requires manual review: Only 5 days from stable, we might already have a stable candidate build. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 31 2017
+ awhalley@ for security review.

May 31 2017
Too late for 59 I'm afraid.

May 31 2017
...though we're taking another look at this since it might both be easily exploitable and easy to find. Further analysis forthcoming.

May 31 2017
This looks very exploitable (non-linear OOB write) and an attacker can presumably allocate stuff after the typedarray we're OOB writing in the species constructor. This leads to very easy RCE.

May 31 2017
Thanks for details - can we please get this in M60 Dev tomorrow and test it there first before merging it to 59. If all looks good, then we can consider it for Monday's M59 Stable Release.

Jun 1 2017
I've merged this to the 6.0 branch following the regular process: https://chromium.googlesource.com/v8/v8/+/b0967fa478141cdf98719a25656c50fb634d847b I have a CL for the merge to 5.9 *without* the DCHECK -> CHECK change as discussed. It can be submitted by a V8 committer if it is decided that we will merge the fix for the M59 Stable Release. It lives here: https://chromium-review.googlesource.com/c/521165

Jun 2 2017
This fix did not make it into 60.0.3112.10 Dev, which included V8 6.0.286.5 rather than Version 6.0.286.7 or later. What can we do to get it into the M59 stable release?

Jun 2 2017
Looking at canary data, are you confident this is a safe merge and not introducing any new regressions?

Jun 2 2017
Confirmed with Peter, it's a safe fix and it's verified in canary. Approving for M59 merge.

Jun 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b64cbfa6a5928288ab4f9a5fb67750a4d7ef929a

commit b64cbfa6a5928288ab4f9a5fb67750a4d7ef929a
Author: Peter Marshall <petermarshall@chromium.org>
Date: Fri Jun 02 21:10:50 2017

Merged: [builtins] Fix TypedArray slice for species constructor.

Revision: 2f3f974f7443eb463c87773d584f0b890b77c19b

Modified version of the original fix to revert DCHECK -> CHECK change.

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jochen@chromium.org

Bug: chromium:725865
Change-Id: I880a95b03dbd9a1bde8e08745ddfb1df4ed3e13f
Reviewed-on: https://chromium-review.googlesource.com/521165
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#65}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}

[modify] https://crrev.com/b64cbfa6a5928288ab4f9a5fb67750a4d7ef929a/src/elements.cc
[modify] https://crrev.com/b64cbfa6a5928288ab4f9a5fb67750a4d7ef929a/test/mjsunit/es6/typedarray-slice.js

Sep 5 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, May 24 2017