
Issue 732836


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




CHECK failure: size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Reported by ClusterFuzz (Project Member), Jun 13 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6566713058656256

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  v8::internal::__RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: address (ASAN)

Regressed: V8: 45896:45897

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6566713058656256


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: cbruni@chromium.org
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)
Regression range points to 5b427ad2d1e2c21a1a2ffafeaebb1593c70fc5b5. Extracted repro is:

function boom() {
  var args = [];
  // 125000 iterations pushing two values each: 250000 arguments in total.
  // 140737220444159 is outside Smi range, so the array built from these
  // values gets a double-backed elements store.
  for (var i = 0; i < 125000; i++)
    args.push(140737220444159, 524287);
  // Array called with 250000 arguments produces an array of 250000 elements;
  // this is the allocation that trips the CHECK in Runtime_AllocateInNewSpace.
  return Array.apply(Array, args);
}
var array = boom();
Issue 733132 has been merged into this issue.
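The repro above is one fixed point (250000 arguments, one non-Smi value). The block below is an added example, not code from this issue or from V8: it generalizes the repro so a practitioner can see the trigger condition as a number (argument count times slot size versus the regular-heap-object limit) and can confirm on a fixed engine that Array.apply still returns a faithful copy of every argument. The limit value of 512 KiB, the 8-byte element slot, and the 32-bit Smi range are assumptions for a 64-bit, non-pointer-compressed build of that era, not facts stated on the page; the function names (`plan`, `applyAndCheck`, `buildArgs`, `isSmi`) are hypothetical helpers written for this example.

```javascript
'use strict';

// ASSUMPTIONS (not stated on the page): a 64-bit V8 build without pointer
// compression, so every elements slot is 8 bytes whether the store holds
// tagged values or unboxed doubles, and a regular-object limit on the order
// of 512 KiB. Both are parameters of this example, not V8 constants.
const ASSUMED_MAX_REGULAR_HEAP_OBJECT_SIZE = 512 * 1024;
const ASSUMED_ELEMENT_BYTES = 8;

// Smi range for a 64-bit build without pointer compression: signed 32-bit
// integer, excluding -0 (which V8 cannot represent as a Smi).
function isSmi(n) {
  return Number.isInteger(n) && n >= -(2 ** 31) && n < 2 ** 31 && !Object.is(n, -0);
}

// Build the argument list the way the repro does: cycle through `values`
// until `count` arguments have been pushed.
function buildArgs(count, values) {
  const args = [];
  for (let i = 0; i < count; i++) args.push(values[i % values.length]);
  return args;
}

// Estimate the elements store Array.apply needs for `count` elements
// (object header ignored) and whether it exceeds the assumed limit.
// A single non-Smi number among the values forces a double-backed store.
function plan(count, values) {
  const bytes = count * ASSUMED_ELEMENT_BYTES;
  return {
    count,
    bytes,
    crossesLimit: bytes > ASSUMED_MAX_REGULAR_HEAP_OBJECT_SIZE,
    doubleBacked: values.some((v) => typeof v === 'number' && !isSmi(v)),
  };
}

// Run the real Array.apply call and verify the result is an element-for-
// element copy of the argument list. A RangeError is reported rather than
// thrown: it means the engine refused the call (too many arguments for the
// stack), which is a different outcome from mishandling the allocation.
function applyAndCheck(count, values) {
  if (count < 2) {
    // Array(n) with a single numeric argument means "length n", not "[n]".
    throw new Error('use count >= 2 so Array() builds elements, not a length');
  }
  const args = buildArgs(count, values);
  let arr;
  try {
    arr = Array.apply(Array, args);
  } catch (e) {
    if (e instanceof RangeError) {
      return Object.assign(plan(count, values), { ok: false, error: 'RangeError' });
    }
    throw e;
  }
  let ok = Array.isArray(arr) && arr.length === args.length;
  for (let i = 0; ok && i < args.length; i++) ok = arr[i] === args[i];
  return Object.assign(plan(count, values), { ok, error: null });
}

// The repro's exact inputs: 125000 iterations of two values = 250000 arguments.
const REPRO_VALUES = [140737220444159, 524287];
const REPRO_COUNT = 2 * 125000;

if (typeof require !== 'undefined' && require.main === module) {
  for (const count of [1000, 66000, REPRO_COUNT]) {
    console.log(JSON.stringify(applyAndCheck(count, REPRO_VALUES)));
  }
}
```

On a build that still has the regression, the last iteration aborts in d8 with the CHECK from the crash state instead of returning; on a fixed engine all three rows come back with `ok: true`, and the middle one shows the smallest of these argument counts whose estimated store already exceeds the assumed limit.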
Comment 3 by sheriffbot@chromium.org (Project Member), Jun 14 2017

Labels: M-61
Comment 4 by sheriffbot@chromium.org (Project Member), Jun 14 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 5 by sheriffbot@chromium.org (Project Member), Jun 14 2017

Labels: Pri-1
Status: Started (was: Assigned)
Fix is in flight
Labels: -Security_Severity-High Security_Severity-Low
Reducing severity, this is not exploitable as far as I can tell.
Comment 8 by sheriffbot@chromium.org (Project Member), Jun 15 2017

Labels: -Pri-1 Pri-2
Comment 9 by ClusterFuzz (Project Member), Jun 16 2017

Detailed report: https://clusterfuzz.com/testcase?key=5394296642732032

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: address (ASAN)

Regressed: V8: 45896:45897

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5394296642732032


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Labels: -Type-Bug-Security -reward-topanel -Restrict-View-SecurityTeam -Security_Severity-Low -Security_Impact-Head Type-Bug
Looks like regular check failure hard crash, removing from security queue.

Comment 11 by ajha@chromium.org, Jun 19 2017

Labels: -ReleaseBlock-Beta
Removing the blocker label as this is P2 and no longer in security queue. Feel free to add it back if someone feels otherwise.
Comment 12 by ClusterFuzz (Project Member), Jun 20 2017

ClusterFuzz has detected this issue as fixed in range 45998:45999.

Detailed report: https://clusterfuzz.com/testcase?key=6566713058656256

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  v8::internal::__RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: address (ASAN)

Regressed: V8: 45896:45897
Fixed: V8: 45998:45999

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6566713058656256


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 13 by ClusterFuzz (Project Member), Jun 20 2017

ClusterFuzz has detected this issue as fixed in range 45998:45999.

Detailed report: https://clusterfuzz.com/testcase?key=5394296642732032

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: address (ASAN)

Regressed: V8: 45896:45897
Fixed: V8: 45998:45999

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5394296642732032


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Cc: mstarzinger@chromium.org
Issue 735277 has been merged into this issue.
