This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Detailed report: https://clusterfuzz.com/testcase?key=6454997494792192

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  ONE_BYTE == state_ in string.h
  
Sanitizer: address (ASAN)

Regressed: V8: 46303:46304

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6454997494792192


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

mstarzinger: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

CF points to f0e95769dbc3c209f513c68e2aa7c9433c4cd934. PTAL

Minimal repro:

const s0 = "external string turned into two byte";
const s1 = s0.substring(1);
externalizeString(s0, true);
 
s1.toLowerCase();

The issue is that prior to the CL in #9, we branched on String::FlatContent::IsOneByte(), and afterwards on String::IsOneByteRepresentation(). But it's possible for a string to have a one-byte representation, but still contain a two-byte flat content.

Any security implications from bug mentioned in c#11. Otherwise, we can remove security tags and change to Type-Bug.

I don't think there are security implications. The effect of this bug is that we can potentially access the uint16_t array (i.e. the two-byte string backing store) as if it were a uint8_t array, but no OOB accesses should be possible.

A friendly reminder that M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3c260762da0836134e602055d5fff03b9960b844

commit 3c260762da0836134e602055d5fff03b9960b844
Author: jgruber <jgruber@chromium.org>
Date: Wed Jul 12 06:25:26 2017

[string] Handle two-byte contents in String.p.toLowerCase

Previously (since f0e95769), this toLowerCase fast-path assumed
it would only see one-byte flat contents. Unfortunately, it's 
possible to have a one-byte sliced string that has a two-byte parent.

This CL ensures that String.p.toLowerCase handles such cases
correctly.

BUG= chromium:736451 

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Iae056b3db5535bb5665439a5cc8282a51571a548
Reviewed-on: https://chromium-review.googlesource.com/565559
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46574}
[modify] https://crrev.com/3c260762da0836134e602055d5fff03b9960b844/src/intl.cc
[add] https://crrev.com/3c260762da0836134e602055d5fff03b9960b844/test/mjsunit/regress/regress-crbug-736451.js

This bug requires manual review: We are only 12 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 46573:46574.

Detailed report: https://clusterfuzz.com/testcase?key=6643690037837824

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  ONE_BYTE == state_ in string.h
  v8::internal::ConvertOneByteToLower
  v8::internal::ConvertToLower
  
Sanitizer: address (ASAN)

Regressed: V8: 45140:45141
Fixed: V8: 46573:46574

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6643690037837824


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Approving merge to M60. 

ClusterFuzz has detected this issue as fixed in range 46573:46574.

Detailed report: https://clusterfuzz.com/testcase?key=6454997494792192

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  ONE_BYTE == state_ in string.h
  
Sanitizer: address (ASAN)

Regressed: V8: 46303:46304
Fixed: V8: 46573:46574

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6454997494792192


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b4b844b93a3622c82c0e862fd90e40ad9fe0d8f2

commit b4b844b93a3622c82c0e862fd90e40ad9fe0d8f2
Author: jgruber <jgruber@chromium.org>
Date: Fri Jul 14 07:19:33 2017

Merged: [string] Handle two-byte contents in String.p.toLowerCase

Revision: 3c260762da0836134e602055d5fff03b9960b844

BUG= chromium:736451 
TBR=yangguo@chromium.org
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I5d778a752bb7d471e2c7383ec2e994801f254109
Reviewed-on: https://chromium-review.googlesource.com/571701
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.0@{#73}
Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1}
Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439}
[modify] https://crrev.com/b4b844b93a3622c82c0e862fd90e40ad9fe0d8f2/src/intl.cc
[add] https://crrev.com/b4b844b93a3622c82c0e862fd90e40ad9fe0d8f2/test/mjsunit/regress/regress-crbug-736451.js

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot