This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Assigning to sheriff for triage.

mstarzinger: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Caused by table switches with a humongous value range. Simplified repro ...

function f() {
  switch (undeclared | 0) {
    case 0:
    case 1:
    case 3:
    case -2147483644:
    case 2147483647:
  }
}
assertThrows(f, ReferenceError);
assertThrows(f, ReferenceError);
%OptimizeFunctionOnNextCall(f);
assertThrows(f, ReferenceError);

Reproduces on ia32 only (not in x64), haven't tried other 32-bit architectures yet. I suspect an overflow in the heuristics within the {InstructionSelector::VisitSwitch} method, due to {sw.value_range} being pretty close to an overflow at that point. Will discuss with Benedikt tomorrow.

Fix is in flight ...

A friendly reminder that M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4a4bcda388e77475dc3cce3bd0a2e0509169a789

commit 4a4bcda388e77475dc3cce3bd0a2e0509169a789
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Wed Jul 12 08:35:26 2017

[turbofan] Introduce upper limit for table switch size.

This introduces 2^16 as an upper limit for the allowed value range of a
table switch on all architectures. It also fixes several overflows in
the table size calculation.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-736633
BUG= chromium:736633 

Change-Id: I931bd226c99eb8a1ae1770c159fc314ff650bf57
Reviewed-on: https://chromium-review.googlesource.com/566829
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46575}
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/arm/instruction-selector-arm.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/arm64/instruction-selector-arm64.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/ia32/instruction-selector-ia32.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/instruction-selector.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/mips/instruction-selector-mips.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/mips64/instruction-selector-mips64.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/ppc/instruction-selector-ppc.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/s390/instruction-selector-s390.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/x64/instruction-selector-x64.cc
[modify] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/src/compiler/x87/instruction-selector-x87.cc
[add] https://crrev.com/4a4bcda388e77475dc3cce3bd0a2e0509169a789/test/mjsunit/regress/regress-crbug-736633.js

ClusterFuzz has detected this issue as fixed in range 485940:486007.

Detailed report: https://clusterfuzz.com/testcase?key=5465207894966272

Fuzzer: inferno_js_fuzzer_c
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Use-after-poison WRITE 8
Crash Address: 0x0d1248f8
Crash State:
  v8::internal::compiler::InstructionSelector::EmitTableSwitch
  v8::internal::compiler::InstructionSelector::VisitSwitch
  v8::internal::compiler::InstructionSelector::VisitControl
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=485940:486007

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5465207894966272


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot