Issue 743215

Issue metadata

Status: Fixed
Closed: Jul 2017
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

CHECK failure: is_neuterable() in objects.cc

Reported by ClusterFuzz (Project Member), Jul 14 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5867945795518464

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  is_neuterable() in objects.cc
  v8::internal::JSArrayBuffer::Neuter
  v8::internal::__RT_impl_Runtime_ArrayBufferNeuter
  
Sanitizer: address (ASAN)

Regressed: V8: 42266:42267

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5867945795518464


Issue manually filed by: aarya

See https://github.com/google/clusterfuzz-tools for more information.
 
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Comment 2 by sheriffbot@chromium.org, Jul 15 2017

Labels: M-61
Comment 3 by sheriffbot@chromium.org, Jul 15 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org, Jul 15 2017

Labels: Pri-1
Labels: -Type-Bug-Security -Security_Impact-Head -Security_Severity-High Type-Bug
Not a security issue. Same as issue v8:6534.

Comment 6 by bugdroid1@chromium.org, Jul 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4c50af9358bdcbfeffa863e1104bbf9ffb70da95

commit 4c50af9358bdcbfeffa863e1104bbf9ffb70da95
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jul 17 14:34:04 2017

[runtime] Make %ArrayBufferNeuter fuzzable.

This makes sure Runtime_ArrayBufferNeuter fails gracefully on array
buffers that are non-neuterable. Note that this runtime function is
whitelisted on ClusterFuzz and otherwise only used for testing.

R=cbruni@chromium.org
BUG=chromium:743215, v8:6534

Change-Id: I5069e615468f8789bf4fd87bb1e093a18bfd0347
Reviewed-on: https://chromium-review.googlesource.com/574168
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46710}
[modify] https://crrev.com/4c50af9358bdcbfeffa863e1104bbf9ffb70da95/src/runtime/runtime-typedarray.cc
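The fix above moves the precondition check to the fuzzer-reachable runtime entry point so that a non-neuterable buffer produces a graceful failure instead of tripping the internal CHECK. The following C model, added here as an illustration and not V8's own code, shows that pattern with a constructed toy ArrayBuffer: `neuter_internal` keeps the CHECK-style abort, `runtime_neuter_unchecked` models the pre-fix entry point, and `runtime_neuter_checked` models the post-fix one. All type, field and function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/*
 * Toy model of an ArrayBuffer, constructed for this example; it is not V8's
 * JSArrayBuffer and the field names are assumptions.
 */
typedef struct {
    void  *backing_store;
    size_t byte_length;
    bool   is_neuterable;   /* false for buffers whose memory the engine does not own outright */
    bool   was_neutered;
} ArrayBuffer;

typedef enum { NEUTER_OK = 0, NEUTER_NOT_NEUTERABLE = 1 } NeuterResult;

ArrayBuffer make_buffer(size_t byte_length, bool is_neuterable) {
    ArrayBuffer buf;
    buf.backing_store = malloc(byte_length ? byte_length : 1);
    buf.byte_length = byte_length;
    buf.is_neuterable = is_neuterable;
    buf.was_neutered = false;
    return buf;
}

void release_buffer(ArrayBuffer *buf) {
    free(buf->backing_store);
    buf->backing_store = NULL;
}

/*
 * Internal neuter, as in the crash: the precondition is enforced with a
 * CHECK-style abort. That is fine for callers that validated the buffer,
 * but fatal when an unvalidated, fuzzer-reachable entry point calls it.
 */
static void neuter_internal(ArrayBuffer *buf) {
    if (!buf->is_neuterable) abort();    /* models CHECK(is_neuterable()) */
    free(buf->backing_store);
    buf->backing_store = NULL;
    buf->byte_length = 0;
    buf->was_neutered = true;
}

/* "Before": the runtime entry point forwards its argument without checking. */
NeuterResult runtime_neuter_unchecked(ArrayBuffer *buf) {
    neuter_internal(buf);                /* aborts the process on a non-neuterable buffer */
    return NEUTER_OK;
}

/* "After": validate at the fuzzable boundary and fail gracefully. */
NeuterResult runtime_neuter_checked(ArrayBuffer *buf) {
    if (!buf->is_neuterable) return NEUTER_NOT_NEUTERABLE;
    neuter_internal(buf);
    return NEUTER_OK;
}

/*
 * Exercise the hardened entry point on a neuterable and a non-neuterable
 * buffer; returns 1 when both behave as expected, 0 otherwise.
 */
int demo_checked_neuter(void) {
    ArrayBuffer ok = make_buffer(16, true);
    ArrayBuffer pinned = make_buffer(16, false);
    int good = 1;

    if (runtime_neuter_checked(&ok) != NEUTER_OK) good = 0;
    if (ok.byte_length != 0 || !ok.was_neutered) good = 0;

    if (runtime_neuter_checked(&pinned) != NEUTER_NOT_NEUTERABLE) good = 0;
    if (pinned.byte_length != 16 || pinned.was_neutered) good = 0;   /* left untouched */

    release_buffer(&ok);
    release_buffer(&pinned);
    return good;
}

int main(void) {
    return demo_checked_neuter() ? 0 : 1;
}
```

The internal CHECK stays in place; the change is that every externally reachable caller establishes the precondition first, which is the usual way to keep CHECKs as invariants rather than letting them become reachable crashes.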

Status: Fixed (was: Assigned)
Cc: gdeepti@chromium.org
Issue 738369 has been merged into this issue.

Comment 9 by sheriffbot@chromium.org, Jul 18 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 10 by sheriffbot@chromium.org, Oct 24 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot