Security: WebAssembly signature map is racy
Issue description

VULNERABILITY DETAILS
An internal implementation of WebAssembly indirect tables is vulnerable to a race condition.

VERSION
57+

REPRODUCTION CASE
Instantiate a module that calls indirectly through a table, where the call of the signature is not used otherwise.
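The reproduction case above hinges on a call_indirect whose type index is used at the call site only, never by any defined function. The hand-assembled module below, an added example that is not from the report or from the V8 commit, builds exactly that shape so the engine's signature check can be observed: the table entry has type () -> i32, one export calls it with the matching type and gets 42, the other calls it with an (i32) -> i32 type that no function has and must trap. It exercises the check that the fix's tests cover, not the race itself; names such as callThroughTable are this example's own.

```javascript
// Constructed wasm binary (MVP encoding), assembled by hand for this example.
const bytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,            // magic + version
  // type section: type 0 = () -> i32 ; type 1 = (i32) -> i32 (call site only)
  0x01, 0x0a, 0x02, 0x60, 0x00, 0x01, 0x7f, 0x60, 0x01, 0x7f, 0x01, 0x7f,
  // function section: three functions, all declared with type 0
  0x03, 0x04, 0x03, 0x00, 0x00, 0x00,
  // table section: one funcref table, minimum size 1
  0x04, 0x04, 0x01, 0x70, 0x00, 0x01,
  // export section: "ok" -> func 1, "bad" -> func 2
  0x07, 0x0c, 0x02, 0x02, 0x6f, 0x6b, 0x00, 0x01, 0x03, 0x62, 0x61, 0x64, 0x00, 0x02,
  // element section: table[0] = func 0
  0x09, 0x07, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x01, 0x00,
  // code section
  0x0a, 0x18, 0x03,
  0x04, 0x00, 0x41, 0x2a, 0x0b,                               // func 0: i32.const 42
  0x07, 0x00, 0x41, 0x00, 0x11, 0x00, 0x00, 0x0b,             // func 1: call_indirect type 0, idx 0
  0x09, 0x00, 0x41, 0x07, 0x41, 0x00, 0x11, 0x01, 0x00, 0x0b, // func 2: call_indirect type 1, idx 0
]);

// Instantiate the module and call one export through the table.
// Returns the value on success, or marks a trap when the engine rejects
// the dispatch because the callee's signature does not match the call site.
function callThroughTable(exportName) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  try {
    return { value: instance.exports[exportName](), trapped: false };
  } catch (e) {
    return { value: null, trapped: e instanceof WebAssembly.RuntimeError };
  }
}

console.log(callThroughTable('ok'));   // { value: 42, trapped: false }
console.log(callThroughTable('bad'));  // { value: null, trapped: true }
```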
Jul 24 2017
Ben already has a fix for this.
Jul 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1bbbc8cc61d8243dacba0061432d73db9e24050e

commit 1bbbc8cc61d8243dacba0061432d73db9e24050e
Author: titzer <titzer@chromium.org>
Date: Mon Jul 24 19:21:28 2017

[wasm] More extensive indirect dispatch signature mismatch tests.

BUG=chromium:747995
Review-Url: https://codereview.chromium.org/2981883002
Cr-Commit-Position: refs/heads/master@{#46848}

[modify] https://crrev.com/1bbbc8cc61d8243dacba0061432d73db9e24050e/src/wasm/signature-map.cc
[modify] https://crrev.com/1bbbc8cc61d8243dacba0061432d73db9e24050e/src/wasm/signature-map.h
[add] https://crrev.com/1bbbc8cc61d8243dacba0061432d73db9e24050e/test/mjsunit/wasm/indirect-sig-mismatch.js
[modify] https://crrev.com/1bbbc8cc61d8243dacba0061432d73db9e24050e/test/mjsunit/wasm/wasm-module-builder.js
Jul 24 2017
Jul 24 2017
Jul 25 2017
Jul 25 2017
Your change meets the bar and is auto-approved for M61. Please go ahead and merge the CL to branch 3163 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26 2017
Please merge your change to M61 branch #3163 before 4:00 PM PT, Wednesday (07/26) in order to make it to last M61 dev release. Thank you.
Jul 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4e2ec8b0c3b0fd7842c8f3177990f9a4013214f0

commit 4e2ec8b0c3b0fd7842c8f3177990f9a4013214f0
Author: Ben L. Titzer <titzer@google.com>
Date: Wed Jul 26 09:08:27 2017

Merged: [wasm] More extensive indirect dispatch signature mismatch tests.

Revision: 1bbbc8cc61d8243dacba0061432d73db9e24050e

BUG=chromium:747995
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=clemensh@chromium.org

Change-Id: I944029ee9498cb970ea8bf21d00b433b24abbc9d
Reviewed-on: https://chromium-review.googlesource.com/585533
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#16}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}

[modify] https://crrev.com/4e2ec8b0c3b0fd7842c8f3177990f9a4013214f0/src/wasm/signature-map.cc
[modify] https://crrev.com/4e2ec8b0c3b0fd7842c8f3177990f9a4013214f0/src/wasm/signature-map.h
[add] https://crrev.com/4e2ec8b0c3b0fd7842c8f3177990f9a4013214f0/test/mjsunit/wasm/indirect-sig-mismatch.js
[modify] https://crrev.com/4e2ec8b0c3b0fd7842c8f3177990f9a4013214f0/test/mjsunit/wasm/wasm-module-builder.js
Jul 26 2017
Oct 31 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jul 24 2017