Crash in Append
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5963309538082816
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x7f0cf1880000
Crash State:
  Append
  void v8::internal::JsonStringifier::SerializeStringUnchecked_<unsigned char, uns
  void v8::internal::JsonStringifier::SerializeString_<unsigned char, unsigned cha
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 46837:46838
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5963309538082816

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 24 2017
Issue 748072 has been merged into this issue.
Jul 25 2017
Mini repro:

var a = 'a'.repeat(1 << 28);
JSON.stringify(a);
Jul 25 2017
There is an overflow in a calculation involving the string length in src/json-stringifier.cc:642
Jul 25 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8315422762131921022c63e80179d7df828822fb

commit 8315422762131921022c63e80179d7df828822fb
Author: Peter Marshall <petermarshall@chromium.org>
Date: Wed Jul 26 11:40:56 2017

[runtime] Check for overflow when serializing Strings for JSON.

Previously we would shift the length of the string by three, which could overflow with the new larger string length limit. Now we check that the length will fit without extra allocation before and after the shift, because really large strings will never fit, and will always go to the Checked case.

Bug: chromium:748069, v8:6148
Change-Id: I41cac14b0fde6c5e8ca92305a052cbb743111554
Reviewed-on: https://chromium-review.googlesource.com/584611
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46896}

[modify] https://crrev.com/8315422762131921022c63e80179d7df828822fb/src/json-stringifier.cc
[modify] https://crrev.com/8315422762131921022c63e80179d7df828822fb/src/string-builder.h
[add] https://crrev.com/8315422762131921022c63e80179d7df828822fb/test/mjsunit/regress/regress-748069.js
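Added illustration of the overflow the commit message above describes; this is example code written for this page, not V8 source, and the names PartBuilder-style helpers use here (CurrentPartCanFit, WorstCaseLengthPreFix, PreFixTakesUncheckedPath, PostFixTakesUncheckedPath) are assumptions, not V8 identifiers. It models the worst-case escaped-length estimate (length << 3 in a 32-bit int) that decides whether a string is serialized on the unchecked fast path, shows how the mini repro's length of 1 << 28 wraps that estimate negative so the buffer check passes and the unchecked path writes past the current part, and shows the pre-shift and post-shift checks the fix adds.

```cpp
// Added illustration, not V8 source. Models the worst-case length estimate
// that SerializeString_ makes before choosing the unchecked fast path, as
// described in the commit message above. All identifiers here are assumptions
// for the example; V8's actual names and layout differ.
#include <climits>
#include <cstdint>
#include <cstdio>

constexpr int kMaxInt = INT_MAX;

// Stand-in for the string builder: 'remaining' free bytes in the current part.
bool CurrentPartCanFit(int remaining, int n) { return n <= remaining; }

// Pre-fix estimate: length << 3 in a 32-bit int. For length >= 1 << 28 the
// true value (>= 2^31) is not representable. Signed overflow is UB in C++, so
// the wrap the crash relied on is modelled with an unsigned shift cast back to
// int (modular on GCC/Clang/MSVC, and guaranteed since C++20).
int WorstCaseLengthPreFix(int length) {
  return static_cast<int>(static_cast<uint32_t>(length) << 3);
}

// Pre-fix decision: a wrapped (negative) estimate trivially "fits", so the
// serializer takes SerializeStringUnchecked_ and writes the escaped string
// past the end of the current part. That is the ASAN "UNKNOWN WRITE" above.
bool PreFixTakesUncheckedPath(int remaining, int length) {
  return CurrentPartCanFit(remaining, WorstCaseLengthPreFix(length));
}

// Post-fix decision, following the commit description: a length that cannot
// survive the shift is sent to the checked path before the shift is done,
// and the shifted value is checked again afterwards.
bool PostFixTakesUncheckedPath(int remaining, int length) {
  if (length < 0 || length > (kMaxInt >> 3)) return false;  // would overflow
  int worst_case_length = length << 3;                       // now safe
  if (worst_case_length < 0) return false;                   // re-check
  return CurrentPartCanFit(remaining, worst_case_length);
}

int main() {
  const int remaining = 1 << 20;  // constructed: 1 MiB free in the current part
  const int length = 1 << 28;     // the mini repro: 'a'.repeat(1 << 28)
  std::printf("pre-fix estimate for length %d: %d\n", length,
              WorstCaseLengthPreFix(length));
  std::printf("pre-fix takes unchecked path: %s\n",
              PreFixTakesUncheckedPath(remaining, length) ? "yes" : "no");
  std::printf("post-fix takes unchecked path: %s\n",
              PostFixTakesUncheckedPath(remaining, length) ? "yes" : "no");
  return 0;
}
```

With the repro's length, the pre-fix estimate is INT_MIN, which is "less than" any buffer size, so the unchecked serializer is entered with 2^28 bytes of input and a far smaller part; the post-fix check rejects the length before shifting, so such strings always go to the checked (allocating) path, exactly as the commit message states.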
Jul 26 2017
URGENT - PTAL. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the M61 branch #3163 ASAP to have enough baking time in Beta before Stable promotion. Thank you! Know that this issue shouldn't block the release? Remove the ReleaseBlock-Stable label.
Jul 26 2017
Looks like the regression range is in M62, changing milestone.
Jul 27 2017
ClusterFuzz testcase 6210267540357120 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 27 2017
Yes, this issue is only relevant for M62, now fixed.
Jul 27 2017
ClusterFuzz has detected this issue as fixed in range 46895:46896.

Detailed report: https://clusterfuzz.com/testcase?key=5963309538082816
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x7f0cf1880000
Crash State:
  Append
  void v8::internal::JsonStringifier::SerializeStringUnchecked_<unsigned char, uns
  void v8::internal::JsonStringifier::SerializeString_<unsigned char, unsigned cha
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 46837:46838
Fixed: V8: 46895:46896
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5963309538082816

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 15 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.

Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 15 2017
This is already in M62.
Nov 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jul 24 2017
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)