DCHECK failure in offset_ <= offset_ + length_ in wasm-module.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4561472863862784

Fuzzer: libFuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  offset_ <= offset_ + length_ in wasm-module.h
  v8::internal::wasm::ModuleDecoder::DecodeSection
  DecodeModule

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=486145:486256

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561472863862784

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 6 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 6 2017

Aug 7 2017

Aug 8 2017
Taking a look.
Aug 8 2017
Not security relevant, we are just creating an object before checking for errors, instead of the other way around. The object won't be used anyway if later the error is detected. Fix here: https://chromium-review.googlesource.com/605894
Aug 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ad014fb61c9c8c28a9efa7b9e067bf47a52fd8d7

commit ad014fb61c9c8c28a9efa7b9e067bf47a52fd8d7
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Aug 24 07:06:17 2017

[wasm] Avoid constructing OOB WireBytesRef

The {WireBytesRef} constructor checks that {offset + length} does not overflow. Hence we need to check for illegal sizes before constructing the {WireBytesRef}. The {consume_bytes} function already does that, so remove the redundant hand-written checking.

R=titzer@chromium.org

Bug: chromium:752781
Change-Id: If3a2946a62fa38cc668695ed7186b9751a1f356f
Reviewed-on: https://chromium-review.googlesource.com/605894
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47563}

[modify] https://crrev.com/ad014fb61c9c8c28a9efa7b9e067bf47a52fd8d7/src/wasm/module-decoder.cc
[modify] https://crrev.com/ad014fb61c9c8c28a9efa7b9e067bf47a52fd8d7/test/unittests/wasm/module-decoder-unittest.cc
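The ordering problem the commit message describes, as an added illustration that is not V8's code: a simplified WireBytesRef whose constructor mirrors the DCHECK that offset + length must not wrap, and a toy section decoder in two variants. The "before" variant builds the reference as soon as it reads the size and only then bounds-checks, so an oversized size trips the constructor's check; the "after" variant lets consume_bytes() reject the size first and constructs the reference only for a range known to be inside the buffer. The byte encoding (little-endian u32 size) and the sample inputs are constructed for the example; the DCHECK is modelled as a counter so the buggy ordering can run without aborting.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the DCHECK: counts how often the invariant would have fired so
// that both orderings can be exercised without terminating the process.
static int g_invariant_violations = 0;

// Simplified model of a reference into the module's wire bytes (not V8's class).
struct WireBytesRef {
  uint32_t offset_;
  uint32_t length_;
  WireBytesRef(uint32_t offset, uint32_t length)
      : offset_(offset), length_(length) {
    // Mirrors "offset_ <= offset_ + length_": in uint32 arithmetic the sum wraps
    // when length is too large, which is exactly what the check detects.
    if (!(offset_ <= offset_ + length_)) ++g_invariant_violations;
  }
};

// Minimal decoder state: the byte buffer, a cursor, and an error flag.
struct Decoder {
  const std::vector<uint8_t>& bytes;
  uint32_t pc = 0;
  bool error = false;
  explicit Decoder(const std::vector<uint8_t>& b) : bytes(b) {}

  // Toy encoding: a section size is a little-endian u32 (real wasm uses LEB128;
  // the encoding does not matter for the ordering bug).
  uint32_t consume_u32() {
    if (bytes.size() - pc < 4) { error = true; return 0; }
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= uint32_t(bytes[pc + i]) << (8 * i);
    pc += 4;
    return v;
  }

  // Checks that `size` bytes remain before advancing; flags an error otherwise.
  bool consume_bytes(uint32_t size) {
    if (size > bytes.size() - pc) { error = true; return false; }
    pc += size;
    return true;
  }
};

// Ordering before the fix (reconstructed): the reference is constructed right
// after the size is read, so the bounds check comes too late to prevent the
// constructor from seeing an overflowing range.
bool decode_section_before_fix(const std::vector<uint8_t>& bytes) {
  Decoder d(bytes);
  uint32_t size = d.consume_u32();
  if (d.error) return false;
  WireBytesRef ref(d.pc, size);              // constructed first ...
  if (!d.consume_bytes(size)) return false;  // ... validated afterwards
  (void)ref;
  return true;
}

// Ordering after the fix: consume_bytes() validates the size first, and the
// reference is only built for a range that lies inside the buffer.
bool decode_section_after_fix(const std::vector<uint8_t>& bytes) {
  Decoder d(bytes);
  uint32_t size = d.consume_u32();
  if (d.error) return false;
  uint32_t start = d.pc;
  if (!d.consume_bytes(size)) return false;
  WireBytesRef ref(start, size);
  return ref.offset_ + ref.length_ == d.pc;
}

// Runs one variant on an input and reports how many times the invariant would
// have fired (0 means the DCHECK is never reached for that input).
int violations_for(bool (*variant)(const std::vector<uint8_t>&),
                   const std::vector<uint8_t>& bytes) {
  g_invariant_violations = 0;
  variant(bytes);
  return g_invariant_violations;
}

// Constructed sample: size field 0xFFFFFFFF followed by two payload bytes.
// offset 4 + length 0xFFFFFFFF wraps to 3, so the invariant fails.
const std::vector<uint8_t> kOversizedSection = {0xFF, 0xFF, 0xFF, 0xFF, 0xAA, 0xBB};
// Constructed well-formed sample: size 2 followed by exactly two payload bytes.
const std::vector<uint8_t> kValidSection = {0x02, 0x00, 0x00, 0x00, 0xAA, 0xBB};

int main() {
  std::printf("before fix, oversized: violations=%d\n",
              violations_for(decode_section_before_fix, kOversizedSection));
  std::printf("after fix,  oversized: violations=%d ok=%d\n",
              violations_for(decode_section_after_fix, kOversizedSection),
              int(decode_section_after_fix(kOversizedSection)));
  std::printf("after fix,  valid:     ok=%d\n",
              int(decode_section_after_fix(kValidSection)));
  return 0;
}
```

Both variants reject the oversized input; the difference is only whether an object carrying an impossible range ever exists. Validating the length against the remaining bytes before materialising the reference is the cheaper and safer ordering, and it is what lets the constructor's invariant stay a hard assertion rather than a reachable debug crash.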
Aug 24 2017

Aug 25 2017
ClusterFuzz has detected this issue as fixed in range 496995:497013.

Detailed report: https://clusterfuzz.com/testcase?key=4561472863862784

Fuzzer: libFuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  offset_ <= offset_ + length_ in wasm-module.h
  v8::internal::wasm::ModuleDecoder::DecodeSection
  DecodeModule

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=486145:486256
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=496995:497013

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561472863862784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 25 2017
ClusterFuzz testcase 4561472863862784 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.