
Issue 761654


Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows
Pri: 1
Type: Bug-Security




CHECK failure: len->ToUint32(&int_l) in builtins-typedarray.cc

Project Member Reported by ClusterFuzz, Sep 3 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4807813510725632

Fuzzer: v8_builtins_generator
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  len->ToUint32(&int_l) in builtins-typedarray.cc

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=499264:499268

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4807813510725632

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 3 2017

Labels: M-62
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 3 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 3 2017

Labels: Pri-1
Cc: fran...@chromium.org
This looks like it came in with https://chromium.googlesource.com/v8/v8/+/7d60f78ac7fac85857edad9f0a1a58717a0f0410 ?
Cc: -fran...@chromium.org bmeu...@chromium.org
Owner: fran...@chromium.org
Status: Assigned (was: Untriaged)
Bisects to 71ac9e0eee8c8ef53a058d853f63662d9346c7fa, still Franzi :)
Status: Started (was: Assigned)
Project Member

Comment 7 by bugdroid1@chromium.org, Sep 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f31af9746ee1481837f31a8d02150917b501c9d7

commit f31af9746ee1481837f31a8d02150917b501c9d7
Author: Franziska Hinkelmann <franzih@chromium.org>
Date: Mon Sep 04 13:11:42 2017

[builtins] Throw when setting typed arrays from large sources

When setting a typed array from an array-like object, the
length of the source can only be converted to a uint32 if
it is not too large.

Bug: v8:6704, chromium:761654
Change-Id: I8f89aa348093d8bd4d54aa16d6b5f255d3cb7adc
Reviewed-on: https://chromium-review.googlesource.com/648976
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47798}
[modify] https://crrev.com/f31af9746ee1481837f31a8d02150917b501c9d7/src/builtins/builtins-typedarray.cc
[modify] https://crrev.com/f31af9746ee1481837f31a8d02150917b501c9d7/test/mjsunit/es6/typedarray.js
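A regression check for the behaviour the commit describes, added here as an example (it is not the mjsunit test from the patch): it feeds constructed array-like sources with lengths around and beyond the uint32 range to `TypedArray.prototype.set` and records whether a `RangeError` is thrown, which is what a fixed engine does instead of failing the CHECK. It goes beyond the page by also covering the clamped (`Infinity`), negative and offset cases.

```javascript
// Added example (not the mjsunit test from the patch): exercise the
// array-like path of %TypedArray%.prototype.set with source lengths
// around and beyond the uint32 range. A fixed engine throws RangeError
// for sources that cannot fit; nothing here is taken from the fuzzer case.

// Try target.set(source, offset) on a 4-byte target and report what happened.
function trySet(source, offset = 0) {
  const target = new Uint8Array(4);
  try {
    target.set(source, offset);
    return { result: "ok", bytes: Array.from(target).join(",") };
  } catch (e) {
    return { result: e.constructor.name, bytes: Array.from(target).join(",") };
  }
}

// Constructed array-like sources. set() reads `length` through ToLength,
// which clamps to 2^53-1, so values above 2^32-1 reach the size check
// rather than a uint32 conversion; the spec answer is a RangeError.
const CASES = {
  normal:      { length: 2, 0: 7, 1: 9 }, // fits: copies two bytes
  uint32Max:   { length: 2 ** 32 - 1 },   // representable, still too large for 4 bytes
  aboveUint32: { length: 2 ** 32 },       // the class of length behind the CHECK failure
  huge:        { length: 2 ** 53 },       // clamped by ToLength, still too large
  infinite:    { length: Infinity },      // clamped by ToLength, still too large
  negative:    { length: -5 },            // ToLength gives 0: nothing copied, no error
  withOffset:  { length: 2, 0: 1, 1: 2 }, // used with offset 3: 2 + 3 > 4
};

// Run every case and return the outcomes keyed by case name.
function runAll() {
  return {
    normal: trySet(CASES.normal),
    uint32Max: trySet(CASES.uint32Max),
    aboveUint32: trySet(CASES.aboveUint32),
    huge: trySet(CASES.huge),
    infinite: trySet(CASES.infinite),
    negative: trySet(CASES.negative),
    withOffset: trySet(CASES.withOffset, 3),
  };
}

console.log(runAll());
```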

Project Member

Comment 8 by ClusterFuzz, Sep 5 2017

Labels: OS-Windows
Cc: machenb...@chromium.org
Status: Fixed (was: Started)
CF can't verify since we just moved to standalone builds, yay to not building inside chromium src for these job types. Previously it used to be only ASan, now it includes everything, thanks to Michael.
Cc: infe...@chromium.org
@inferno: I didn't rewire the jobs yet, or did you? + I thought you said we'd migrate the old test cases in a way that fixed verification + regression detection works? Otherwise, I had the suggestion of having a separate job type in parallel for a while. And keeping the old around just for fixed-testing...
I rewrote the jobs, also for these non-ASan job types; it was only 1-2 testcases, migrated them all. Most of them don't reproduce on trunk since you guys fix bugs too fast. But I verified that the job works with a hello world upload, e.g.
https://clusterfuzz.com/v2/testcase-detail/6190225239048192?noredirect=1
https://clusterfuzz.com/v2/testcase-detail/5987181733871616?noredirect=1
Cc: fran...@chromium.org
Issue 762082 has been merged into this issue.
Project Member

Comment 13 by ClusterFuzz, Sep 6 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5473829379112960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by sheriffbot@chromium.org, Sep 6 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-62 M-63
Labels: -ReleaseBlock-Stable
Project Member

Comment 17 by sheriffbot@chromium.org, Dec 13 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 18 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head -M-63 M-65 Security_Impact-Stable
