
Issue 763294 link

Issue metadata

Status: Duplicate
Merged: issue 763297
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Null-dereference READ in type

Project Member Reported by ClusterFuzz, Sep 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5599349005615104

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  type
  Push
  InitFrame
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=500422:500485

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5599349005615104

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Blink>JavaScript
Labels: Test-Predator-Wrong-CLs M-63
Cc: clemensh@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Nullptr deref in the wasm async fuzzer.
Mergedinto: 763297
Status: Duplicate (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Sep 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3ced15cb037dabb05139b8c069aeadc858194ec1

commit 3ced15cb037dabb05139b8c069aeadc858194ec1
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Sep 08 19:12:27 2017

[wasm] [fuzzer] Fix segfault

Even though we were generating additional arguments with default value
in the case that the caller was not providing enough, we then passed
the original pointer, leading to potential out-of-bounds accesses.

R=ahaas@chromium.org

Bug: chromium:763294, chromium:763297
Change-Id: Id18622d0d40e0408e26a5fc6f97494b5f9e18d17
Reviewed-on: https://chromium-review.googlesource.com/657699
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47930}
[modify] https://crrev.com/3ced15cb037dabb05139b8c069aeadc858194ec1/test/common/wasm/wasm-module-runner.cc

Project Member

Comment 5 by ClusterFuzz, Sep 9 2017

ClusterFuzz has detected this issue as fixed in range 500678:500748.

Detailed report: https://clusterfuzz.com/testcase?key=5599349005615104

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  type
  Push
  InitFrame
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=500422:500485
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=500678:500748

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5599349005615104

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.