Null-dereference READ in v8::internal::wasm::ThreadImpl::Push
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5778539336171520
Fuzzer: libFuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::wasm::ThreadImpl::Push
  v8::internal::wasm::ThreadImpl::InitFrame
  v8::internal::wasm::testing::InterpretWasmModuleForTesting
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5778539336171520

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 8 2017
Another nullptr deref. Might have the same cause as 763294, and was probably caused by https://chromium-review.googlesource.com/c/v8/v8/+/651046. We can have a look together next week if you like.
Sep 8 2017
Oh, what a silly bug! Fix here: https://chromium-review.googlesource.com/657699
Sep 8 2017
Sep 8 2017
Issue 763355 has been merged into this issue.
Sep 8 2017
re #3: this was not meant to be offensive. I was the reviewer of that code before it landed ;)
Sep 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/3ced15cb037dabb05139b8c069aeadc858194ec1

commit 3ced15cb037dabb05139b8c069aeadc858194ec1
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Sep 08 19:12:27 2017

[wasm] [fuzzer] Fix segfault

Even though we were generating additional arguments with default value in the case that the caller was not providing enough, we then passed the original pointer, leading to potential out-of-bounds accesses.

R=ahaas@chromium.org

Bug: chromium:763294, chromium:763297
Change-Id: Id18622d0d40e0408e26a5fc6f97494b5f9e18d17
Reviewed-on: https://chromium-review.googlesource.com/657699
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47930}

[modify] https://crrev.com/3ced15cb037dabb05139b8c069aeadc858194ec1/test/common/wasm/wasm-module-runner.cc
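As an added illustration of the pattern the commit message describes (hypothetical C++ stand-in written for this page, not V8's code), the buggy selector pads the caller's arguments into a fresh buffer but still hands down the caller's original pointer, so a call with no caller-supplied arguments makes the interpreter read through a null pointer; the fixed selector hands down the padded buffer instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for the interpreter entry point: it trusts the caller to supply
// num_params values and reads every one of them.
static int64_t run_interpreter(const int64_t* args, size_t num_params) {
  int64_t acc = 0;
  for (size_t i = 0; i < num_params; ++i) acc += args[i];
  return acc;
}

// Builds the padded argument list: the caller's values first, then zeros
// (the default value) up to the function's parameter count.
static void pad_arguments(const int64_t* args, size_t num_args,
                          size_t num_params, std::vector<int64_t>& out) {
  out.clear();
  if (args != nullptr) out.insert(out.end(), args, args + num_args);
  out.resize(num_params, 0);
}

// Buggy shape: the padded copy is built, but the pointer handed down is the
// original one. Only the pointer choice is returned, so the mismatch can be
// inspected without performing the bad read.
static const int64_t* buggy_select(const int64_t* args, size_t num_args,
                                   size_t num_params, std::vector<int64_t>& storage) {
  pad_arguments(args, num_args, num_params, storage);
  return args;  // wrong: the padding is discarded
}

// Fixed shape: hand down the padded buffer, which is exactly num_params long.
static const int64_t* fixed_select(const int64_t* args, size_t num_args,
                                   size_t num_params, std::vector<int64_t>& storage) {
  pad_arguments(args, num_args, num_params, storage);
  return storage.data();
}

// True when reading num_params values through `chosen` would run past what
// the caller actually provided (num_args == 0 with a null pointer is the
// null-dereference case from the crash report).
static bool would_read_past_input(const int64_t* chosen, const int64_t* args,
                                  size_t num_args, size_t num_params) {
  return chosen == args && num_params > num_args;
}

// Full call using the corrected pointer selection.
static int64_t interpret_fixed(const int64_t* args, size_t num_args, size_t num_params) {
  std::vector<int64_t> storage;
  return run_interpreter(fixed_select(args, num_args, num_params, storage), num_params);
}
```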
Sep 9 2017
ClusterFuzz has detected this issue as fixed in range 500695:500770.

Detailed report: https://clusterfuzz.com/testcase?key=5778539336171520
Fuzzer: libFuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::wasm::ThreadImpl::Push
  v8::internal::wasm::ThreadImpl::InitFrame
  v8::internal::wasm::testing::InterpretWasmModuleForTesting
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500695:500770
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5778539336171520

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 10 2017
ClusterFuzz testcase 5546860881379328 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 8 2017
Labels: Test-Predator-Wrong-CLs M-63