
Issue 763297 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in v8::internal::wasm::ThreadImpl::Push

Project Member Reported by ClusterFuzz, Sep 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5778539336171520

Fuzzer: libFuzzer_v8_wasm_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::wasm::ThreadImpl::Push
  v8::internal::wasm::ThreadImpl::InitFrame
  v8::internal::wasm::testing::InterpretWasmModuleForTesting
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5778539336171520

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Blink>JavaScript
Labels: Test-Predator-Wrong-CLs M-63
Cc: clemensh@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Another nullptr deref. Might have the same cause as 763294, and was probably caused by https://chromium-review.googlesource.com/c/v8/v8/+/651046.
We can have a look together next week if you like.
Cc: -clemensh@chromium.org ahaas@chromium.org
Owner: clemensh@chromium.org
Status: Started (was: Assigned)
Oh, what a silly bug!
Fix here: https://chromium-review.googlesource.com/657699
Cc: clemensh@chromium.org
Issue 763294 has been merged into this issue.
Issue 763355 has been merged into this issue.
re #3: this was not meant to be offensive. I was the reviewer of that code before it landed ;)
Comment 7 by bugdroid1@chromium.org (Project Member), Sep 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3ced15cb037dabb05139b8c069aeadc858194ec1

commit 3ced15cb037dabb05139b8c069aeadc858194ec1
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Sep 08 19:12:27 2017

[wasm] [fuzzer] Fix segfault

Even though we were generating additional arguments with default values
in the case that the caller was not providing enough, we then passed
the original pointer, leading to potential out-of-bounds accesses.

R=ahaas@chromium.org

Bug: chromium:763294, chromium:763297
Change-Id: Id18622d0d40e0408e26a5fc6f97494b5f9e18d17
Reviewed-on: https://chromium-review.googlesource.com/657699
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47930}
[modify] https://crrev.com/3ced15cb037dabb05139b8c069aeadc858194ec1/test/common/wasm/wasm-module-runner.cc

Comment 8 by ClusterFuzz (Project Member), Sep 9 2017

ClusterFuzz has detected this issue as fixed in range 500695:500770.

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500695:500770

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Sep 10 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5546860881379328 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
