Eric, Mircea, Deepti, can you take a look at this.

+gzobqq@gmail.com, the original reporter.

Can we get access to the quoted 766253?

Yes, I CCed you.

I assume we want this backported to 60 and 61, as well as 62, correct?

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1bc42ab44cd62b860153249e281e8d3b40314cc3

commit 1bc42ab44cd62b860153249e281e8d3b40314cc3
Author: Mircea Trofin <mtrofin@chromium.org>
Date: Tue Sep 19 02:45:11 2017

[wasm] Sanitize imports

Sanitize imports before we start the instance building process. This
avoids the possibility of exiting to JS while building instances,
and allowing JS to observe an inconsistent state of the wasm world -
e.g. incomplete specialization chains.

We now validate we never exit to JS during that process.

Bug:  chromium:766260 

Change-Id: I34930c8b70bdac16af464b3f62a2b6a38107acb3
Reviewed-on: https://chromium-review.googlesource.com/671480
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48074}
[modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/module-compiler.cc
[modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/module-compiler.h
[modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/wasm-objects.cc
[modify] https://crrev.com/1bc42ab44cd62b860153249e281e8d3b40314cc3/src/wasm/wasm-objects.h

Pls apply appropriate OSs label.

This bug requires manual review: Less than 24 days to go before AppStore submit on M62
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+  awhalley@ for merge review

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+ Release TPMs as FYI (awhalley@ is currently looking).

Note that this (and the other bugs split from  issue 766253 ) were responsibly disclosed, so while these should be picked up if we respin for other issues I don't consider them a driver for a respin.

Approving this for M62 (branch: 3202)

M62 merge done: https://chromium-review.googlesource.com/c/v8/v8/+/673549

Approving merge to M61.

ketakid@ - 

ketakid@ - this has had very little bake time, I'd be very hesitant to take in 61, is there a particular driver?

(and sorry if the reason was my (now deleted) comment 23, which was intended for a different bug) 

Folks, are we ready to merge this in M61?

Removing request for M60 since there are no more M60 planned releases

Ketaki to confirm on M61 merge timing/approval 

What is the business/urgent case to merge this? I'd prefer to target M-62 which is targeted few weeks from now 

Feel free to re request if there is a very strong reason that can't wait few weeks 

The only source of urgency is the security aspect - a malicious program can access random data in the same process (renderer).

M62 has it already, see #21.

Let's target M62

+hablich

I don't understand why this was merge rejected from 61. This is a security vulnerability that I believe affects 61 as well. 

See https://bugs.chromium.org/p/chromium/issues/detail?id=766260#c19. Retrospectively I would also have preferred to merge this but not respin for it.

We are branching for 6.3 today so 6.1 is obsolete.