
Issue 767816

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 765301
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Crash in v8::internal::Invoke

Reported by ClusterFuzz (Project Member), Sep 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4542853924782080

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000100000008
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::New
  v8::internal::SliceHelper
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4542853924782080

Issue manually filed by: ishell

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ishell@chromium.org, Sep 22 2017

Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by sheriffbot@chromium.org, Sep 22 2017

Labels: Pri-1

Comment 3 by palmer@chromium.org, Sep 22 2017

ishell: Any chance this is a duplicate of Issue 767052?

Comment 4 (author and date not preserved on the page)

Cc: albertnetymk@google.com mstarzinger@chromium.org
Labels: Security_Impact-Head M-63
Let's just track this here; 767052 was auto-closed.

[heap] Turn on v8_enable_csa_write_barrier by albertnetymk@google.com
The suspect is the only CL in the regression range.

ishell@, does this CL look like the culprit?

Comment 5 by ishell@chromium.org, Sep 26 2017

Status: Started (was: Assigned)

Comment 6 by sheriffbot@chromium.org, Sep 27 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 7 (author and date not preserved on the page)

Cc: ishell@chromium.org
Owner: u...@chromium.org
Assigning ulan@ because ishell@ is on vacation.

Comment 8 by u...@chromium.org, Sep 29 2017

Cc: jarin@chromium.org danno@chromium.org
Mergedinto: 765301
Status: Duplicate (was: Started)
I debugged this locally. The crash is happening in the DeserializeLazy builtin for the write barrier stub. It was fixed last week in https://chromium-review.googlesource.com/668454.

danno@, jarin@, this is the Invoke crasher we talked about.

Comment 9 by sheriffbot@chromium.org, Jan 5 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
