
Issue 770450: Stack-buffer-overflow in Runtime_CanonicalizeLanguageTag

Reported by scdengy...@gmail.com, Sep 30 2017

Issue description

VULNERABILITY DETAILS
//uloc_tag.cpp


2412:
uloc_forLanguageTag(const char* langtag,
                    char* localeID,
                    int32_t localeIDCapacity,
                    int32_t* parsedLength,
                    UErrorCode* status) {
2524:
        len = _appendKeywords(lt, localeID + reslen, localeIDCapacity - reslen, status); // integer overflow
        
_appendKeywords(ULanguageTag* langtag, char* appendAt, int32_t capacity, UErrorCode* status) {
    int32_t kwdBufLength = capacity;
1519:
    kwdBuf = (char*)uprv_malloc(kwdBufLength);

VERSION
Version 60.0.3112.113 (Official Build) (64-bit)
Operating System: [Mac OS, 10.12.6]

REPRODUCTION CASE
var date0 = new Date('1995-12-17T03:24:00');
var dateti1 = new Intl.DateTimeFormat("iw-up-a-caiaup-araup-ai-pdu-sp-bs-up-arscna-zeieiaup-araup-arscia-rews-us-up-arscna-zeieiaup-araup-arsciap-arscna-zeieiaup-araup-arscie-u-sp-bs-uaup-arscia");
d = dateti1.format(date0);



FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
$ ~/v8/out/Debug/d8 poc.js
=================================================================
==30991==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3d946acd at pc 0x0000004343c4 bp 0x7ffd3d9464d0 sp 0x7ffd3d945c78
READ of size 159 at 0x7ffd3d946acd thread T0
    #0 0x4343c3 in __interceptor_strlen (/home/scdeny/v8/out/Debug/d8+0x4343c3)
    #1 0x41262ea in uloc_toLanguageTag_59 /home/scdeny/v8/out/Debug/../../third_party/icu/source/common/uloc_tag.cpp:2347:9
    #2 0x3804793 in v8::internal::__RT_impl_Runtime_CanonicalizeLanguageTag(v8::internal::Arguments, v8::internal::Isolate*) /home/scdeny/v8/out/Debug/../../src/runtime/runtime-intl.cc:85:3
    #3 0x3803886 in v8::internal::Runtime_CanonicalizeLanguageTag(int, v8::internal::Object**, v8::internal::Isolate*) /home/scdeny/v8/out/Debug/../../src/runtime/runtime-intl.cc:58:1
    #4 0x7f071adced7e  (<unknown module>)

Address 0x7ffd3d946acd is located in stack of thread T0 at offset 461 in frame
    #0 0x3803def in v8::internal::__RT_impl_Runtime_CanonicalizeLanguageTag(v8::internal::Arguments, v8::internal::Isolate*) /home/scdeny/v8/out/Debug/../../src/runtime/runtime-intl.cc:58

  This frame has 14 object(s):
    [32, 48) 'args'
    [64, 88) 'scope' (line 59)
    [128, 136) 'locale_id_str' (line 63)
    [160, 176) 'locale_id' (line 65)
    [192, 200) 'agg.tmp'
    [224, 232) 'agg.tmp15'
    [256, 264) 'agg.tmp16'
    [288, 292) 'error' (line 72)
    [304, 461) 'icu_result' (line 73)
    [528, 532) 'icu_length' (line 74) <== Memory access at offset 461 partially underflows this variable
    [544, 552) 'coerce' <== Memory access at offset 461 partially underflows this variable
    [576, 733) 'result' (line 82) <== Memory access at offset 461 partially underflows this variable
    [800, 808) 'coerce40'
    [832, 840) 'coerce47'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/scdeny/v8/out/Debug/d8+0x4343c3) in __interceptor_strlen
==30991==ABORTING
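The crash frame above shows a 157-byte icu_result[] handed to strlen() after an ICU call filled it completely. The following is an added example, not code from the report, V8 or ICU: a C stand-in for ICU's fixed-buffer contract (the status values and U_FAILURE are ICU's real definitions; the copy routine and the shape of the pre-fix check are assumptions) showing why checking only U_FAILURE and zero length lets an unterminated buffer through, and the check that rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status values and U_FAILURE mirror ICU's definitions; the rest is a stand-in. */
typedef enum {
    U_STRING_NOT_TERMINATED_WARNING = -124, /* result filled the buffer, no NUL */
    U_ZERO_ERROR = 0,
    U_BUFFER_OVERFLOW_ERROR = 15            /* result did not fit at all */
} UErrorCode;

#define U_FAILURE(x) ((x) > U_ZERO_ERROR)   /* warnings are negative: not failures */
#define ULOC_FULLNAME_CAPACITY 157          /* size of icu_result[] in the ASan frame */

/* Hypothetical stand-in for an ICU uloc_* call following ICU's preflighting
 * contract: returns the full result length, writes at most `cap` bytes, and
 * NUL-terminates only when there is room for the terminator. */
static int32_t icu_style_copy(const char *in, char *out, int32_t cap,
                              UErrorCode *status) {
    int32_t len = (int32_t)strlen(in);
    int32_t n = len < cap ? len : cap;
    memcpy(out, in, (size_t)n);
    if (len > cap) {
        *status = U_BUFFER_OVERFLOW_ERROR;
    } else if (len == cap) {
        *status = U_STRING_NOT_TERMINATED_WARNING;
    } else {
        out[len] = '\0';
        *status = U_ZERO_ERROR;
    }
    return len;
}

/* A check of the shape the crash implies (assumed, not quoted from V8): only
 * failures and empty results are rejected, so a result that exactly fills the
 * buffer passes with the warning status and the unterminated buffer reaches
 * strlen(), which is the READ of size 159 in the report. */
static bool old_check_accepts(UErrorCode status, int32_t len) {
    return !(U_FAILURE(status) || len == 0);
}

/* Hardened check: the buffer is a valid C string only when the call succeeded,
 * did not raise the not-terminated warning, and left room for the NUL. */
static bool safe_check_accepts(UErrorCode status, int32_t len, int32_t cap) {
    if (U_FAILURE(status) || len == 0) return false;
    if (status == U_STRING_NOT_TERMINATED_WARNING) return false;
    return len < cap;
}

typedef struct {
    int32_t len;
    UErrorCode status;
    bool old_ok;   /* would the pre-fix style check use the buffer? */
    bool safe_ok;  /* would the hardened check use the buffer? */
} Verdict;

/* Runs a constructed tag of n 'a' characters (0 <= n < 256) through the stand-in
 * and records each check's decision; the output buffer is never passed to
 * strlen(), so the unterminated case is observed without an overread. */
static Verdict verdict_for_tag_length(int32_t n) {
    char tag[256];
    char buf[ULOC_FULLNAME_CAPACITY];
    Verdict v;
    memset(tag, 'a', (size_t)n);
    tag[n] = '\0';
    v.status = U_ZERO_ERROR;
    v.len = icu_style_copy(tag, buf, ULOC_FULLNAME_CAPACITY, &v.status);
    v.old_ok = old_check_accepts(v.status, v.len);
    v.safe_ok = safe_check_accepts(v.status, v.len, ULOC_FULLNAME_CAPACITY);
    return v;
}

int main(void) {
    const int32_t lengths[] = {156, 157, 200};  /* fits, exact fill, overflows */
    for (int i = 0; i < 3; i++) {
        Verdict v = verdict_for_tag_length(lengths[i]);
        printf("len %3d status %4d old=%d safe=%d\n", (int)v.len, (int)v.status,
               v.old_ok, v.safe_ok);
    }
    return 0;
}
```

The exact-fill case (157) is the one that matters: it is not a U_FAILURE, so only a check that also looks at the warning status or at len versus capacity keeps the unterminated buffer away from strlen().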
 

Comment 1 by scdengy...@gmail.com, Sep 30 2017

Attachment: patch.diff (493 bytes)

Comment 2 by ClusterFuzz, Sep 30 2017

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5411230931222528.

Comment 3 by ClusterFuzz, Sep 30 2017

Project Member
Labels: Security_Severity-Medium Security_Impact-Head
Summary: Stack-buffer-overflow in uloc_toLanguageTag_59 (was: Security: Runtime_CanonicalizeLanguageTag_stack_overflow)
Detailed report: https://clusterfuzz.com/testcase?key=5411230931222528

Job Type: linux_asan_d8_dbg
Crash Type: Stack-buffer-overflow READ {*}
Crash Address: 0x7ff13f79552d
Crash State:
  uloc_toLanguageTag_59
  v8::internal::__RT_impl_Runtime_CanonicalizeLanguageTag
  v8::internal::Runtime_CanonicalizeLanguageTag
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=39415:39416

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5411230931222528

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 4 by infe...@chromium.org, Sep 30 2017

Cc: js...@chromium.org
Components: Blink>JavaScript
Labels: M-62 Pri-1
Owner: rossberg@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 5 by ClusterFuzz, Oct 1 2017

Project Member
Components: Blink>JavaScript>Runtime
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 6 by sheriffbot@chromium.org, Oct 1 2017

Project Member
Labels: -Security_Impact-Head Security_Impact-Beta

Comment 7 by sheriffbot@chromium.org, Oct 1 2017

Project Member
Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by infe...@chromium.org, Oct 1 2017

Labels: -Security_Impact-Beta -M-62 Security_Impact-Head M-63

Comment 9 by candr...@chromium.org, Oct 2 2017

Please add appropriate OSs.

Comment 10 Deleted

Comment 11 by sheriffbot@chromium.org, Oct 3 2017

Project Member
This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated with them, so that the issue can be tracked and promptly verified once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org, Oct 6 2017

Project Member
This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated with them, so that the issue can be tracked and promptly verified once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by gov...@chromium.org, Oct 9 2017

Please apply appropriate OSs label.

Comment 14 by rossberg@chromium.org, Oct 10 2017

Cc: -js...@chromium.org
Owner: js...@chromium.org
This is a failure in the Intl library. @jshin, can you please investigate?

Comment 15 by gov...@chromium.org, Oct 10 2017

Please apply appropriate OSs label. Thank you.

Comment 16 by js...@chromium.org, Oct 10 2017

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Status: Started (was: Assigned)
Sorry that I missed this one. Looking into it.

Comment 17 by js...@chromium.org, Oct 10 2017

Summary: Stack-buffer-overflow in Runtime_CanonicalizeLanguageTag (was: Stack-buffer-overflow in uloc_toLanguageTag_59)

Comment 18 by js...@chromium.org, Oct 11 2017

Cc: littledan@chromium.org adamk@chromium.org

Comment 19 by bugdroid1@chromium.org, Oct 12 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/69bd294affaf0dd567d8649f5c02e891473f3e1f

commit 69bd294affaf0dd567d8649f5c02e891473f3e1f
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Oct 12 06:33:35 2017

Correct the misuse of uloc_{to,from}LanguageTag

- remove unused Runtime_GetLanguageTagVariants
- add test for another related bug (chromium:770452) as well as for 
chromium:770450 . 

Bug:  chromium:770450 ,  chromium:770452 
Test: intl/general/invalid-locale.js
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I4496a4a5421000faa0e37aed85fea21ceb487998
Reviewed-on: https://chromium-review.googlesource.com/710816
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48483}
[modify] https://crrev.com/69bd294affaf0dd567d8649f5c02e891473f3e1f/src/runtime/runtime-intl.cc
[modify] https://crrev.com/69bd294affaf0dd567d8649f5c02e891473f3e1f/src/runtime/runtime.h
[add] https://crrev.com/69bd294affaf0dd567d8649f5c02e891473f3e1f/test/intl/general/invalid-locale.js

Comment 20 by ClusterFuzz, Oct 12 2017

Project Member
ClusterFuzz has detected this issue as fixed in range 48482:48483.

Detailed report: https://clusterfuzz.com/testcase?key=5411230931222528

Job Type: linux_asan_d8_dbg
Crash Type: Stack-buffer-overflow READ {*}
Crash Address: 0x7ff13f79552d
Crash State:
  uloc_toLanguageTag_59
  v8::internal::__RT_impl_Runtime_CanonicalizeLanguageTag
  v8::internal::Runtime_CanonicalizeLanguageTag
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=39415:39416
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48482:48483

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5411230931222528

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 21 by js...@chromium.org, Oct 12 2017

Cc: infe...@chromium.org
The fix was landed in time for M63 branch cut. 

inferno@: You changed the target from M62 to M63. Do you think it's ok not to merge to M62?

Comment 22 by ClusterFuzz, Oct 12 2017

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5411230931222528 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 23 by sheriffbot@chromium.org, Oct 12 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 24 by mmoroz@chromium.org, Oct 13 2017

Labels: reward-topanel

Comment 25 by js...@chromium.org, Oct 13 2017

Cc: hablich@chromium.org
Labels: M-62
I believe this should go to M-62 as well. 

Will wait for the canary coverage. 
 
./tools/release/mergeinfo.py 69bd29 says that it does not yet have a canary coverage.

Comment 26 by js...@chromium.org, Oct 13 2017

Labels: Merge-Request-63
This is a v8 fix, so it needs to be merged to v8's branch that is used in Chrome M63 branch (even though the patch was landed before Chromium's M63 branch cut).
Requesting merge to M63 (v8's 6.3(?) branch).

Will ask for merging to M62 later.

Comment 27 Deleted

Comment 28 by sheriffbot@chromium.org, Oct 14 2017

Project Member
Labels: -Merge-Request-63 Hotlist-Merge-Approved Merge-Approved-63
Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by gov...@chromium.org, Oct 16 2017

** Bulk Edit **

Please merge your change to M63 branch 3239 before 5:00 PM PT Monday (10/16) so we can take it in for next dev release. Thank you.

Comment 30 by awhalley@google.com, Oct 16 2017

Labels: -ReleaseBlock-Stable -M-62

Comment 31 by bugdroid1@chromium.org, Oct 16 2017

Project Member
Labels: merge-merged-6.3
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/593b0d895d9adea24ab0a0a51d8a5e891485674c

commit 593b0d895d9adea24ab0a0a51d8a5e891485674c
Author: Jungshik Shin <jshin@chromium.org>
Date: Mon Oct 16 20:56:39 2017

Merged: Correct the misuse of uloc_{to,from}LanguageTag

Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f

Merge to 6.3 branch

- remove unused Runtime_GetLanguageTagVariants
- add test for another related bug (chromium:770452) as well as for
chromium:770450 .

BUG= chromium:770450 , chromium:770452 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ia2c6dd2156c51995fb18228fc3062a86e78d719c
Reviewed-on: https://chromium-review.googlesource.com/721844
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#9}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/593b0d895d9adea24ab0a0a51d8a5e891485674c/src/runtime/runtime-intl.cc
[modify] https://crrev.com/593b0d895d9adea24ab0a0a51d8a5e891485674c/src/runtime/runtime.h
[add] https://crrev.com/593b0d895d9adea24ab0a0a51d8a5e891485674c/test/intl/general/invalid-locale.js

Comment 32 by gov...@chromium.org, Oct 16 2017

Labels: -Merge-Approved-63
Per comment #31, this is already merged to M63.

Comment 33 by js...@chromium.org, Oct 17 2017

Labels: Merge-Request-62 M-62
The fix missed the 1st train for M62 stable. Asking for merge approval to M62 (v8 6.2 branch) for a respin of M62 stable.

Comment 34 by sheriffbot@chromium.org, Oct 17 2017

Project Member
Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by bugdroid1@chromium.org, Oct 17 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9a132a9e7208a042a4c7cc2b71248573f74a4e3e

commit 9a132a9e7208a042a4c7cc2b71248573f74a4e3e
Author: Michael Hablich <hablich@chromium.org>
Date: Tue Oct 17 16:10:36 2017

Revert "Merged: Correct the misuse of uloc_{to,from}LanguageTag"

This reverts commit 593b0d895d9adea24ab0a0a51d8a5e891485674c.

Reason for revert: broke some branch builders like https://build.chromium.org/p/client.v8.branches/builders/V8%20arm%20-%20sim%20-%20beta%20branch%20-%20debug

Original change's description:
> Merged: Correct the misuse of uloc_{to,from}LanguageTag
> 
> Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f
> 
> Merge to 6.3 branch
> 
> - remove unused Runtime_GetLanguageTagVariants
> - add test for another related bug (chromium:770452) as well as for
> chromium:770450 .
> 
> BUG= chromium:770450 , chromium:770452 
> LOG=N
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
> R=adamk@chromium.org
> 
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Change-Id: Ia2c6dd2156c51995fb18228fc3062a86e78d719c
> Reviewed-on: https://chromium-review.googlesource.com/721844
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Jungshik Shin <jshin@chromium.org>
> Cr-Commit-Position: refs/branch-heads/6.3@{#9}
> Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
> Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}

TBR=adamk@chromium.org,hablich@chromium.org,jshin@chromium.org

Change-Id: I37018f8241efe1431f453ff55cf8216a5daa66de
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:770450 ,  chromium:770452 
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/723323
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#17}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/9a132a9e7208a042a4c7cc2b71248573f74a4e3e/src/runtime/runtime-intl.cc
[modify] https://crrev.com/9a132a9e7208a042a4c7cc2b71248573f74a4e3e/src/runtime/runtime.h
[delete] https://crrev.com/f435a180d199eda0c6777be153aa0ca5541ef599/test/intl/general/invalid-locale.js

Comment 36 by bugdroid1@chromium.org, Oct 17 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bb1e70a61fbf93488ce9e4e6e943e549732ed65d

commit bb1e70a61fbf93488ce9e4e6e943e549732ed65d
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Oct 17 20:58:47 2017

Revert "Revert "Merged: Correct the misuse of uloc_{to,from}LanguageTag""

This reverts commit 9a132a9e7208a042a4c7cc2b71248573f74a4e3e.

Reason for revert: ICU was not rolled in 6.3 branch, leading to invalid-locale test failure (that was added to test an ICU fix). Now, ICU is rolled in 6.3 branch ( https://chromium-review.googlesource.com/c/v8/v8/+/723564 ).


Original change's description:
> Revert "Merged: Correct the misuse of uloc_{to,from}LanguageTag"
> 
> This reverts commit 593b0d895d9adea24ab0a0a51d8a5e891485674c.
> 
> Reason for revert: broke some branch builders like https://build.chromium.org/p/client.v8.branches/builders/V8%20arm%20-%20sim%20-%20beta%20branch%20-%20debug
> 
> Original change's description:
> > Merged: Correct the misuse of uloc_{to,from}LanguageTag
> > 
> > Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f
> > 
> > Merge to 6.3 branch
> > 
> > - remove unused Runtime_GetLanguageTagVariants
> > - add test for another related bug (chromium:770452) as well as for
> > chromium:770450 .
> > 
> > BUG= chromium:770450 , chromium:770452 
> > LOG=N
> > NOTRY=true
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > R=adamk@chromium.org
> > 
> > Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> > Change-Id: Ia2c6dd2156c51995fb18228fc3062a86e78d719c
> > Reviewed-on: https://chromium-review.googlesource.com/721844
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Jungshik Shin <jshin@chromium.org>
> > Cr-Commit-Position: refs/branch-heads/6.3@{#9}
> > Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
> > Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
> 
> TBR=adamk@chromium.org,hablich@chromium.org,jshin@chromium.org
> 
> Change-Id: I37018f8241efe1431f453ff55cf8216a5daa66de
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug:  chromium:770450 ,  chromium:770452 
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/723323
> Reviewed-by: Michael Hablich <hablich@chromium.org>
> Commit-Queue: Michael Hablich <hablich@chromium.org>
> Cr-Commit-Position: refs/branch-heads/6.3@{#17}
> Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
> Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}

TBR=adamk@chromium.org,hablich@chromium.org,jshin@chromium.org

Change-Id: Ie7eac96859c8053c4f1b41b0a9b4f79a44883295
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:770450 ,  chromium:770452 
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/723608
Reviewed-by: Michael Hablich <hablich@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#23}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/bb1e70a61fbf93488ce9e4e6e943e549732ed65d/src/runtime/runtime-intl.cc
[modify] https://crrev.com/bb1e70a61fbf93488ce9e4e6e943e549732ed65d/src/runtime/runtime.h
[add] https://crrev.com/bb1e70a61fbf93488ce9e4e6e943e549732ed65d/test/intl/general/invalid-locale.js

Comment 37 by abdulsyed@chromium.org, Oct 19 2017

Can you confirm if this is still required for M62 (unclear if fix was reverted or not)? How critical is this and what is the full impact if we wait until M63? This seems to be touching all platforms as well and we're already at stable ramp-up for M62.

Comment 38 by awhalley@chromium.org, Oct 19 2017

Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 39 by awhalley@google.com, Oct 20 2017

And $1000 for this one - thanks!

Comment 40 by awhalley@chromium.org, Oct 20 2017

Labels: -reward-unpaid reward-inprocess

Comment 41 by abdulsyed@chromium.org, Oct 23 2017

+hablich@/adamk@ - can you please review this merge from V8 perspective?

Comment 42 by js...@chromium.org, Oct 23 2017

Sorry for the late reply. What needs to be done (after approval from Michael) is:


1. Roll ICU in 6.2 branch (of v8) as was done for 6.3 branch
( https://chromium-review.googlesource.com/c/v8/v8/+/723564 )

2. Cherry-pick in 6.2 branch
https://chromium.googlesource.com/v8/v8.git/+/bb1e70a61fbf93488ce9e4e6e943e549732ed65d

Comment 43 by js...@chromium.org, Oct 23 2017

For 6.2 branch, I'll make two CLs above and ask for the approval.

Comment 44 by hablich@chromium.org, Oct 24 2017

Labels: -Merge-Review-62 Merge-Approved-62

Comment 45 by bugdroid1@chromium.org, Oct 24 2017

Project Member
Labels: merge-merged-6.2
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dad541bf46354b0ce2cf40b9419673f5edc3564a

commit dad541bf46354b0ce2cf40b9419673f5edc3564a
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Oct 24 20:45:07 2017

Merged: Correct the misuse of uloc_{to,from}LanguageTag

Merge to 6.2 branch

Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f

In addition, roll ICU to 21d33b1a09

There are only two changes in the roll. This is to match
Chromium M62's ICU in v8's 6.2 branch

 https://chromium.googlesource.com/chromium/deps/icu/+log/08cb9568..21d33b1a

BUG= chromium:770450 , chromium:770452 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I79123ff567b822dc9afd9f1a4ebd007353033d8a
Reviewed-on: https://chromium-review.googlesource.com/736032
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.2@{#70}
Cr-Branched-From: efa2ac4129d30c7c72e84c16af3d20b44829f990-refs/heads/6.2.414@{#1}
Cr-Branched-From: a861ebb762a60bf5cc2a274faee3620abfb06311-refs/heads/master@{#47693}
[modify] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/DEPS
[modify] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/src/runtime/runtime-intl.cc
[modify] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/src/runtime/runtime.h
[add] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/test/intl/general/invalid-locale.js

Comment 46 by abdulsyed@chromium.org, Oct 25 2017

Labels: -Merge-Approved-62
Since it was merged, removing Merge-Approved

Comment 47 by scdengy...@gmail.com, Oct 26 2017

thx @awhalley, :)

Comment 48 by mbarbe...@chromium.org, Nov 7 2017

Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components

Comment 49 by awhalley@google.com, Nov 17 2017

Labels: -Security_Impact-Head Security_Impact-Stable

Comment 50 by awhalley@google.com, Nov 17 2017

Labels: CVE-2017-15406

Comment 51 by awhalley@google.com, Nov 17 2017

Labels: Release-1-M62

Comment 52 by sheriffbot@chromium.org, Jan 18 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 53 by ofrobots@google.com, Mar 7 2018

Labels: NodeJS-Backport-Review
Node.js backport triage: seems to be present on Node 6.x (V8 4.5) only (ASAN build).

Comment 54 by sheriffbot@chromium.org, Mar 27 2018

Project Member
Labels: -M-62 -M-63 M-65

Comment 55 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-missing

Comment 56 by awhalley@google.com, Oct 5

Labels: -CVE_description-missing CVE_description-submitted
