New issue
Advanced search Search tips

Issue 786362 link

Starred by 3 users
Status: Verified
Owner:
ahaas@chromium.org
Closed: May 2018
Cc:
mathias@chromium.org
mstarzinger@chromium.org
clemensh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Prevent fuzzers from using disallowed runtime functions through `eval('%FooBar()')`

Project Member Reported by ClusterFuzz, Nov 17 2017 
Detailed report: https://clusterfuzz.com/testcase?key=6716331964760064

Fuzzer: ochang_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7f159ab40612
Crash State:
  NULL
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=48565:48566

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6716331964760064

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by clemensh@chromium.org, Nov 17 2017

Cc: clemensh@chromium.org mathias@chromium.org ahaas@chromium.org mstarzinger@chromium.org
Status: Available (was: Untriaged)
Oh damn, the fuzzer is starting to abuse assertPromiseResult, resulting in AbortJS being called...

Including Andreas and Mathias who wanted to refactor this anyway. Maybe now is the time?

Comment 2 by mstarzinger@chromium.org, Nov 17 2017 

Yeah, I have seen the fuzzer finding the eval("%FooBar()") pattern before and hence side-stepping the fuzzer white-list of allowed runtime functions. This has happened even before assertPromiseResult a couple of times. But wasn't annoying enough yet for anyone to take action. :/

Comment 3 by ahaas@chromium.org, Nov 17 2017

Cc: -ahaas@chromium.org
Owner: ahaas@chromium.org
I have it on my list, I will do it latest at the next Cleanup Friday.

Comment 4 by ahaas@chromium.org, Nov 17 2017

Labels: -Pri-1 Pri-2

Comment 5 by mathias@chromium.org, Nov 18 2017

Labels: -OS-Linux

Comment 6 by mathias@chromium.org, Nov 18 2017

Summary: Prevent fuzzers from using disallowed runtime functions through `eval('%FooBar()')`
Project Member

Comment 7 by ClusterFuzz, Nov 18 2017

Labels: OS-Linux
Project Member

Comment 8 by ClusterFuzz, Jan 13 2018

Labels: OS-Mac

Comment 9 by ishell@chromium.org, Jan 31 2018

Status: Assigned (was: Available)
Project Member

Comment 10 by ClusterFuzz, Mar 21 2018

Labels: OS-Android
Project Member

Comment 11 by ClusterFuzz, May 17 2018 

ClusterFuzz has detected this issue as fixed in range 53203:53204.

Detailed report: https://clusterfuzz.com/testcase?key=6716331964760064

Fuzzer: ochang_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x55c945585a42
Crash State:
  NULL
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=48565:48566
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=53203:53204

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6716331964760064

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, May 17 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6716331964760064 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment