New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 1 user

Issue metadata

Status: Verified
Owner:
Vacation till Sep 3rd
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-after-poison in parameter_count

Project Member Reported by ClusterFuzz, Nov 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5827211323244544

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x6250000ac958
Crash State:
  parameter_count
  v8::internal::compiler::WasmGraphBuilder::WasmGraphBuilder
  v8::internal::compiler::CompileCWasmEntry
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49507:49508

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5827211323244544

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 22 2017

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Nov 22 2017

Labels: Test-Predator-Auto-Owner
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/3380e9a4d92a67881c4ff9d83e6d7d5b85a79750 (Reland "[wasm] Unify deoptimization data").

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 3 by mea...@chromium.org, Nov 22 2017

Labels: Security_Impact-Head
Status: Started (was: Assigned)
CL: https://chromium-review.googlesource.com/#/c/v8/v8/+/787312
Project Member

Comment 5 by bugdroid1@chromium.org, Nov 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6

commit 0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 23 12:33:51 2017

[wasm] [interpreter] Fix cross-instance indirect calls

The existing access to the signatures is plain wrong. This CL fixes
this.
Note that cross-instance indirect calls are only enabled since a few
days (https://crrev.com/c/778159), which is why this bug was not
detected before.

R=titzer@chromium.org

Bug:  chromium:787910 
Change-Id: Iaac4d1d85840c921eb8554c5094933ec8d987802
Reviewed-on: https://chromium-review.googlesource.com/787312
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49607}
[modify] https://crrev.com/0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6/test/mjsunit/wasm/interpreter.js

Status: Fixed (was: Started)
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 23 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by ClusterFuzz, Nov 24 2017

ClusterFuzz has detected this issue as fixed in range 49606:49607.

Detailed report: https://clusterfuzz.com/testcase?key=5827211323244544

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x6250000ac958
Crash State:
  parameter_count
  v8::internal::compiler::WasmGraphBuilder::WasmGraphBuilder
  v8::internal::compiler::CompileCWasmEntry
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49507:49508
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49606:49607

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5827211323244544

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Nov 24 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5827211323244544 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Mar 1

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

Sign in to add a comment