Heap-buffer-overflow in unsigned char v8::internal::ReadUnalignedValue<unsigned char>
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4561017198870528

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x607000000761
Crash State:
  unsigned char v8::internal::ReadUnalignedValue<unsigned char>
  v8::internal::wasm::CallIndirectOperand<
  v8::internal::wasm::WasmFullDecoder<

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=524055:524066

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561017198870528

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Dec 15 2017
Reproduces nicely locally when built with ASAN. Here is the result of a local bisect ...

5aaeb2fd1c5fb08bf1f96563d5f891621a428a0b is the first bad commit
commit 5aaeb2fd1c5fb08bf1f96563d5f891621a428a0b
Author: Clemens Hammacher <clemensh@chromium.org>
Date:   Wed Dec 13 10:53:39 2017 +0100

    [wasm] Simplify bounds check

    We really just need one check instead of three.
    This also unifies the error message to be the same on 32 and 64 bit systems.

    Drive-by: Fix potential overflow in {validate_size}.

    R=titzer@chromium.org

    Bug: chromium:794353
    Change-Id: I63c1f5ef53c1f245b9e82bcbf86a5d9ac0d2725e
    Reviewed-on: https://chromium-review.googlesource.com/824082
    Reviewed-by: Ben Titzer <titzer@chromium.org>
    Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#50071}
Dec 15 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 18 2017
Issue 795489 has been merged into this issue.
Dec 18 2017
Issue 795496 has been merged into this issue.
Dec 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/6633ad56d8e7d5393130121a099164444c4c857a

commit 6633ad56d8e7d5393130121a099164444c4c857a
Author: Andreas Haas <ahaas@chromium.org>
Date: Tue Dec 19 12:45:06 2017

[wasm] Stop decoding operands after error.

When we decode operands of WebAssembly instructions, we do not use the
current pc but a pc of the instruction plus some offset. However, the
pc of the instruction + offset can become invalid in case of a decoder
error. Therefore we have to stop decoding operands explicitly in case
of an error.

R=clemensh@chromium.org

Bug: chromium:795131
Change-Id: I3b7b45782c71a70364adf930bee3e94a1be88fea
Reviewed-on: https://chromium-review.googlesource.com/832867
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50196}

[modify] https://crrev.com/6633ad56d8e7d5393130121a099164444c4c857a/src/wasm/decoder.h
[modify] https://crrev.com/6633ad56d8e7d5393130121a099164444c4c857a/src/wasm/function-body-decoder-impl.h
[modify] https://crrev.com/6633ad56d8e7d5393130121a099164444c4c857a/test/unittests/wasm/function-body-decoder-unittest.cc
Dec 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8ae67cf18e843051fa7bd55b80ad1cafd98137b3

commit 8ae67cf18e843051fa7bd55b80ad1cafd98137b3
Author: Michael Achenbach <machenbach@chromium.org>
Date: Tue Dec 19 13:42:37 2017

Revert "[wasm] Stop decoding operands after error."

This reverts commit 6633ad56d8e7d5393130121a099164444c4c857a.

Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/18850

Original change's description:
> [wasm] Stop decoding operands after error.
>
> When we decode operands of WebAssembly instructions, we do not use the
> current pc but a pc of the instruction plus some offset. However, the
> pc of the instruction + offset can become invalid in case of a decoder
> error. Therefore we have to stop decoding operands explicitly in case
> of an error.
>
> R=clemensh@chromium.org
>
> Bug: chromium:795131
> Change-Id: I3b7b45782c71a70364adf930bee3e94a1be88fea
> Reviewed-on: https://chromium-review.googlesource.com/832867
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50196}

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: I5a67f77285fdedc7f4645f8efaaf0087b4046011
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:795131
Reviewed-on: https://chromium-review.googlesource.com/832650
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50199}

[modify] https://crrev.com/8ae67cf18e843051fa7bd55b80ad1cafd98137b3/src/wasm/decoder.h
[modify] https://crrev.com/8ae67cf18e843051fa7bd55b80ad1cafd98137b3/src/wasm/function-body-decoder-impl.h
[modify] https://crrev.com/8ae67cf18e843051fa7bd55b80ad1cafd98137b3/test/unittests/wasm/function-body-decoder-unittest.cc
Dec 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ca199ef87270312d83eb3beb739f612bfb0723e9

commit ca199ef87270312d83eb3beb739f612bfb0723e9
Author: Andreas Haas <ahaas@chromium.org>
Date: Tue Dec 19 17:29:00 2017

Reland [wasm] Stop decoding operands after error.

The problem was that parts of Simd8x16ShuffleOperand were uninitialized.

Original message:

[wasm] Stop decoding operands after error.

When we decode operands of WebAssembly instructions, we do not use the
current pc but a pc of the instruction plus some offset. However, the
pc of the instruction + offset can become invalid in case of a decoder
error. Therefore we have to stop decoding operands explicitly in case
of an error.

R=clemensh@chromium.org

Bug: chromium:795131
Change-Id: I732bc23547dbe531019d81a4397d22165a26d46b
Reviewed-on: https://chromium-review.googlesource.com/833934
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50211}

[modify] https://crrev.com/ca199ef87270312d83eb3beb739f612bfb0723e9/src/wasm/decoder.h
[modify] https://crrev.com/ca199ef87270312d83eb3beb739f612bfb0723e9/src/wasm/function-body-decoder-impl.h
[modify] https://crrev.com/ca199ef87270312d83eb3beb739f612bfb0723e9/test/unittests/wasm/function-body-decoder-unittest.cc
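The decoding pattern the three commits above describe, as an added example that is not V8's code: a sketch decoder in which operand bytes are read at pc + offset, every read is bounds-checked against the end of the buffer, and operand decoding stops as soon as an error has been recorded. The names Decoder, CallIndirectOperand and decode_call_indirect are assumed for illustration, and pc is a byte offset into the buffer rather than a pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Sketch decoder (not V8's): operand reads happen at pc + offset, so each
// read is bounds-checked, and after an error no further operand bytes are read.
struct Decoder {
  const uint8_t* start; size_t size; bool failed = false;
  Decoder(const uint8_t* s, size_t len) : start(s), size(len) {}
  // Read one byte at offset pc; record an error instead of reading past end.
  uint8_t read_u8(size_t pc) {
    if (failed) return 0;
    if (pc >= size) { failed = true; return 0; }
    return start[pc];
  }
  // Unsigned LEB128 u32 (at most 5 bytes); *length receives bytes consumed.
  uint32_t read_u32v(size_t pc, unsigned* length) {
    uint32_t result = 0;
    for (*length = 0; *length < 5; ++*length) {
      uint8_t b = read_u8(pc + *length);
      if (failed) return 0;
      result |= static_cast<uint32_t>(b & 0x7f) << (7 * *length);
      if ((b & 0x80) == 0) { ++*length; return result; }
    }
    failed = true;  // more than 5 bytes: malformed
    return 0;
  }
};
// call_indirect operand: type index (LEB128) followed by a table byte located
// at pc + length of the index, i.e. the "pc of the instruction + offset" case.
struct CallIndirectOperand {
  uint32_t index = 0; uint8_t table = 0; unsigned length = 0;
  CallIndirectOperand(Decoder* d, size_t pc) {
    index = d->read_u32v(pc, &length);
    if (d->failed) return;  // the fix: stop decoding operands after an error
    table = d->read_u8(pc + length);
    if (!d->failed) ++length;
  }
};
// Returns false when the operand does not fit inside the buffer.
bool decode_call_indirect(const std::vector<uint8_t>& bytes, uint32_t* index, uint8_t* table) {
  Decoder d(bytes.data(), bytes.size());
  CallIndirectOperand op(&d, 0);
  if (d.failed) return false;
  *index = op.index; *table = op.table;
  return true;
}
```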
Dec 20 2017
ClusterFuzz testcase 4677507399024640 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 20 2017
ClusterFuzz has detected this issue as fixed in range 525188:525196.

Detailed report: https://clusterfuzz.com/testcase?key=4561017198870528

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x607000000761
Crash State:
  unsigned char v8::internal::ReadUnalignedValue<unsigned char>
  v8::internal::wasm::CallIndirectOperand<
  v8::internal::wasm::WasmFullDecoder<

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=524055:524066
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=525188:525196

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561017198870528

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Dec 15 2017
Labels: Test-Predator-Auto-Components