Use-of-uninitialized-value in v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5714112219447296

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial
  v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial
  v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=51672:51673

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5714112219447296

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Mar 2 2018
Mar 2 2018
Mar 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/824358f07bacb4a4d5d58defbae8490cfa0fa85c

commit 824358f07bacb4a4d5d58defbae8490cfa0fa85c
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Fri Mar 02 20:06:57 2018

[bigint] Make MSan happy: zero-initialize unused bits

There are some unused bits in a BigInt's bit field. We never read their
values explicitly, but whenever the entire object is moved around (for
serialization, or GC), this uninitialized memory is accessed.
This patch fixes that by initializing the entire field after allocation
of a BigInt, not just the bits we actually use.

Bug: chromium:818109
Change-Id: I5a4d24c3240242157b902c696fa9bb779799280d
Reviewed-on: https://chromium-review.googlesource.com/946676
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51708}

[modify] https://crrev.com/824358f07bacb4a4d5d58defbae8490cfa0fa85c/src/objects/bigint.cc
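The bug class behind the commit above, as an added example that is not part of this thread and not V8's code: a header word with used and unused bit ranges, an initializer that only writes the used ranges, and a whole-object copy (what a serializer or a moving GC does) that carries the allocator's leftover bits into its output. The struct layout, the mask names, `init_buggy`, `init_fixed`, `serialize` and the 0xAA fill pattern are all assumptions made for the demonstration.

```c
/* Added example, not V8 code: why "we never read those bits" is not enough
 * once the whole object is copied. Layout and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIGN_SHIFT   0u
#define SIGN_MASK    (1u << SIGN_SHIFT)
#define LENGTH_SHIFT 1u
#define LENGTH_MASK  (0x7FFFu << LENGTH_SHIFT)   /* bits 1..15 used */
/* bits 16..31 of the header word are unused */

typedef struct {
    uint32_t bitfield;   /* sign + length, plus unused high bits */
    uint32_t digits[1];
} FakeBigInt;

/* Stand-in for a non-zeroing heap. The 0xAA fill is a constructed pattern
 * so the effect of the uninitialised bits is deterministic in this demo;
 * a real allocator leaves whatever was there before. */
static FakeBigInt *alloc_garbage(void) {
    FakeBigInt *b = malloc(sizeof *b);
    if (!b) abort();
    memset(b, 0xAA, sizeof *b);
    return b;
}

/* Buggy: read-modify-write of only the used ranges. Every bit outside
 * SIGN_MASK | LENGTH_MASK keeps whatever the allocator left there. */
static void init_buggy(FakeBigInt *b, int sign, uint32_t length) {
    b->bitfield = (b->bitfield & ~SIGN_MASK) | ((uint32_t)sign << SIGN_SHIFT);
    b->bitfield = (b->bitfield & ~LENGTH_MASK) | (length << LENGTH_SHIFT);
    b->digits[0] = 0;
}

/* Fixed, in the spirit of the commit: build the entire word from zero so
 * the unused bits have a defined value too. */
static void init_fixed(FakeBigInt *b, int sign, uint32_t length) {
    b->bitfield = ((uint32_t)sign << SIGN_SHIFT) | (length << LENGTH_SHIFT);
    b->digits[0] = 0;
}

/* Whole-object copy, as a serializer or moving GC does. This is where the
 * unused bits are read, even though no accessor ever decodes them. */
static size_t serialize(const FakeBigInt *b, uint8_t *out) {
    memcpy(out, b, sizeof *b);
    return sizeof *b;
}

/* Returns the header word exactly as it lands in the serialized bytes. */
static uint32_t serialized_header(void (*init)(FakeBigInt *, int, uint32_t),
                                  int sign, uint32_t length) {
    FakeBigInt *b = alloc_garbage();
    uint8_t buf[sizeof *b];
    uint32_t word;
    init(b, sign, length);
    serialize(b, buf);
    memcpy(&word, buf, sizeof word);
    free(b);
    return word;
}

int main(void) {
    /* Same logical value (negative, length 3) through both initializers. */
    printf("buggy header: 0x%08x\n", serialized_header(init_buggy, 1, 3));
    printf("fixed header: 0x%08x\n", serialized_header(init_fixed, 1, 3));
    return 0;
}
```

The two serialized words agree on every bit the accessors use and differ only in the unused range, which is exactly what the MSan report in this bug is about: the garbage is never decoded, but it is copied, and in V8's case it reaches the serializer's output. To see MSan itself complain, build with `clang -fsanitize=memory`, drop the `memset` in `alloc_garbage` (it makes the bytes initialised as far as MSan is concerned) and write the buffer to a file descriptor; MSan reports when uninitialised bytes affect a branch or leave the process, not at the `memcpy`.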
Mar 2 2018
Should be fixed by #4.
Mar 2 2018
For the record, this did not have security implications.
Mar 3 2018
ClusterFuzz has detected this issue as fixed in range 51707:51708.

Detailed report: https://clusterfuzz.com/testcase?key=5714112219447296

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial
  v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial
  v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=51672:51673
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=51707:51708

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5714112219447296

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 3 2018
ClusterFuzz testcase 5714112219447296 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ishell@chromium.org, Mar 2 2018
Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)