Closed
Bug 621419
Opened 14 years ago
Closed 12 years ago
Use-after-free Crash [@ JSObject::lookupProperty] after gc()
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 621375
People
(Reporter: alexander.miller, Unassigned)
References
Details
(Keywords: testcase, Whiteboard: [sg:dupe 621375])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier:

A use-after-free issue exists in the js shell.

Testcase:

function z() {
    return evalcx('split').Object.__lookupGetter__;
}
var a = z();
gc();
a();

Reproducible: Always

Steps to Reproduce:
1. Load that testcase
2. Use-after-free crash (trying to access 0xdadadb32)

Actual Results:
Crash due to invalid (possibly arbitrary) memory access. (Not a crash reading freed memory)

Expected Results:
Syntax error or exception of sorts... Anything but an exploitable crash.

Faulting instruction: mov eax,dword ptr [eax]
Comment 1•14 years ago
Just by looking at the testcase, I think the following is happening: evalcx('split') is splitting the returned value of the function. Because one half of the split object is a null property (or whatever it's called), that half is collected by gc() because gc() doesn't seem to collect split objects correctly. Then when the function is finally called, the half of the object containing the properties was freed, which leads to accessing freed memory.
Comment 2•14 years ago
Dup of bug 619004 / bug 621375? The testcase seems very similar to the one in bug 621375.
Comment 3•14 years ago
(In reply to comment #2)
> Dup of bug 619004 / bug 621375? The testcase seems very similar to the one in
> bug 621375.

Yeah, it is pretty similar. I would say not quite a dup because of the different crash signature, different changeset (a6438d91ca4d), and the fact that this occurs regardless of any JITs that are enabled.
Comment 4•14 years ago
I assume this is a dupe of bug 621375 and will be fixed with it, but just in case not, leaving open and "depends on" 621375 so this testcase can be separately verified.
Updated•13 years ago
Whiteboard: [sg:dupe 621375] if not fixed by 621375 probably sg:critical → [sg:dupe 621375]
Updated•12 years ago
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE