Closed Bug 691299 (CVE-2011-3661) Opened 13 years ago Closed 13 years ago

Crash at js::RegExp::executeInternal

Categories

(Core :: JavaScript Engine, defect)

7 Branch
x86
All
defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla11
Tracking Status
firefox8 - wontfix
firefox9 + fixed
firefox10 + fixed
firefox11 + fixed
status1.9.2 --- unaffected

People

(Reporter: aki.helin, Assigned: cdleary)

Details

(4 keywords, Whiteboard: [sg:critical?][qa!])

Attachments

(2 files, 1 obsolete file)

Attached file regex.html
User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20110928060149

Steps to reproduce:

I stumbled into another regexp issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=653672. That one was fixed in Firefox 7.0, but this one remains in it and 8.0 beta. Filing as a security bug based on the high crash address and probability of there being a similar integer error.


Actual results:

Firefox 7.0 / Linux (64-bit Debian 6.0.2) -> https://crash-stats.mozilla.com/report/index/2b6d78d1-df97-4497-bbcc-b3fae2111003

Firefox 8.0 beta / ditto -> https://crash-stats.mozilla.com/report/index/bp-82827ac7-07c6-4f97-a697-5f1202111003


Expected results:

Firefox shouldn't have crashed and I should have caught this earlier.
Open the attached file to reproduce. Firefox usually appears to get stuck for a few seconds and then crashes. Some pages exhibit this crash instantly. I tried to make a small repro that crashes most of the time on different versions.

Firefox 8.0 on 32-bit Debian crashed with a slightly different signature [@ JSC::Yarr::execute ] -> https://crash-stats.mozilla.com/report/index/bp-180837cb-6a6f-440f-a900-b859c2111003
Using Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0a1) Gecko/20111003 Firefox/10.0a1 I don't crash, but Nightly stops responding and I have to force quit.
Firefox 7.0.1 / Windows 7 -> https://crash-stats.mozilla.com/report/index/bbba3892-7e36-40d5-963e-93b422111004
OS: Linux → All
Haven't tested nightly yet, but have we updated YARR since Fx8?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical?]
Assignee: nobody → cdleary
Status: NEW → ASSIGNED
Attachment #565697 - Flags: review?(dmandelin)
Assignee: cdleary → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Can you report this to WebKit and attach that patch to see if they want to upstream it?
(In reply to David Mandelin from comment #7)
> Can you report this to WebKit and attach that patch to see if they want to
> upstream it?

Will do. I actually missed one shell test failure as well. Will post the link when I fix that and submit to their tracker.
Assignee: general → cdleary
Can we get the webkit bug link added to this bug?
Keywords: crash, testcase
Comment on attachment 565697 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

Review of attachment 565697 [details] [diff] [review]:
-----------------------------------------------------------------

Chris says the patch has a problem and needs refreshing.
Attachment #565697 - Flags: review?(dmandelin)
Fixes the problem. Will post to webkit bug tracker now.
Attachment #565697 - Attachment is obsolete: true
Too late for 8 given the complexity of this patch.
Do we want this for 9?
Yes please.
Chris, what's left here?
Comment on attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

No feedback from WebKit. Requesting approval for aurora / beta landing ASAP.
Attachment #568767 - Flags: review?(dmandelin)
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: review?(dmandelin) → review+
Comment on attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

[Triage Comment]
Please re-nominate for approval once this has landed on m-c.
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta-
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora-
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta-
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora-
Marking FIXED since this landed on m-c.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
Comment on attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

[Triage Comment]
Let's take this on both aurora and beta - this is critical and we expect to find any regressions quickly (if there are any).
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta+
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora+
Attachment #564162 - Attachment mime type: text/plain → text/html
Crash no longer reproducible with 2011-12-08 Nightly and Aurora, and Firefox 9.0b5.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Alias: CVE-2011-3661
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug691299-regexp.js.
Flags: in-testsuite+
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+