Closed Bug 749620 Opened 12 years ago Closed 12 years ago

Invalid stack memory access in CompareLexicographicInt32

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla15

People

(Reporter: decoder, Assigned: evilpie)

Details

(Keywords: testcase, Whiteboard: [asan] js-triage-needed)

Attachments

(1 file)

The following test causes an invalid stack memory access on mozilla-central revision 83ef3c9a64b5 (run with no options):


var v = [ 0, 0x7fffffff ];
// i deliberately runs past v.length, so v[i] is undefined for i >= 2;
// the out-of-bounds read is triggered by the [0, 0x7fffffff] pair.
for (var i = 0; i < 10; ++i)
  for (var j = 0; j < v.length; ++j)
    [v[i], v[j]].sort();


The test is minimized from a jit-test failure I encountered during make check of asan builds. Here's the backtrace:

$ /srv/repos/browser/mozilla-central/objdir-ff-asan64dbg/js/src/js test.js 2>&1 | asan_symbolize.py | c++filt 
=================================================================
==30819== ERROR: AddressSanitizer global-buffer-overflow on address 0x0000029b87e8 at pc 0x85aa3c bp 0x7fff849554f0 sp 0x7fff849554e8
READ of size 4 at 0x0000029b87e8 thread T0
    #0 0x85aa3c in CompareLexicographicInt32 /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2112
    #1 0x85800e in (anonymous namespace)::SortComparatorLexicographicInt32::operator()(JS::Value const&, JS::Value const&, bool*) /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2153
    #2 0x7efc1e in MergeSort /srv/repos/browser/mozilla-central/js/src/ds/Sort.h:133
    #3 0x7e7a84 in js::array_sort(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2335
    #4 0xeaae3d in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) /srv/repos/browser/mozilla-central/js/src/jscntxtinlines.h:314
    #5 0xea7e03 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:519
    #6 0xe54586 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:2757
    #7 0xe22792 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:475
    #8 0xeb2ff6 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:674
    #9 0xeb4fdd in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:715
    #10 0x6f67bc in JS_ExecuteScript /srv/repos/browser/mozilla-central/js/src/jsapi.cpp:5255
    #11 0x47ec48 in Process /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:478
    #12 0x46ee63 in ProcessArgs /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4696
    #13 0x46c3df in Shell(JSContext*, js::cli::OptionParser*, char**) /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4779
    #14 0x4711df in main /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4988
    #15 0x7fafa28e930d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x0000029b87e8 is located 0 bytes to the right of global variable '(anonymous namespace)::powersOf10 (/srv/repos/browser/mozilla-central/js/src/jsarray.cpp)' (0x29b87c0) of size 40

Shadow byte and word:
  0x1000005370fd: f9
  0x1000005370f8: 00 00 00 00 00 f9 f9 f9


Marking s-s until triaged and confirmed to be not exploitable in some way.
So somebody just forgot to handle the biggest difference, which is 0 to 0x7fffffff. V8 doesn't need to do this, for example, because it only handles 31-bit SMIs.

I doubt this is s-s, because in the worst case we sort some arrays in the wrong way. But I'd rather have somebody else check that.
Assignee: general → evilpies
Status: NEW → ASSIGNED
Attachment #619337 - Flags: review?(luke)
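Editor's note, added to illustrate the test case above and the comment about the 0 to 0x7fffffff gap. The block below is an added example, not SpiderMonkey's jsarray.cpp and not the attached patch: it reconstructs the "compare int32 values as strings without building strings" technique that CompareLexicographicInt32 implements, using a digit-count gap to index a powers-of-ten table, and cross-checks it against a plain string comparison. Assumptions are mine: the digit counter reports 0 digits for the value 0 (which is what makes the gap between 0 and the 10-digit value 0x7fffffff equal to 10, one past a 10-entry table of 40 bytes like the one in the ASan report), the table is widened to uint64_t so it can hold 10^10, and all names (`powersOf10`, `numDigitsBase10`, `lessOrEqualLexicographicInt32`, `selfCheck`) are hypothetical. The edge-value list is constructed for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>

// powersOf10[i] == 10^i.  An int32 magnitude has at most 10 decimal digits,
// and with the digit counter below reporting 0 digits for the value 0, the
// largest possible gap is 10 (0 versus 0x7fffffff), so the table needs 11
// entries and 10^10 only fits in 64 bits.  A 10-entry uint32_t table
// (40 bytes, the size in the ASan report) stops at 10^9, and a gap of 10
// reads one element past its end.  (Assumption: reconstruction, not the
// engine's actual table.)
static const uint64_t powersOf10[] = {
    1ULL, 10ULL, 100ULL, 1000ULL, 10000ULL, 100000ULL, 1000000ULL,
    10000000ULL, 100000000ULL, 1000000000ULL, 10000000000ULL};
static const size_t kPowersOf10Len = sizeof(powersOf10) / sizeof(powersOf10[0]);
static const unsigned kMaxInt32Digits = 10;   // 2147483648 has 10 digits
static_assert(kPowersOf10Len > kMaxInt32Digits,
              "powersOf10 must cover a digit-count gap of kMaxInt32Digits");

// Decimal digit count; returns 0 for 0 (assumed convention, chosen so the
// gap of 10 described in the bug actually arises).
static unsigned numDigitsBase10(uint64_t n) {
    unsigned d = 0;
    for (; n != 0; n /= 10) ++d;
    return d;
}

// Magnitude of an int32 as uint64, safe for INT32_MIN.
static uint64_t magnitude(int32_t v) {
    return v < 0 ? uint64_t(-(int64_t)v) : uint64_t(v);
}

// true iff String(a) <= String(b), i.e. the order Array.prototype.sort()
// uses with no comparator, computed without building any strings.
bool lessOrEqualLexicographicInt32(int32_t a, int32_t b) {
    if (a == b) return true;
    // '-' (0x2d) sorts before every digit (0x30..0x39).
    if (a < 0 && b >= 0) return true;
    if (a >= 0 && b < 0) return false;
    // Same sign: "-12" <= "-5" exactly when "12" <= "5", so compare magnitudes.
    uint64_t ua = magnitude(a), ub = magnitude(b);
    unsigned da = numDigitsBase10(ua), db = numDigitsBase10(ub);
    if (da == db) return ua <= ub;
    if (da > db) {
        assert(da - db < kPowersOf10Len);        // the bounds the bug ran past
        return ua < ub * powersOf10[da - db];    // "123" vs "12": 123 < 120? no
    }
    assert(db - da < kPowersOf10Len);
    return ua * powersOf10[db - da] <= ub;       // "12" vs "123": 120 <= 123? yes
}

// Reference: what the engine would get by converting both sides to strings.
bool lessOrEqualViaStrings(int32_t a, int32_t b) {
    return std::to_string(a) <= std::to_string(b);
}

// Cross-check the table-driven comparison against the string version on a
// constructed list of edge values, in both orderings of every pair.
bool selfCheck() {
    const std::vector<int32_t> edge = {
        0, 1, 5, 9, 10, 11, 12, 99, 100, 120, 123, 999999999, 1000000000,
        0x7fffffff, INT32_MIN, -1, -9, -10};
    for (int32_t a : edge)
        for (int32_t b : edge)
            if (lessOrEqualLexicographicInt32(a, b) != lessOrEqualViaStrings(a, b))
                return false;
    return true;
}

int main() {
    // The pair from the bug's test case: [0, 0x7fffffff].sort() compares these.
    assert(lessOrEqualLexicographicInt32(0, 0x7fffffff));
    assert(!lessOrEqualLexicographicInt32(0x7fffffff, 0));
    assert(selfCheck());
    return 0;
}
```

The `static_assert` on the table length is the check that would have turned this bug into a compile error: the maximum index is fixed by the widest int32 magnitude and the digit counter's treatment of 0, so it can be stated once next to the table instead of being rediscovered by ASan.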
Comment on attachment 619337 [details] [diff] [review]
Add some required power of 10

Phew, thanks!
Attachment #619337 - Flags: review?(luke) → review+
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/d3cf8d638b05
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15