ASan heap-use-after-free crash [@ js::types::ConstraintTypeSet::sweep] with OOM

VERIFIED FIXED in Firefox 30, Firefox OS v1.4

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
3 years ago
2 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, 5 keywords)

Trunk
mozilla31
x86_64
Linux
crash, csectype-uaf, regression, sec-critical, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox29 unaffected, firefox30 verified, firefox31 verified, firefox-esr24 unaffected, b2g-v1.2 unaffected, b2g-v1.3 unaffected, b2g-v1.4 fixed, b2g-v2.0 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision 1ab07aa4d004 (run with --fuzzing-safe):


function generate_big_object_graph() {
  var root = {};
  f(root, 17);
  function f(parent, depth) {
    if (depth == 0)
      return;
    --depth;
    f(parent.a = {}, depth);
    f(parent.b = {}, depth);
  }
}
function outer() { 
  var x = arguments; 
  return function inner() { return x }; 
}
var f = outer(generate_big_object_graph());
oomAfterAllocations(100);
gc();
(Reporter)

Comment 1

3 years ago
Crash trace:


==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
    #1 0xde68e7 in js::types::TypeScript::Sweep(js::FreeOp*, JSScript*, bool*) js/src/jsinfer.cpp:4244
    #2 0xde68e7 in js::types::TypeZone::sweep(js::FreeOp*, bool, bool*) js/src/jsinfer.cpp:4352
    #3 0x6ad5b7 in JS::Zone::sweep(js::FreeOp*, bool, bool*) js/src/gc/Zone.cpp:119
    #4 0xf7658d in BeginSweepingZoneGroup(JSRuntime*) js/src/jsgc.cpp:3976
    #5 0xf701b8 in BeginSweepPhase(JSRuntime*, bool) js/src/jsgc.cpp:4080
    #6 0xf701b8 in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) js/src/jsgc.cpp:4686
    #7 0xf69a2b in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4822
    #8 0xdb416f in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4955
    #9 0xccbed6 in js::DestroyContext(JSContext*, js::DestroyContextMode) js/src/jscntxt.cpp:264
    [...]

0x62500001bca8 is located 936 bytes inside of 8192-byte region [0x62500001b900,0x62500001d900)
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x5d44e4 in js_free(void*) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:128
    #2 0x5d44e4 in js::detail::BumpChunk::delete_(js::detail::BumpChunk*) js/src/ds/LifoAlloc.cpp:45
    #3 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66
    #4 0xdb04d3 in js::GCHelperThread::doSweep() js/src/jsgc.cpp:2731
    #5 0xdafa64 in js::GCHelperThread::threadLoop() js/src/jsgc.cpp:2558
    [...]

previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x5d47b3 in js_malloc(unsigned long) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:105
    #2 0x5d47b3 in js::detail::BumpChunk::new_(unsigned long) js/src/ds/LifoAlloc.cpp:23
    #3 0x5d47b3 in js::LifoAlloc::getOrCreateChunk(unsigned long) js/src/ds/LifoAlloc.cpp:105
    #4 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
    #5 0x926ca1 in js::ExclusiveContext::typeLifoAlloc() js/src/ds/LifoAlloc.h:387
    #6 0x926ca1 in js::types::TypeObject::getProperty(js::ExclusiveContext*, jsid) js/src/jsinferinlines.h:1247
    #7 0xdd6294 in InlineAddTypeProperty(js::ExclusiveContext*, js::types::TypeObject*, jsid, js::types::Type) js/src/jsinfer.cpp:2844:26
    #8 0xe39b4c in js::ThreadSafeContext::asExclusiveContext() const js/src/jsobjinlines.h:612:5
    #9 0xe39b4c in _ZL23UpdateShapeTypeAndValueILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEP8JSObjectPNS0_5ShapeERKN2JS5ValueE js/src/jsobj.cpp:3656
    #10 0xe39084 in _ZL23DefinePropertyOrElementILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEN2JS6HandleIP8JSObjectEENS6_I4jsidEEPFbP9JSContextS9_SB_NS5_13MutableHandleINS5_5ValueEEEEPFbSD_S9_SB_bSG_EjjNS6_ISF_EEbb js/src/jsobj.cpp:3756
    #11 0xf9cc42 in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5103:16
    #12 0x10cefb6 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.h:1020
    #13 0x10cefb6 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:339
    [...]


This looks very much like the thing we saw in pwn2own, marking s-s and sec-critical based on that. Jan pointed out that this might have been regressed by bug 988619. Needinfo on Brian based on that :)
status-firefox31: --- → affected
Flags: needinfo?(bhackett1024)
Keywords: csectype-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

3 years ago
Blocks: 912928
(Assignee)

Comment 2

3 years ago
Created attachment 8411227 [details] [diff] [review]
patch

Yes, this was regressed by bug 988619 (man, I suck at writing this OOM handling code).
Assignee: general → bhackett1024
Attachment #8411227 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
(Assignee)

Updated

3 years ago
Blocks: 988619
Keywords: regression
status-firefox30: --- → unaffected
status-firefox-esr24: --- → unaffected

Updated

3 years ago
Attachment #8411227 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 3

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/496007a2b3ae
Duplicate of this bug: 1000996
It looks like we want bug 988619 on Aurora, which means we'll want this one too.
status-firefox29: --- → unaffected
status-firefox30: unaffected → ?
status-firefox30: ? → unaffected
https://hg.mozilla.org/mozilla-central/rev/496007a2b3ae
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox31: affected → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Bug 988619 was pushed to Aurora with this fix rolled in.
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-b2g-v1.4: --- → fixed
status-b2g-v2.0: --- → fixed
status-firefox30: unaffected → fixed
Confirmed crash on 2014-04-04, Fx30.
Verified fixed on 2014-06-04, Fx30 and Fx31.
Status: RESOLVED → VERIFIED
status-firefox30: fixed → verified
status-firefox31: fixed → verified
Group: core-security
You need to log in before you can comment on or make changes to this bug.