Crash [@ js::irregexp::ActionNode::FillInBMInfo]

RESOLVED FIXED in Firefox 32, Firefox OS v2.0

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
mozilla34
x86_64
Mac OS X
crash, regression, testcase
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox31 unaffected, firefox32 fixed, firefox33 fixed, firefox34 fixed, firefox-esr24 unaffected, firefox-esr31 unaffected, b2g-v1.4 unaffected, b2g-v2.0 fixed, b2g-v2.1 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8472858 [details]
debug and opt stacks

RegExp("(||(w{2147483648}){4})*1").test()

crashes js debug and opt shells on m-c changeset d7e78f0c1465 with --ion-eager --ion-offthread-compile=off --no-threads at js::irregexp::ActionNode::FillInBMInfo

My configure flags are: (debug)

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-nspr-build

Opt:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-nspr-build

Guessing this is related to irregexp, so setting needinfo? from Brian. Setting s-s and guessing sec-high as a start.
Flags: needinfo?(bhackett1024)
(Reporter)

Updated

3 years ago
status-firefox34: --- → affected
(Assignee)

Comment 1

3 years ago
Created attachment 8473111 [details] [diff] [review]
patch

This is a simple overrecursion --- FillInBMInfo implementations freely recurse into each other with no stack checks.  I'm not sure how v8 avoids the need for overrecursion checks in this case, but it seems better to make these checks explicit.
Assignee: nobody → bhackett1024
Attachment #8473111 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
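The overrecursion described in comment 1, as an added example that is not SpiderMonkey's code: a toy irregexp-style node walk in the buggy shape (free recursion into successors) beside a hardened form that threads an explicit depth budget through the recursion and reports failure to the caller instead of overflowing the native stack. The arena node layout, `kMaxRecursionDepth` and the helper names are assumptions for this illustration.

```cpp
#include <cstddef>
#include <vector>

// Toy model of an irregexp-style node graph, arena-allocated so that
// freeing a deep graph is not itself a recursive walk.
struct Node {
    std::vector<size_t> successors;  // indices into Graph::nodes
};
struct Graph {
    std::vector<Node> nodes;
    size_t AddNode() { nodes.emplace_back(); return nodes.size() - 1; }
};

struct BMInfo { size_t visited = 0; };  // nodes that fed the lookahead table

// Assumed budget for this example, not SpiderMonkey's actual constant.
constexpr int kMaxRecursionDepth = 1000;

enum class Status { Ok, TooDeep };

// Buggy shape: recurses into successors with no stack check, so a graph
// deeper than the native stack allows crashes here (not run by the test).
void FillInBMInfoUnchecked(const Graph& g, size_t idx, BMInfo& info) {
    info.visited++;
    for (size_t s : g.nodes[idx].successors) FillInBMInfoUnchecked(g, s, info);
}

// Fixed shape: the depth is passed down explicitly and checked on entry;
// exceeding the budget is an ordinary error the caller can handle.
Status FillInBMInfoChecked(const Graph& g, size_t idx, int depth, BMInfo& info) {
    if (depth >= kMaxRecursionDepth) return Status::TooDeep;
    info.visited++;
    for (size_t s : g.nodes[idx].successors) {
        Status st = FillInBMInfoChecked(g, s, depth + 1, info);
        if (st != Status::Ok) return st;  // unwind cleanly, keep partial info
    }
    return Status::Ok;
}

// Caller: true if lookahead info was computed, false if the compiler must
// fall back (skip the Boyer-Moore optimisation) for this pattern.
bool TryFillInBMInfo(const Graph& g, BMInfo& info) {
    return !g.nodes.empty() && FillInBMInfoChecked(g, 0, 0, info) == Status::Ok;
}

// Chain of `depth` nodes: the shape a pathologically nested pattern produces.
Graph MakeChain(size_t depth) {
    Graph g;
    size_t prev = g.AddNode();
    for (size_t i = 1; i < depth; i++) {
        size_t next = g.AddNode();
        g.nodes[prev].successors.push_back(next);
        prev = next;
    }
    return g;
}
```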

Updated

3 years ago
Attachment #8473111 - Flags: review?(jdemooij) → review+
(Reporter)

Updated

3 years ago
Crash Signature: [@ js::irregexp::ActionNode::FillInBMInfo]
(Assignee)

Comment 2

3 years ago
Comment on attachment 8473111 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not exploitable --- overrecursion crash.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

The problem is kind of obvious from the patch.

Which older supported branches are affected by this flaw?

32+

If not all supported branches, which bug introduced the flaw?

bug 976446

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

trivial

How likely is this patch to cause regressions; how much testing does it need?

none

Approval Request Comment
[Feature/regressing bug #]: bug 976446
[User impact if declined]: potential non-exploitable crash
[Describe test coverage new/current, TBPL]: none
[Risks and why]: none
Attachment #8473111 - Flags: sec-approval?
Attachment #8473111 - Flags: approval-mozilla-beta?
Attachment #8473111 - Flags: approval-mozilla-aurora?
Group: core-security, javascript-core-security
Keywords: sec-high
Attachment #8473111 - Flags: sec-approval?
status-firefox31: --- → unaffected
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox-esr24: --- → unaffected
status-firefox-esr31: --- → unaffected
Attachment #8473111 - Flags: approval-mozilla-beta?
Attachment #8473111 - Flags: approval-mozilla-beta+
Attachment #8473111 - Flags: approval-mozilla-aurora?
Attachment #8473111 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e826a3acc243

Comment 4

3 years ago
https://hg.mozilla.org/mozilla-central/rev/e826a3acc243
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
https://hg.mozilla.org/releases/mozilla-aurora/rev/afbb49c2e22c
https://hg.mozilla.org/releases/mozilla-beta/rev/c6e134b4ed52
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → affected
status-b2g-v2.1: --- → fixed
status-firefox32: affected → fixed
status-firefox33: affected → fixed
status-firefox34: affected → fixed
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/c6e134b4ed52
status-b2g-v2.0: affected → fixed
Flags: qe-verify-