Closed Bug 1065362 Opened 10 years ago Closed 10 years ago

Crash [@ getClass] with poisoned crash pattern

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1066659
Tracking Status
firefox35 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

The following testcase crashes on mozilla-central revision 152ef25e89ae (run with --fuzzing-safe --no-threads --ion-regalloc=backtracking --ion-eager):


gczeal(2,1);
function printStatus (msg) {}
function reportCompare (expected, actual) {
  printStatus(typeof expected);
  printStatus("x" + typeof actual);
  expected != actual;
}
var obj2 = {};
var patterns = new Array();
patterns[0] = '';
patterns[1] = 0;
test();
function test() {
  for (i in patterns)
    reportCompare (this ? new Date() : 'y', obj2 + '');
}
This looks pretty bad:


Program received signal SIGSEGV, Segmentation fault.
0x0866551e in getClass (this=<optimized out>) at js/src/vm/RegExpObject.cpp:971
971     }
#0  0x0866551e in getClass (this=<optimized out>) at js/src/vm/RegExpObject.cpp:971
#1  is<js::StringObject> (this=<optimized out>) at js/src/jsobj.h:1165
#2  js::ToPrimitive (cx=cx@entry=0x95c5378, vp=$jsval(-nan(0xfff88f6b00000))) at js/src/jsobjinlines.h:861
#3  0x08665a03 in js::LooselyEqual (cx=0x95c5378, lval=..., rval=..., result=0xf6afed5c) at js/src/vm/Interpreter.cpp:730
#4  0x084998e7 in js::jit::LooselyEqual<false> (cx=cx@entry=0x95c5378, lhs=lhs@entry=$jsval(-nan(0xfff88f6b00000)), rhs=rhs@entry=$jsval(-nan(0xfff85f6712860)), res=res@entry=0xf6afed5c) at js/src/jit/VMFunctions.cpp:238
#5  0x08484cc0 in js::jit::Simulator::softwareInterrupt (this=0x95c4920, instr=0x96413fc) at js/src/jit/arm/Simulator-arm.cpp:2162
#6  0x08481b0d in js::jit::Simulator::instructionDecode (this=this@entry=0x95c4920, instr=instr@entry=0x96413fc) at js/src/jit/arm/Simulator-arm.cpp:4043
#7  0x084a25f4 in js::jit::Simulator::execute<false> (this=0x95c4920) at js/src/jit/arm/Simulator-arm.cpp:4096
eax     0x2b2b2b2b      724249387
=> 0x866551e <js::ToPrimitive(JSContext*, JS::MutableHandleValue)+78>:  mov    (%eax),%ecx


Judging from the crash pattern, I assume this is some form of use-after-free?
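The register dump above is what makes the use-after-free reading plausible: eax holds a single byte replicated across the whole word (0x2b2b2b2b), and the faulting instruction dereferences exactly that register. The small Python helper below is an added triage example, not part of the bug report or of SpiderMonkey's own tooling: it scans gdb output for registers holding a repeated-byte fill, maps the byte to a poison meaning, and checks whether the faulting load's base register is one of them. The poison-byte table is an assumption taken from SpiderMonkey's GC poisoning constants (JS_SWEPT_NURSERY_PATTERN and friends) and should be checked against the revision being triaged; the non-poisoned register line is constructed sample input.

```python
import re

# Poison byte -> meaning. ASSUMED from SpiderMonkey's GC poison constants
# (e.g. JS_SWEPT_NURSERY_PATTERN = 0x2B); verify against the tree you triage.
ASSUMED_POISON_BYTES = {
    0x2F: "fresh nursery (never allocated)",
    0x2B: "swept nursery (object already collected)",
    0x4F: "fresh tenured (never allocated)",
    0x4B: "swept tenured / freed heap",
}

# gdb "info registers" style line: name, hex value, decimal value.
REG_LINE = re.compile(r"^(?P<reg>[a-z0-9]+)\s+0x(?P<hex>[0-9a-f]+)\s+-?\d+\s*$")
# gdb "x/i $pc" style line marking the faulting instruction.
FAULT_LINE = re.compile(
    r"^=>\s+0x[0-9a-f]+\s+<[^>]+>:\s+(?P<mnemonic>\S+)\s+(?P<operands>.*)$")
# AT&T memory operand such as "(%eax)" or "0x8(%rbx)": capture the base register.
MEM_OPERAND = re.compile(r"\(%(?P<base>[a-z0-9]+)")

# Constructed sample: the two gdb lines quoted in the report plus one
# ordinary (non-poisoned) register line made up for contrast.
SAMPLE_GDB_OUTPUT = [
    "eax     0x2b2b2b2b      724249387",
    "ecx     0x95c5378       157045624",
    "=> 0x866551e <js::ToPrimitive(JSContext*, JS::MutableHandleValue)+78>:"
    "  mov    (%eax),%ecx",
]


def poison_byte(value, width_bytes):
    """Return the byte if `value` is one byte replicated across all
    `width_bytes` bytes (the signature of a memset-style poison fill), else None."""
    raw = value.to_bytes(width_bytes, "little")
    return raw[0] if len(set(raw)) == 1 else None


def triage_registers(lines, width_bytes=4):
    """Scan gdb output: collect registers holding a known poison fill, find the
    faulting instruction's memory base register, and state a verdict if they meet."""
    poisoned = {}
    fault = None
    for line in lines:
        m = REG_LINE.match(line.strip())
        if m:
            value = int(m.group("hex"), 16)
            if value.bit_length() > width_bytes * 8:
                continue  # wider than the register width we were told about
            byte = poison_byte(value, width_bytes)
            if byte is not None and byte in ASSUMED_POISON_BYTES:
                poisoned[m.group("reg")] = ASSUMED_POISON_BYTES[byte]
            continue
        f = FAULT_LINE.match(line.strip())
        if f:
            mem = MEM_OPERAND.search(f.group("operands"))
            fault = {"mnemonic": f.group("mnemonic"),
                     "base": mem.group("base") if mem else None}
    verdict = None
    if fault and fault["base"] in poisoned:
        verdict = ("deref through %s holding '%s' poison: consistent with a "
                   "dangling GC pointer (use-after-free)"
                   % (fault["base"], poisoned[fault["base"]]))
    return {"poisoned": poisoned, "fault": fault, "verdict": verdict}


if __name__ == "__main__":
    for key, val in triage_registers(SAMPLE_GDB_OUTPUT).items():
        print(key, "=", val)
```

The width argument matters: on a 64-bit target pass `width_bytes=8`, otherwise a 32-bit fill in the low half of an rax-style register would be misread, and a genuine pointer that happens to fit in 32 bits would still be rejected by the repeated-byte check.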
Whiteboard: [jsbugmon:update,bisect]
Christian, can you do a bisection on this?
Actually I suspect this is the same bug as 1066659, needinfo from Hannes to confirm that.
Flags: needinfo?(hv1989)
Same regression range:

changeset:   183175:8c234572141a
user:        Terrence Cole <terrence@mozilla.com>
date:        Mon May 05 17:10:29 2014 -0700
summary:     Bug 989414 - Always allocate lambda objects in the nursery; r=jonco
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
Group: core-security