Closed Bug 1277866 Opened 3 years ago Closed 3 years ago

Out-of-bounds write to unboxed object in arm64 backend

Categories

(Core :: JavaScript Engine: JIT, defect)


Tracking


RESOLVED FIXED
mozilla50
Tracking Status
firefox47 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- fixed

People

(Reporter: jonco, Assigned: jonco)

References

Details

(Keywords: csectype-other, sec-high, Whiteboard: [post-critsmash-triage][adv-main50+])

Attachments

(1 file)

The arm64 MacroAssembler method storeUnboxedPayload calls storePtr to do a four-byte write, which AIUI writes eight bytes. This can result in writing past the end of the object.

I'm not sure whether arm64 is used in production yet, but marking this s-s to be safe.
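A C model of the width mismatch described in the report, added here as an illustration and not code from SpiderMonkey or the patch: the object layout, the store helpers and the function names are hypothetical stand-ins, and the canary-filled neighbour is constructed so the overrun can be detected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (not SpiderMonkey's real one): an 8-byte header
 * followed by a single 4-byte int32 property, so the object is 12 bytes
 * and the next object starts immediately after it. */
enum { PAYLOAD_OFFSET = 8, OBJECT_SIZE = 12, NEIGHBOUR_SIZE = 4 };

/* Stand-ins for the MacroAssembler helpers named in the report. */
static void store_ptr(uint8_t *dst, uint64_t v) { memcpy(dst, &v, 8); } /* pointer-width store */
static void store32(uint8_t *dst, uint32_t v)  { memcpy(dst, &v, 4); } /* 4-byte store */

/* Buggy variant: a pointer-width store for a 4-byte payload. */
static void store_unboxed_payload_buggy(uint8_t *obj, int32_t v) {
    store_ptr(obj + PAYLOAD_OFFSET, (uint64_t)(uint32_t)v);
}

/* Fixed variant: the store width matches the payload width. */
static void store_unboxed_payload_fixed(uint8_t *obj, int32_t v) {
    store32(obj + PAYLOAD_OFFSET, (uint32_t)v);
}

/* Places an object and a canary-filled neighbour in a constructed arena,
 * performs one store, and reports whether the payload landed and the
 * neighbour survived. Assumes a little-endian host, as arm64 builds are:
 * the zero high half of the 8-byte store is what clobbers the neighbour. */
bool neighbour_intact_after_store(bool use_fixed) {
    uint8_t arena[OBJECT_SIZE + NEIGHBOUR_SIZE];
    memset(arena, 0, OBJECT_SIZE);
    memset(arena + OBJECT_SIZE, 0xA5, NEIGHBOUR_SIZE);
    if (use_fixed) store_unboxed_payload_fixed(arena, 42);
    else           store_unboxed_payload_buggy(arena, 42);
    int32_t got;
    memcpy(&got, arena + PAYLOAD_OFFSET, 4);
    for (int i = 0; i < NEIGHBOUR_SIZE; i++)
        if (arena[OBJECT_SIZE + i] != 0xA5) return false;
    return got == 42;
}
```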
Group: core-security → javascript-core-security
Duplicate of this bug: 1277868
Attachment #8759687 - Flags: review?(nicolas.b.pierron)
Blocks: 1276908
Fwiw, we're not testing ARM64 yet in fuzzing (at least I don't). If it's supposed to be tested, it would be good to know.
Attachment #8759687 - Flags: review?(nicolas.b.pierron) → review+
Comment on attachment 8759687 [details] [diff] [review]
arm64-unboxed-store

[Security approval request comment]

I'm still not sure whether arm64 is used in any shipping product but I'm requesting approval just in case.

How easily could an exploit be constructed based on the patch? Difficult but possible.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? If you know what you're looking for then it's pretty obvious from the patch.

Which older supported branches are affected by this flaw? Everything back to 41.

If not all supported branches, which bug introduced the flaw? Bug 1166527.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The same patch should apply.

How likely is this patch to cause regressions; how much testing does it need? Unlikely.
Attachment #8759687 - Flags: sec-approval?
Comment on attachment 8759687 [details] [diff] [review]
arm64-unboxed-store

sec-approval+ for trunk.
Attachment #8759687 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/551541092f09
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Group: javascript-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+]
Group: core-security-release