Closed
Bug 1306444
Opened 8 years ago
Closed 8 years ago
Read out-of-bounds in JSShell
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1300445
People
(Reporter: gustavo.grieco, Unassigned)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151210085006

Steps to reproduce:

Hi,

We found a read out-of-bounds when a JavaScript file is piped into JSShell. It was tested in mozilla-aurora (rev 1474249578).

To reproduce:

$ wget https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1474249578/jsshell-linux-x86_64-asan.zip
$ unzip jsshell-linux-x86_64-asan.zip
$ python -c "print '\x12'" | ./js

Actual results:

==23881==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000319c at pc 0x0000005abe4b bp 0x7fffffffcb80 sp 0x7fffffffcb78
READ of size 1 at 0x60600000319c thread T0
    #0 0x5abe4a (/home/g/Codigo/mujs/js+0x5abe4a)
    #1 0x5aeb9d (/home/g/Codigo/mujs/js+0x5aeb9d)
    #2 0x5aa2af (/home/g/Codigo/mujs/js+0x5aa2af)
    #3 0x5a918e (/home/g/Codigo/mujs/js+0x5a918e)
    #4 0x55a954 (/home/g/Codigo/mujs/js+0x55a954)
    #5 0x5163af (/home/g/Codigo/mujs/js+0x5163af)
    #6 0x7ffff659cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x43cc84 (/home/g/Codigo/mujs/js+0x43cc84)

0x60600000319c is located 4 bytes to the left of 64-byte region [0x6060000031a0,0x6060000031e0)
allocated by thread T0 here:
    #0 0x4d36eb (/home/g/Codigo/mujs/js+0x4d36eb)
    #1 0x5a8ebc (/home/g/Codigo/mujs/js+0x5a8ebc)
    #2 0x55a954 (/home/g/Codigo/mujs/js+0x55a954)
    #3 0x5163af (/home/g/Codigo/mujs/js+0x5163af)
    #4 0x7ffff659cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/g/Codigo/mujs/js+0x5abe4a)
Shadow bytes around the buggy address:
  0x0c0c7fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff8630: fa fa fa[fa]00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff8640: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8650: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8660: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8670: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8680: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23881==ABORTING

Program received signal SIGABRT, Aborted.
0x00007ffff65b1cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o el directorio.

(gdb) bt
#0  0x00007ffff65b1cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff65b50d8 in __GI_abort () at abort.c:89
#2  0x00000000004f25e6 in __sanitizer::Abort() () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:124
#3  0x00000000004e03c5 in __sanitizer::Die() () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:147
#4  0x00000000004da282 in ~ScopedInErrorReport () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_report.cc:709
#5  0x00000000004d9c31 in ReportGenericError () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_report.cc:1111
#6  0x00000000004da476 in __asan_report_load1 () at /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:129
#7  0x00000000005abe4b in ceol () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:414
#8  0x00000000005aeb9e in clear_line () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:434
#9  h_search () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:625
#10 0x00000000005aa2b0 in emacs () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:860
#11 editinput () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:920
#12 0x00000000005a918f in readline () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/editline/editline.c:999
#13 0x000000000055a955 in GetLine () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:355
#14 ReadEvalPrintLoop () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:786
#15 Process () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:871
#16 0x00000000005163b0 in ProcessArgs () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:6751
#17 Shell () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:7143
#18 main () at /builds/slave/m-aurora-l64-asan-000000000000/build/src/js/src/shell/js.cpp:7515

Expected results:

It should not produce a read out-of-bounds.
Comment 1•8 years ago
We don't ship the js shell, so this doesn't need to be sec-sensitive. Looks like a dupe of (public) bug 1300445 to me. Jan, am I right?
Group: firefox-core-security
Component: Untriaged → JavaScript Engine
Flags: needinfo?(jdemooij)
Product: Firefox → Core
Comment 2•8 years ago
(In reply to :Gijs Kruitbosch from comment #1)
> Looks like a dupe of (public) bug 1300445 to me. Jan, am I right?

Yes, same 0x12 byte causing readline crashes.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE