Closed Bug 1343245 Opened 7 years ago Closed 7 years ago

AddressSanitizer: heap-buffer-overflow [@ ExpressionDecompiler::decompilePC] with READ of size 1 or Assertion failure: index < size_t(parser.stackDepthAtPC(current)), at jsopcode.cpp:2262 or Crash

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: decoder, Assigned: arai)

References

(Blocks 1 open bug)

Details

(6 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1bc2ad020aee (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe):

var o = {
    __iterator__: function() {
        return {};
    }
};
for (var j in o) {}



Backtrace:

==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000b549 at pc 0x00000134d577 bp 0x7ffec8f38310 sp 0x7ffec8f38308
READ of size 1 at 0x60d00000b549 thread T0
    #0 0x134d576 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char) js/src/jsopcode.cpp:1711:21
    #1 0x12c2ded in DecompileExpressionFromStack(JSContext*, int, int, JS::Handle<JS::Value>, char**) js/src/jsopcode.cpp:2312:10
    #2 0x12c2ded in js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) js/src/jsopcode.cpp:2325
    #3 0x1139117 in js::ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, char const*, char const*) js/src/jscntxt.cpp:1021:13
    #4 0x74c8ed in js::ReportIsNotFunction(JSContext*, JS::Handle<JS::Value>, int, js::MaybeConstruct) js/src/vm/Interpreter.cpp:281:5
    #5 0x74c8ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:435
    #6 0x74d842 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:512:10
    #7 0x1273f0d in js::IteratorMore(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/jsiter.cpp:1458:10
    #8 0x726678 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2153:10
[...]

0x60d00000b549 is located 35 bytes to the right of 134-byte region [0x60d00000b4a0,0x60d00000b526)
allocated by thread T0 here:
    #0 0x515be8 in __interceptor_malloc compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x82293b in js_malloc(unsigned long) dist/include/js/Utility.h:229:12
    #2 0x82293b in unsigned char* js_pod_malloc<unsigned char>(unsigned long) dist/include/js/Utility.h:420
    #3 0x82293b in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_malloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:56
    #4 0x82293b in unsigned char* js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:89
    #5 0x132cd50 in js::SharedScriptData::new_(JSContext*, unsigned int, unsigned int, unsigned int) js/src/jsscript.cpp:2251:54
    #6 0x132cd50 in JSScript::createScriptData(JSContext*, unsigned int, unsigned int, unsigned int) js/src/jsscript.cpp:2279
    #7 0x132cd50 in JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) js/src/jsscript.cpp:2788
    #8 0x14538a9 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) js/src/frontend/BytecodeEmitter.cpp:4923:10
    #9 0x1452a9d in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) js/src/frontend/BytecodeCompiler.cpp:379:18
    #10 0x1457de8 in BytecodeCompiler::compileGlobalScript(js::ScopeKind) js/src/frontend/BytecodeCompiler.cpp:408:12
    #11 0x1457de8 in js::frontend::CompileGlobalScript(JSContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::SourceCompressionTask*, js::ScriptSourceObject**) js/src/frontend/BytecodeCompiler.cpp:602
    #12 0x1164090 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:3993:16
    #13 0x1164090 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, char16_t const*, unsigned long, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4002
    #14 0x1164090 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, char const*, unsigned long, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4017
    #15 0x11645d7 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, _IO_FILE*, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4028:12
    #16 0x11645d7 in JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4068
[...]

SUMMARY: AddressSanitizer: heap-buffer-overflow js/src/jsopcode.cpp:1711:21 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)
Shadow bytes around the buggy address:
  0x0c1a7fff9690: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff96a0: 00 00 00 00 06 fa fa fa fa[fa]fa fa fa fa 00 00
  0x0c1a7fff96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa


Marking s-s and sec-high based on crash with invalid read.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
This report seems to suggest that we freed the JSScript while the expression decompiler is reading the bytes.

Also, I would expect the Rooting Analysis to catch these issues ahead.
Flags: needinfo?(sphink)
Flags: needinfo?(arai.unmht)
Sorry, I forgot to read "buffer-overflow".  So this is not something caught by the rooting analysis.
Flags: needinfo?(sphink)
Apparently we finally hit the `index >= size_t(parser.stackDepthAtPC(current))` case.
(bug 1322019 comment #31)
I'll revert the change.
Flags: needinfo?(arai.unmht)
Surely we push a value before throwing an exception.

https://dxr.mozilla.org/mozilla-central/rev/e1135c6fdc9bcd80d38f7285b269e030716dcb72/js/src/vm/Interpreter.cpp#2140-2142
> PUSH_NULL();
> ReservedRooted<JSObject*> obj(&rootObject0, &REGS.sp[-2].toObject());
> if (!IteratorMore(cx, obj, REGS.stackHandleAt(-1)))
Reverted the change to FindStartPC, with an additional comment that points to JSOP_MOREITER.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Attachment #8842033 - Flags: review?(nicolas.b.pierron)
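A constructed C++ model of the guard behind the assertion in the bug title, added here as an illustration and not SpiderMonkey code: the bytecode parser only knows the operand-stack depth at entry to each pc, so a slot at or beyond that depth was pushed by the current instruction (as JSOP_MOREITER's PUSH_NULL does) and has no earlier producer pc that a backward walk could decompile. The instruction names and stack effects are assumed for the model.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy instruction: fixed number of operand-stack pops and pushes.
struct Insn { const char* name; size_t pops; size_t pushes; };

// Stack depth at entry to each pc, computed by a forward pass. This is the
// model's equivalent of what parser.stackDepthAtPC(pc) reports: it does not
// include anything the instruction at pc itself pushes while executing.
std::vector<size_t> stackDepthAtPC(const std::vector<Insn>& code) {
    std::vector<size_t> depth(code.size());
    size_t d = 0;
    for (size_t pc = 0; pc < code.size(); pc++) {
        depth[pc] = d;
        d = d - code[pc].pops + code[pc].pushes;  // assumes well-formed bytecode
    }
    return depth;
}

struct StartPC { bool found; size_t pc; };

// Find the instruction that produced stack slot `index` (0 = bottom) as seen
// from `current`. The guard is the point of the bug: a slot at or above the
// entry depth of `current` was pushed by `current` itself during execution,
// so the backward walk must not run and the caller has to fall back to a
// generic description instead of decompiling an expression for it.
StartPC findStartPC(const std::vector<Insn>& code, size_t current, size_t index) {
    std::vector<size_t> depth = stackDepthAtPC(code);
    if (index >= depth[current])
        return {false, 0};
    for (size_t pc = current; pc-- > 0;) {
        size_t base = depth[pc] - code[pc].pops;          // depth after popping
        if (base <= index && base + code[pc].pushes > index)
            return {true, pc};                            // pc pushed slot `index`
    }
    return {false, 0};
}

// Constructed stand-in for the `for (var j in o)` loop head: ITER consumes the
// object and pushes the iterator; MOREITER pushes a result slot on top of it.
const std::vector<Insn> kDemoCode = {
    {"GETLOCAL", 0, 1}, {"ITER", 1, 1}, {"MOREITER", 1, 2}, {"POP", 1, 0},
};

int main() {
    // Slot 1 at MOREITER (pc 2) is the value pushed by MOREITER itself.
    StartPC r = findStartPC(kDemoCode, 2, 1);
    std::printf("slot 1 at pc 2: %s\n", r.found ? kDemoCode[r.pc].name : "pushed by current op");
    return 0;
}
```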
How far back does this issue go?
Flags: needinfo?(arai.unmht)
It's a regression from bug 1322019.
Flags: needinfo?(arai.unmht)
Comment on attachment 8842033 [details] [diff] [review]
Handle the case that trying to decompile a value pushed by current bytecode.

Review of attachment 8842033 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing as requested.
Attachment #8842033 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a20a634742e88d1f364987ddc8b9221bf6e4697
Bug 1343245 - Handle the case that trying to decompile a value pushed by current bytecode. r=jandem
https://hg.mozilla.org/mozilla-central/rev/7a20a634742e
https://hg.mozilla.org/mozilla-central/rev/5d5f51eff438
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Group: javascript-core-security → core-security-release
Group: core-security-release