"clone" shell-only testing function should check the type of arguments

NEW
Unassigned

Status

()

Core
JavaScript Engine
P3
minor
10 months ago
5 months ago

People

(Reporter: Iris, Unassigned)

Tracking

({triage-deferred})

unspecified
x86_64
Linux
triage-deferred
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce:

The following testcase crashes on mozilla-central revision b1c31c4a0a67.
I build with ./mach build on Linux Ubuntu 14.04.5 LTS.

testcase.js:
clone(RangeError, Float64Array.type, RegExp, Intl.DateTimeFormat.type, Proxy, Uint32Array, Int32Array);

Actual results:

Backtrace:

program received signal SIGSEGV, Segmentation fault.
0x000000000044fdf2 in registerWithRootLists (roots=..., this=0x7fffffffcc90)
    at /firefox/js/src/build_DBG.OBJ/dist/include/js/RootingAPI.h:761

#0  0x000000000044fdf2 in registerWithRootLists (roots=..., this=0x7fffffffcc90)
    at /firefox/js/src/build_DBG.OBJ/dist/include/js/RootingAPI.h:761
#1  Rooted<JSContext*, JS::GCVector<JSObject*, 8ul> > (
    initial=<unknown type in /b1c31c4a0a67/js, CU 0x0, DIE 0x1bb472>, 
    cx=<synthetic pointer>, this=0x7fffffffcc90)
    at /firefox/js/src/build_DBG.OBJ/dist/include/js/RootingAPI.h:791
#2  AutoObjectVector (cx=0x7ffff694c000, this=0x7fffffffcc90)
    at /firefox/js/src/jsapi.h:243
#3  Clone (cx=0x7ffff694c000, argc=7, vp=0x7fffdfdff090)
    at /firefox/js/src/shell/js.cpp:3072
#4  0x00000000004d73f0 in CallJSNative (args=..., 
    native=0x44fbe0 <Clone(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff694c000)
    at /firefox/js/src/jscntxtinlines.h:239
#5  js::InternalCallOrConstruct (cx=0x7ffff694c000, args=..., construct=<optimized out>)
    at /firefox/js/src/vm/Interpreter.cpp:457
#6  0x00000000004ca2e0 in CallFromStack (args=..., cx=<optimized out>)
    at /firefox/js/src/vm/Interpreter.cpp:508
#7  Interpret (cx=0x7ffff694c000, state=...)
    at /firefox/js/src/vm/Interpreter.cpp:2919
#8  0x00000000004d6f36 in js::RunScript (cx=cx@entry=0x7ffff694c000, state=...)
    at /firefox/js/src/vm/Interpreter.cpp:403
#9  0x00000000004d8f7e in ExecuteKernel (result=<optimized out>, evalInFrame=..., 
    newTargetValue=..., envChainArg=..., script=..., cx=0x7ffff694c000)
    at /firefox/js/src/vm/Interpreter.cpp:684
#10 js::Execute (cx=0x7ffff694c000, script=..., envChainArg=..., rval=<optimized out>)
    at /firefox/js/src/vm/Interpreter.cpp:717
#11 0x0000000000737e30 in JS_ExecuteScript (cx=cx@entry=0x7ffff694c000, 
    scriptArg=scriptArg@entry=...) at /firefox/js/src/jsapi.cpp:4443
#12 0x000000000042a00f in RunFile (compileOnly=false, file=0x7fffdfde8000, 
    filename=<optimized out>, cx=0x7ffff694c000)
    at /firefox/js/src/shell/js.cpp:647
#13 Process (cx=cx@entry=0x7ffff694c000, filename=<optimized out>, forceTTY=forceTTY@entry=false, 
    kind=kind@entry=FileScript) at /firefox/js/src/shell/js.cpp:1078
#14 0x0000000000430fbb in ProcessArgs (op=0x7fffffffdcc0, cx=0x7ffff694c000)
    at /firefox/js/src/shell/js.cpp:7207
#15 Shell (envp=<optimized out>, op=0x7fffffffdcc0, cx=0x7ffff694c000)
    at /firefox/js/src/shell/js.cpp:7569
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at /firefox/js/src/shell/js.cpp:7947

register info:
rax            0x0	0
rbx            0x7ffff694c000	140737330331648
rcx            0x7fffffffd668	140737488344680
rdx            0x7fffdfdf4010	140736949338128
rsi            0x4511c0	4526528
rdi            0x7fffffffcb80	140737488341888
rbp            0x7fffffffcd40	0x7fffffffcd40
rsp            0x7fffffffcbc0	0x7fffffffcbc0
r8             0x7fffdfdff0d8	140736949383384
r9             0x7fffffffffff	140737488355327
r10            0x7ffff6982000	140737330552832
r11            0xfffdffffffffffff	-562949953421313
r12            0x7fffdfdff090	140736949383312
r13            0x7fffffffcc90	140737488342160
r14            0x7	7
r15            0x7fffffffcbf0	140737488342000
rip            0x44fdf2	0x44fdf2 <Clone(JSContext*, unsigned int, JS::Value*)+530>

$pc info:
   0x44fdf2 <Clone(JSContext*, unsigned int, JS::Value*)+530>:	mov    (%rax),%rdx
   0x44fdf5 <Clone(JSContext*, unsigned int, JS::Value*)+533>:	mov    (%rdx),%rdx
   0x44fdf8 <Clone(JSContext*, unsigned int, JS::Value*)+536>:	testb  $0x2,0xa(%rdx)
   0x44fdfc <Clone(JSContext*, unsigned int, JS::Value*)+540>:	je     0x44ff98 <Clone(JSContext*, unsigned int, JS::Value*)+952>
   0x44fe02 <Clone(JSContext*, unsigned int, JS::Value*)+546>:	lea    0x10(%r15),%rsi
   0x44fe06 <Clone(JSContext*, unsigned int, JS::Value*)+550>:	mov    %r13,%rdx
   0x44fe09 <Clone(JSContext*, unsigned int, JS::Value*)+553>:	mov    %rbx,%rdi
   0x44fe0c <Clone(JSContext*, unsigned int, JS::Value*)+556>:	callq  0x7407a0 <JS::CloneFunctionObject(JSContext*, JS::Handle<JSObject*>, JS::AutoObjectVector&)>
   0x44fe11 <Clone(JSContext*, unsigned int, JS::Value*)+561>:	test   %rax,%rax
   0x44fe14 <Clone(JSContext*, unsigned int, JS::Value*)+564>:	je     0x44ffc8 <Clone(JSContext*, unsigned int, JS::Value*)+1000>

Expected results:

js should catch the exception and handle it without crashing.

Updated (Reporter, 10 months ago)
Component: Untriaged → JavaScript Engine
OS: Unspecified → Linux
Priority: -- → P1
Product: Firefox → Core
Hardware: Unspecified → x86_64

Comment 1 (10 months ago)

Note that "clone" is a shell-only testing function and it's an unsafe function that can easily crash the shell.

Comment 2 (10 months ago)

https://dxr.mozilla.org/mozilla-central/rev/f229b7e5d91eb70d23d3e31db7caff9d69a2ef04/js/src/shell/js.cpp#3216
>     if (args.length() > 1) {
>         if (!JS_ValueToObject(cx, args[1], &parent))
>             return false;
>     } else {
>         parent = js::GetGlobalForObjectCrossCompartment(&args.callee());
>     }
> 
>     // Should it worry us that we might be getting with wrappers
>     // around with wrappers here?
>     JS::AutoObjectVector scopeChain(cx);
>     if (!parent->is<GlobalObject>() && !scopeChain.append(parent))

Here, `parent` is nullptr, because args[1] is not an object (`Float64Array.type` is undefined).
We could throw an error by detecting the non-object argument, but at least it's not a critical issue, since it's shell-only.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: P1 → --
Summary: segmentation fault, crashing at /dist/include/js/RootingAPI.h:761 → "clone" shell-only testing function should check the type of arguments
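The missing check described in Comment 2, as an added example that is neither SpiderMonkey's code nor the reporter's: a self-contained C++ model of how the shell's `Clone()` native resolves its optional second argument (`parent`). The `JSObject`, `Value`, `ValueToObject`, `wouldDereferenceNull` and `resolveParentChecked` names and shapes are assumptions made for this model, not the real JSAPI types; `ValueToObject` only mirrors the part of the `JS_ValueToObject` contract that matters here, namely that undefined and null convert to a null object pointer while the call still returns success. The unchecked function shows why the quoted code reaches a null `parent`, and the checked function shows the argument-type check the bug summary asks for.

```cpp
// Added example, not SpiderMonkey code: a minimal model of how the shell's
// Clone() native resolves its optional second argument (`parent`), why the
// quoted code crashes on `undefined`, and what the missing type check looks like.
#include <cstdio>
#include <deque>
#include <string>
#include <vector>

// Stand-ins for the real JSObject / JS::Value types (assumed shapes).
struct JSObject {
    bool isGlobal;   // the bit the real code tests via parent->is<GlobalObject>()
};

struct Value {
    enum Kind { Undefined, Null, Number, Object };
    Kind kind;
    JSObject* obj;   // meaningful only when kind == Object
    static Value undefined()         { return Value{Undefined, nullptr}; }
    static Value null()              { return Value{Null, nullptr}; }
    static Value number()            { return Value{Number, nullptr}; }
    static Value object(JSObject* o) { return Value{Object, o}; }
    bool isObject() const { return kind == Object; }
};

// Mirrors the JS_ValueToObject contract that matters here: undefined and null
// convert to a *null* object pointer while the call still reports success.
// Other primitives are boxed into a fresh wrapper object; objects pass through.
static bool ValueToObject(const Value& v, JSObject** objp, std::deque<JSObject>& heap) {
    switch (v.kind) {
      case Value::Object:
        *objp = v.obj;
        return true;
      case Value::Undefined:
      case Value::Null:
        *objp = nullptr;   // "success" with a null out-pointer
        return true;
      case Value::Number:
        heap.push_back(JSObject{false});   // deque keeps earlier pointers valid
        *objp = &heap.back();
        return true;
    }
    return false;
}

// The unchecked shape from the quoted shell code: after ValueToObject succeeds,
// the next statement dereferences `parent` (parent->is<GlobalObject>()) without a
// null check. For args[1] === undefined that is the reported SIGSEGV, so this
// model returns whether the dereference would hit nullptr instead of doing it.
static bool wouldDereferenceNull(const std::vector<Value>& args, JSObject* callerGlobal,
                                 std::deque<JSObject>& heap) {
    JSObject* parent = nullptr;
    if (args.size() > 1) {
        if (!ValueToObject(args[1], &parent, heap))
            return false;   // a real failure would have thrown and returned early
    } else {
        parent = callerGlobal;   // no explicit parent: use the caller's global
    }
    return parent == nullptr;
}

struct ParentResult {
    bool ok;
    JSObject* parent;    // non-null iff ok
    std::string error;   // message the native would report iff !ok
};

// Hardened shape: when a second argument is present, insist that it already is
// an object and report a type error otherwise, so `parent` is never null when
// it is later dereferenced. This is the check the bug summary asks for.
static ParentResult resolveParentChecked(const std::vector<Value>& args, JSObject* callerGlobal) {
    if (args.size() > 1) {
        if (!args[1].isObject())
            return {false, nullptr, "clone: second argument (parent) must be an object"};
        return {true, args[1].obj, ""};
    }
    return {true, callerGlobal, ""};
}

int main() {
    std::deque<JSObject> heap;
    JSObject global{true};
    JSObject rangeError{false};
    // Constructed argument list with the shape of the reported testcase:
    // args[0] is an object (RangeError), args[1] is undefined (Float64Array.type).
    std::vector<Value> args = { Value::object(&rangeError), Value::undefined() };

    std::printf("unchecked path would dereference nullptr: %s\n",
                wouldDereferenceNull(args, &global, heap) ? "yes" : "no");
    ParentResult r = resolveParentChecked(args, &global);
    std::printf("checked path: %s\n", r.ok ? "ok" : r.error.c_str());
    return 0;
}
```

The design point is that a "true" return from a value-to-object conversion is not the same as a non-null object: the conversion is allowed to succeed with a null result for undefined and null, so a native that goes on to dereference the pointer must either test `isObject()` up front or null-check the result. The same shape of check applies to the first argument, which `clone` expects to be a function.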

Updated (10 months ago)
Flags: sec-bounty?
Shell functions are outside the scope of the bug bounty.
Flags: sec-bounty? → sec-bounty-
Keywords: triage-deferred
Priority: -- → P3