Bug 1383951 (CVE-2017-7813)

Out-of-bounds access in js::frontend::TokenStream::TokenBuf::getRawChar

RESOLVED FIXED in Firefox 56

Status: RESOLVED FIXED (reported 2 years ago, last updated a year ago)
People

(Reporter: inferno, Assigned: arai)

Tracking

Keywords: csectype-intoverflow, regression, sec-moderate
Version: unspecified
Target Milestone: mozilla57
Points: ---
Bug Flags: sec-bounty+, qe-verify-

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox55 wontfix, firefox56 fixed, firefox57 fixed)

Details

(Whiteboard: [adv-main56+][post-critsmash-triage])

Attachments (1): test.js, 204 bytes, text/plain
Description (Reporter, 2 years ago)
Posted file test.js
Build ASAN JS Shell using funfuzz
https://github.com/MozillaSecurity/funfuzz/tree/master/js

funfuzz/js/compileShell.py -b "--enable-debug --build-with-asan --build-with-clang --enable-more-deterministic -R /build/firefox/src"

ASAN:DEADLYSIGNAL
=================================================================
==145434==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff600448408 (pc 0x0000022e7f6e bp 0x7fffd1a87d70 sp 0x7fffd1a87c20 T0)
    #0 0x22e7f6d in js::frontend::TokenStream::TokenBuf::getRawChar() build/firefox/src/js/src/frontend/TokenStream.h:971:20
    #1 0x22e7f6d in js::frontend::TokenStream::getCharIgnoreEOL() build/firefox/src/js/src/frontend/TokenStream.cpp:532
    #2 0x22e7f6d in js::frontend::TokenStream::putIdentInTokenbuf(char16_t const*) build/firefox/src/js/src/frontend/TokenStream.cpp:1189
    #3 0x22ea1d2 in js::frontend::TokenStream::getTokenInternal(js::frontend::TokenKind*, js::frontend::Token::Modifier) build/firefox/src/js/src/frontend/TokenStream.cpp:1447:18
    #4 0x676aef in js::frontend::TokenStream::peekToken(js::frontend::TokenKind*, js::frontend::Token::Modifier) build/firefox/src/js/src/frontend/TokenStream.h:781:14
    #5 0x674b71 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::statementListItem(js::frontend::YieldHandling, bool) build/firefox/src/js/src/frontend/Parser.cpp:7804:14
    #6 0x66eb6e in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) build/firefox/src/js/src/frontend/Parser.cpp:4199:21
    #7 0x664475 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::evalBody(js::frontend::EvalSharedContext*) build/firefox/src/js/src/frontend/Parser.cpp:2176:49
    #8 0x19e214a in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) build/firefox/src/js/src/frontend/BytecodeCompiler.cpp:346:18
    #9 0x19e5347 in BytecodeCompiler::compileEvalScript(JS::Handle<JSObject*>, JS::Handle<js::Scope*>) build/firefox/src/js/src/frontend/BytecodeCompiler.cpp:402:12
    #10 0x19e84b6 in js::frontend::CompileEvalScript(JSContext*, js::LifoAlloc&, JS::Handle<JSObject*>, JS::Handle<js::Scope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::ScriptSourceObject**) build/firefox/src/js/src/frontend/BytecodeCompiler.cpp:601:12
    #11 0x89e330 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) build/firefox/src/js/src/builtin/Eval.cpp:316:30
    #12 0x89f9a7 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) build/firefox/src/js/src/builtin/Eval.cpp:438:12
    #13 0x7f0f60 in Interpret(JSContext*, js::RunState&) build/firefox/src/js/src/vm/Interpreter.cpp:2979:14
    #14 0x7df993 in js::RunScript(JSContext*, js::RunState&) build/firefox/src/js/src/vm/Interpreter.cpp:410:12
    #15 0x8187bb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) build/firefox/src/js/src/vm/Interpreter.cpp:699:15
    #16 0x8193b0 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) build/firefox/src/js/src/vm/Interpreter.cpp:731:12
    #17 0x159a796 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) build/firefox/src/js/src/jsapi.cpp:4637:12
    #18 0x159ac60 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) build/firefox/src/js/src/jsapi.cpp:4670:12
    #19 0x5b12f7 in RunFile(JSContext*, char const*, _IO_FILE*, bool) build/firefox/src/js/src/shell/js.cpp:608:14
    #20 0x5b12f7 in Process(JSContext*, char const*, bool, FileKind) build/firefox/src/js/src/shell/js.cpp:958
    #21 0x557ad7 in ProcessArgs(JSContext*, js::cli::OptionParser*) build/firefox/src/js/src/shell/js.cpp:7753:14
    #22 0x557ad7 in Shell(JSContext*, js::cli::OptionParser*, char**) build/firefox/src/js/src/shell/js.cpp:8118
    #23 0x557ad7 in main build/firefox/src/js/src/shell/js.cpp:8515
    #24 0x7ff60b236f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #25 0x47ae8c in _start (shell-cache/js-dbg-64-dm-clang-asan-linux-899590a34d56/js-dbg-64-dm-clang-asan-linux-899590a34d56+0x47ae8c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV build/firefox/src/js/src/frontend/TokenStream.h:971:20 in js::frontend::TokenStream::TokenBuf::getRawChar()
==145434==ABORTING
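A triage helper, added here as an example and not part of this bug, funfuzz or SpiderMonkey: it reduces an ASAN report like the one above to a stable crash signature (error kind plus the top in-tree frames, addresses ignored) so two reports can be compared the way comments 3 and 5 weigh this bug against bug 1385112. The `SRC_PREFIX` value and the embedded excerpt are taken from the report above; the excerpt drops most middle frames.

```python
import re
from dataclasses import dataclass

SRC_PREFIX = "build/firefox/src/"  # build root as it appears in the report above

# Excerpt of the ASAN report from this bug (frames #3..#23 dropped for brevity).
ASAN_REPORT = """\
==145434==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff600448408 (pc 0x0000022e7f6e bp 0x7fffd1a87d70 sp 0x7fffd1a87c20 T0)
    #0 0x22e7f6d in js::frontend::TokenStream::TokenBuf::getRawChar() build/firefox/src/js/src/frontend/TokenStream.h:971:20
    #1 0x22e7f6d in js::frontend::TokenStream::getCharIgnoreEOL() build/firefox/src/js/src/frontend/TokenStream.cpp:532
    #2 0x22e7f6d in js::frontend::TokenStream::putIdentInTokenbuf(char16_t const*) build/firefox/src/js/src/frontend/TokenStream.cpp:1189
    #24 0x7ff60b236f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: SEGV build/firefox/src/js/src/frontend/TokenStream.h:971:20 in js::frontend::TokenStream::TokenBuf::getRawChar()
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-f]+)", re.M)
# "#N 0xADDR in FUNCTION LOCATION"; FUNCTION may contain spaces, LOCATION never does.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)\s*$", re.M)

@dataclass(frozen=True)
class Frame:
    index: int
    function: str
    file: str      # path relative to SRC_PREFIX, or "" for frames outside the tree
    line: int      # 0 when the frame carries no line number

def parse_frames(report: str) -> list[Frame]:
    frames = []
    for idx, func, loc in FRAME_RE.findall(report):
        file, line = "", 0
        if loc.startswith(SRC_PREFIX):
            parts = loc[len(SRC_PREFIX):].split(":")   # file[:line[:col]]
            file = parts[0]
            if len(parts) > 1 and parts[1].isdigit():
                line = int(parts[1])
        frames.append(Frame(int(idx), func, file, line))
    return frames

def crash_signature(report: str, depth: int = 3) -> tuple[str, ...]:
    """Error kind plus the top `depth` in-tree functions; addresses are left out
    because they differ between ASLR runs and builds."""
    m = ERROR_RE.search(report)
    kind = m.group(1) if m else "unknown"
    in_tree = [f.function for f in parse_frames(report) if f.file]
    return (kind, *in_tree[:depth])

def same_crash(report_a: str, report_b: str) -> bool:
    return crash_signature(report_a) == crash_signature(report_b)
```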
Updated (Reporter, 2 years ago)
Summary: Out-of-bounds access in → Out-of-bounds access in js::frontend::TokenStream::TokenBuf::getRawChar
Group: core-security → javascript-core-security
Attachment #8889686 - Attachment mime type: application/javascript → application/plain-text
Attachment #8889686 - Attachment mime type: application/plain-text → application/text
Attachment #8889686 - Attachment mime type: application/text → text/plain
Arai, do you have time to look at this? Thanks.
Flags: needinfo?(arai.unmht)
Comment 2 (Assignee, 2 years ago)

If this is not urgent, I can look into this next week.
Comment 3 (Assignee, 2 years ago)

For now, I cannot reproduce the exact same crash.
I'm fixing a somewhat related bug in bug 1385112, but I'm not sure if they're the same issue.
It might be nice to test again if it gets fixed.
Flags: needinfo?(arai.unmht)
Gary, can you try to reproduce this? Thanks.
Flags: needinfo?(gary)
Comment 5 (Reporter, 2 years ago)

It is now fixed and does not reproduce anymore. Just an FYI, this bug 1383951 was filed before bug 1385112 (which I cannot access).
I'll mark this as fixed by bug 1385112 (rather than as a dupe, because it was filed earlier).
Assignee: nobody → arai.unmht
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Depends on: 1385112
Resolution: --- → FIXED
Flags: needinfo?(gary)
status-firefox55: --- → wontfix
status-firefox56: --- → fixed
status-firefox57: --- → fixed
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla57
Group: javascript-core-security → core-security-release
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Keywords: csectype-intoverflow, sec-moderate
Alias: CVE-2017-7813
Whiteboard: [adv-main56+]
Flags: qe-verify-
Whiteboard: [adv-main56+] → [adv-main56+][post-critsmash-triage]
Blocks: 1314037
Keywords: regression
Blocks: 1326454
No longer blocks: 1314037
Group: core-security-release