Bug 1383951 (CVE-2017-7813): Out-of-bounds access in js::frontend::TokenStream::TokenBuf::getRawChar
Status: Closed, RESOLVED FIXED
Opened 7 years ago, closed 7 years ago
Categories: Core :: JavaScript Engine, defect
Target milestone: mozilla57

Version | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox55 | --- | wontfix
firefox56 | --- | fixed
firefox57 | --- | fixed
People: Reporter: inferno, Assigned: arai
Details: 4 keywords, Whiteboard: [adv-main56+][post-critsmash-triage]
Attachments (1 file): 204 bytes, text/plain
Description (Reporter)
Build ASAN JS Shell using funfuzz
https://github.com/MozillaSecurity/funfuzz/tree/master/js
funfuzz/js/compileShell.py -b "--enable-debug --build-with-asan --build-with-clang --enable-more-deterministic -R /build/firefox/src"
ASAN:DEADLYSIGNAL
=================================================================
==145434==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff600448408 (pc 0x0000022e7f6e bp 0x7fffd1a87d70 sp 0x7fffd1a87c20 T0)
#0 0x22e7f6d in js::frontend::TokenStream::TokenBuf::getRawChar() build/firefox/src/js/src/frontend/TokenStream.h:971:20
#1 0x22e7f6d in js::frontend::TokenStream::getCharIgnoreEOL() build/firefox/src/js/src/frontend/TokenStream.cpp:532
#2 0x22e7f6d in js::frontend::TokenStream::putIdentInTokenbuf(char16_t const*) build/firefox/src/js/src/frontend/TokenStream.cpp:1189
#3 0x22ea1d2 in js::frontend::TokenStream::getTokenInternal(js::frontend::TokenKind*, js::frontend::Token::Modifier) build/firefox/src/js/src/frontend/TokenStream.cpp:1447:18
#4 0x676aef in js::frontend::TokenStream::peekToken(js::frontend::TokenKind*, js::frontend::Token::Modifier) build/firefox/src/js/src/frontend/TokenStream.h:781:14
#5 0x674b71 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::statementListItem(js::frontend::YieldHandling, bool) build/firefox/src/js/src/frontend/Parser.cpp:7804:14
#6 0x66eb6e in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) build/firefox/src/js/src/frontend/Parser.cpp:4199:21
#7 0x664475 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::evalBody(js::frontend::EvalSharedContext*) build/firefox/src/js/src/frontend/Parser.cpp:2176:49
#8 0x19e214a in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) build/firefox/src/js/src/frontend/BytecodeCompiler.cpp:346:18
#9 0x19e5347 in BytecodeCompiler::compileEvalScript(JS::Handle<JSObject*>, JS::Handle<js::Scope*>) build/firefox/src/js/src/frontend/BytecodeCompiler.cpp:402:12
#10 0x19e84b6 in js::frontend::CompileEvalScript(JSContext*, js::LifoAlloc&, JS::Handle<JSObject*>, JS::Handle<js::Scope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::ScriptSourceObject**) build/firefox/src/js/src/frontend/BytecodeCompiler.cpp:601:12
#11 0x89e330 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) build/firefox/src/js/src/builtin/Eval.cpp:316:30
#12 0x89f9a7 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) build/firefox/src/js/src/builtin/Eval.cpp:438:12
#13 0x7f0f60 in Interpret(JSContext*, js::RunState&) build/firefox/src/js/src/vm/Interpreter.cpp:2979:14
#14 0x7df993 in js::RunScript(JSContext*, js::RunState&) build/firefox/src/js/src/vm/Interpreter.cpp:410:12
#15 0x8187bb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) build/firefox/src/js/src/vm/Interpreter.cpp:699:15
#16 0x8193b0 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) build/firefox/src/js/src/vm/Interpreter.cpp:731:12
#17 0x159a796 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) build/firefox/src/js/src/jsapi.cpp:4637:12
#18 0x159ac60 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) build/firefox/src/js/src/jsapi.cpp:4670:12
#19 0x5b12f7 in RunFile(JSContext*, char const*, _IO_FILE*, bool) build/firefox/src/js/src/shell/js.cpp:608:14
#20 0x5b12f7 in Process(JSContext*, char const*, bool, FileKind) build/firefox/src/js/src/shell/js.cpp:958
#21 0x557ad7 in ProcessArgs(JSContext*, js::cli::OptionParser*) build/firefox/src/js/src/shell/js.cpp:7753:14
#22 0x557ad7 in Shell(JSContext*, js::cli::OptionParser*, char**) build/firefox/src/js/src/shell/js.cpp:8118
#23 0x557ad7 in main build/firefox/src/js/src/shell/js.cpp:8515
#24 0x7ff60b236f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#25 0x47ae8c in _start (shell-cache/js-dbg-64-dm-clang-asan-linux-899590a34d56/js-dbg-64-dm-clang-asan-linux-899590a34d56+0x47ae8c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV build/firefox/src/js/src/frontend/TokenStream.h:971:20 in js::frontend::TokenStream::TokenBuf::getRawChar()
==145434==ABORTING
Updated 7 years ago
Summary: Out-of-bounds access in → Out-of-bounds access in js::frontend::TokenStream::TokenBuf::getRawChar
Updated 7 years ago
Group: core-security → javascript-core-security
Updated 7 years ago
Attachment #8889686 - Attachment mime type: application/javascript → application/plain-text
Updated 7 years ago
Attachment #8889686 - Attachment mime type: application/plain-text → application/text
Updated 7 years ago
Attachment #8889686 - Attachment mime type: application/text → text/plain
Comment 2 (Assignee, 7 years ago)
If this is not urgent, I can look into this next week.
Comment 3 (Assignee, 7 years ago)
For now, I cannot reproduce the exact same crash.
I'm fixing a somewhat related bug in bug 1385112, but not sure if they're the same issue.
Might be nice to test again if it gets fixed.
Flags: needinfo?(arai.unmht)
Comment 5 (Reporter, 7 years ago)
It is now fixed and does not reproduce anymore. Just an FYI, this bug 1383951 was filed before bug 1385112 (which I cannot access).
Comment 6 (7 years ago)
I'll mark this fixed by bug 1385112 (rather than a dupe, because it was filed earlier).
Assignee: nobody → arai.unmht
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1385112
Resolution: --- → FIXED
Updated 7 years ago
Flags: needinfo?(gary)
Updated 7 years ago
status-firefox55: --- → wontfix
status-firefox56: --- → fixed
status-firefox57: --- → fixed
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla57
Updated 7 years ago
Group: javascript-core-security → core-security-release
Updated 7 years ago
Flags: sec-bounty?
Updated 7 years ago
Flags: sec-bounty? → sec-bounty+
Keywords: csectype-intoverflow, sec-moderate
Updated 7 years ago
Alias: CVE-2017-7813
Whiteboard: [adv-main56+]
Updated 7 years ago
Flags: qe-verify-
Whiteboard: [adv-main56+] → [adv-main56+][post-critsmash-triage]
Updated 7 years ago
Blocks: 1314037
Keywords: regression
Updated 7 years ago
Group: core-security-release
Updated 6 months ago
Keywords: reporter-external