Closed
Bug 1415443
Opened 7 years ago
Closed 1 year ago
Crash in js::frontend::IsIdentifier
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
RESOLVED
INCOMPLETE
Tracking | Status | |
---|---|---|
firefox60 | --- | wontfix |
People
(Reporter: jesup, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [#jsapi:crashes-retriage][leave open])
Crash Data
Attachments
(2 files, 1 obsolete file)
3.84 KB,
patch
|
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
82.23 KB,
text/plain
|
Details |
This bug was filed from the Socorro interface and is report bp-a640f79f-a61e-439e-9271-1bf110171102. ============================================================= UAF going back to at least 52ESR and likely further. Crashes in this function go back to at least FF22.
Reporter | ||
Updated•7 years ago
|
Flags: needinfo?(nihsanullah)
Updated•7 years ago
|
Group: core-security → javascript-core-security
Comment 1•7 years ago
|
||
Yoric, would you please take a look? The stacks for this crash signature are very consistent. If nothing else, ExpressionDecompiler::loadAtom should delegate directly to a JSScript method that has the same signature, and asserts that the pc is in range for the script and that the opcode actually has the JOF_ATOM flag. The more assertions, the better the fuzzers work, and a fuzzbug is a reproducible bug...
Priority: -- → P2
Updated•7 years ago
|
Flags: needinfo?(dteller)
At a quick glance: - looks OS-independent (so pretty certainly our fault); - all the stacks I have looked at but one look like js::frontend::IsIdentifier(JSLinearString*) js/src/vm/Unicode.h:155 (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char) js/src/jsopcode.cpp:1762 js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) ... I'll add a few assertions and see if that helps.
Flags: needinfo?(dteller)
Can't find any obvious reason for the crash, so I'll adding a few asserts as suggested by jorendorff. If you can think of more stuff to assert, I'll be happy to add some more.
Attachment #8929430 -
Flags: review?(jorendorff)
Comment 5•7 years ago
|
||
Comment on attachment 8929430 [details] [diff] [review] Adding a few assertions around ExpressionDecompiler::decompilePC Review of attachment 8929430 [details] [diff] [review]: ----------------------------------------------------------------- Very nice, thanks. ::: js/src/frontend/TokenStream.cpp @@ +179,5 @@ > + MOZ_ASSERT(str); > + if (str->hasLatin1Chars()) > + return ::IsIdentifier(str->latin1Chars(nogc), str->length()); > + else > + return ::IsIdentifierMaybeNonBMP(str->twoByteChars(nogc), str->length()); Style nit: We have a hard rule against else-after-return. I'm not crazy about it, but it's one of the points where we actually agree with Gecko, so...
Attachment #8929430 -
Flags: review?(jorendorff) → review+
Comment 6•7 years ago
|
||
Christian, if we can tell you which existing tests exercise the expression decompiler, could we get some focused fuzz-testing on this code?
Flags: needinfo?(nihsanullah) → needinfo?(choller)
Comment 7•7 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #6) > Christian, if we can tell you which existing tests exercise the expression > decompiler, could we get some focused fuzz-testing on this code? Yes, if you show me code examples that hit this code, I can try to add some focused code to the fuzzing driver.
Flags: needinfo?(choller) → needinfo?(jorendorff)
Comment 8•7 years ago
|
||
David, would you please find out which tests use the expression decompiler? (I would probably do this by adding a MOZ_CRASH() in DecompileValueGenerator or decompilePC and running the tests and jit-tests. Tests that use the decompiler will fail.) No guarantee the fuzzers will find this. Sure would be great if they did, though.
Flags: needinfo?(jorendorff) → needinfo?(dteller)
Comment 9•7 years ago
|
||
Note for Christian: The decompiler is invoked only when reporting an error; for example, "foo.toString is not a function". So most tests avoid it. And, very normal-looking code can trigger it.
Comment 10•7 years ago
|
||
Here is a recent fuzzing coverage report for js/src/jsopcode.cpp (the file in question): https://fuzzmanager.fuzzing.mozilla.org/covmanager/collections/833/browse/#p=js/src/jsopcode.cpp&s=1667 It seems to me that the decompiler is pretty well covered in general. If anyone wants to look through it to find interesting spots/holes and needs access for that, please ping me.
Comment 11•7 years ago
|
||
When trying to build with the attached patch applied to mozilla-central, I got this error:
> js/src/jsscript.h:1874:40: error: ‘JOF_OPTYPE’ was not declared in this scope
> MOZ_ASSERT(JOF_OPTYPE((JSOp)*pc) == JOF_ATOM);
Mmmh... Might be a case of unified builds? I'll check this out tomorrow.
Same one, minus typo, and plus requested layout fix. Do I need sec-approval for this? Also, currently attempting to list the tests requested in comment 8. Given how long our test suites last, I guess I'll have the list tomorrow.
Attachment #8929430 -
Attachment is obsolete: true
Flags: needinfo?(dteller)
Followed jorendorff's idea in comment 8, here is a list of tests involving ExpressionDecompiler::decompilePC. This does not include the tests that failed by timeout, which may or may not be related to decompilePC.
May I checkin-needed or do I need sec-approval for this?
Flags: needinfo?(jorendorff)
Comment on attachment 8930976 [details] [diff] [review] Adding a few assertions around ExpressionDecompiler::decompilePC [Security approval request comment] This patch is just adding assertions to help us pinpoint where this crash comes from and the impact on security.
Attachment #8930976 -
Flags: sec-approval?
Comment 18•7 years ago
|
||
(In reply to David Teller [:Yoric] (please use "needinfo") from comment #15) > May I checkin-needed or do I need sec-approval for this? Hard to know since no one has answered sec-approval template questions. It is a sec-high. If it affects more than trunk, it needs sec-approval. That's now been asked for in a later comment but I need the template questions answered.
Flags: needinfo?(abillings) → needinfo?(dteller)
Comment 19•7 years ago
|
||
I'm back from PTO now and will look into fuzzing this patch before it lands. Once it is clean on fuzzing, we should be able to land it. But if it is not, then it has potential to reveal a sec bug to others, so we should at least wait until that. I don't think this is a sec-approval case because this isn't a security fix we're doing here, we don't even know what the bug is, yet.
Ok, so not landing.
Flags: needinfo?(dteller)
Comment 21•7 years ago
|
||
So can you clear the sec-approval and request again when you want to land this?
Flags: needinfo?(dteller)
Comment on attachment 8930976 [details] [diff] [review] Adding a few assertions around ExpressionDecompiler::decompilePC Done
Attachment #8930976 -
Flags: sec-approval?
Comment 24•7 years ago
|
||
(In reply to Al Billings [:abillings] from comment #23) > Doesn't Christian need to fuzz this first? I have been fuzzing this for 24 hours now but not found anything. Will keep going, but I assume we can land this already.
Flags: needinfo?(choller)
Flags: needinfo?(dteller)
Comment 25•6 years ago
|
||
What are the next steps here? It seems we could get this shipped, no?
Flags: needinfo?(dteller)
Let's do that.
Flags: needinfo?(dteller)
Keywords: checkin-needed
Comment 27•6 years ago
|
||
Yoric, comment #21 tells me you still require sec-approval. Can you please request sec-approval for the attachment and answer all the questions in the template? This is required before checkin.
Flags: needinfo?(dteller)
Whiteboard: [leave open]
Comment on attachment 8930976 [details] [diff] [review] Adding a few assertions around ExpressionDecompiler::decompilePC [Security approval request comment] This is just a diagnosis patch, which we hope to use to help fuzz out the actual issue.
Attachment #8930976 -
Flags: sec-approval?
Comment 29•6 years ago
|
||
Comment on attachment 8930976 [details] [diff] [review] Adding a few assertions around ExpressionDecompiler::decompilePC sec-approval+
Attachment #8930976 -
Flags: sec-approval? → sec-approval+
Updated•6 years ago
|
status-firefox60:
--- → affected
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment 32•6 years ago
|
||
diagnostic asserts: https://hg.mozilla.org/integration/mozilla-inbound/rev/35b81e0007ab42a5c0e7ec037ee2295d6708607e
Keywords: leave-open
Updated•6 years ago
|
Keywords: checkin-needed
Comment 33•6 years ago
|
||
diagnostic asserts: https://hg.mozilla.org/mozilla-central/rev/35b81e0007ab
For the moment, if I read Socorro correctly, we have exactly one re;evant signature from a build that contains this patch: https://crash-stats.mozilla.com/report/index/f72cff56-3d56-4607-98e7-1a4870180317 – and that signature neatly sidesteps all the assertions. For the moment, I have no clue where the crash could be coming from. If anybody has ideas, I'm interested.
Flags: needinfo?(dteller)
A few more crashes have shown up with the relevant signature, and they all show that `str` is non-null. Apparently, all the crashes on recent builds (60a1+) are under Windows. Crash addresses: - 0xffffffffffffffff (most) - 0x6b465346 (a few) - 0xc5212076 (one) - 0xa5 (one, what is that?) - 0x226 (one, what is that?) So, my best guess is that we're overwriting that memory. No clue where, though.
Updated•6 years ago
|
Priority: P2 → P3
Comment 38•6 years ago
|
||
Stalled. We did some digging, but it is currently unactionable.
Assignee: dteller → nobody
Keywords: stalled
Updated•6 years ago
|
Whiteboard: [leave open] → [#jsapi:crashes-retriage][leave open]
Comment 39•5 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?
Flags: needinfo?(sdetar)
Comment 40•5 years ago
|
||
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #39)
The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?
This is still a stalled sec bug. The leave-open was because it had a diagnostic patch landed.
Flags: needinfo?(sdetar)
Comment 41•4 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?
Flags: needinfo?(sdetar)
Updated•4 years ago
|
Flags: needinfo?(sdetar)
Updated•3 years ago
|
Blocks: sm-defects-crashes
Updated•3 years ago
|
Updated•2 years ago
|
Severity: critical → S2
Updated•1 year ago
|
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
Updated•1 year ago
|
Keywords: leave-open
Comment 42•1 year ago
|
||
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
Updated•2 months ago
|
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•