Closed Bug 1415443 Opened 7 years ago Closed 1 year ago

Crash in js::frontend::IsIdentifier

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Version:
56 Branch
Platform:
x86
Windows 8
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox60 --- wontfix

People

(Reporter: jesup, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [#jsapi:crashes-retriage][leave open])

Crash Data

Attachments

(2 files, 1 obsolete file)

Adding a few assertions around ExpressionDecompiler::decompilePC
3.84 KB, patch
abillings
: sec-approval+
Details | Diff | Splinter Review
List of tests involving ExpressionDecompiler::decompilePC
82.23 KB, text/plain
Details 
This bug was filed from the Socorro interface and is 
report bp-a640f79f-a61e-439e-9271-1bf110171102.
=============================================================

UAF going back to at least 52ESR and likely further.  Crashes in this function go back to at least FF22.
Flags: needinfo?(nihsanullah)
Group: core-security → javascript-core-security
Yoric, would you please take a look? The stacks for this crash signature are very consistent.

If nothing else, ExpressionDecompiler::loadAtom should delegate directly to a JSScript method that has the same signature, and asserts that the pc is in range for the script and that the opcode actually has the JOF_ATOM flag. The more assertions, the better the fuzzers work, and a fuzzbug is a reproducible bug...
Priority: -- → P2
Flags: needinfo?(dteller)
At a quick glance:

- looks OS-independent (so pretty certainly our fault);
- all the stacks I have looked at but one look like

  js::frontend::IsIdentifier(JSLinearString*) 	js/src/vm/Unicode.h:155
  (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char) 	js/src/jsopcode.cpp:1762
  js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int)
  ...

I'll add a few assertions and see if that helps.
Flags: needinfo?(dteller)
Can't find any obvious reason for the crash, so I'll adding a few asserts as suggested by jorendorff. If you can think of more stuff to assert, I'll be happy to add some more.
Comment on attachment 8929430 [details] [diff] [review]
Adding a few assertions around ExpressionDecompiler::decompilePC

Review of attachment 8929430 [details] [diff] [review]:
-----------------------------------------------------------------

Very nice, thanks.

::: js/src/frontend/TokenStream.cpp
@@ +179,5 @@
> +    MOZ_ASSERT(str);
> +    if (str->hasLatin1Chars())
> +        return ::IsIdentifier(str->latin1Chars(nogc), str->length());
> +    else
> +        return ::IsIdentifierMaybeNonBMP(str->twoByteChars(nogc), str->length());

Style nit: We have a hard rule against else-after-return. I'm not crazy about it, but it's one of the points where we actually agree with Gecko, so...
Attachment #8929430 - Flags: review?(jorendorff) → review+
Christian, if we can tell you which existing tests exercise the expression decompiler, could we get some focused fuzz-testing on this code?
Flags: needinfo?(nihsanullah) → needinfo?(choller)
(In reply to Jason Orendorff [:jorendorff] from comment #6)
> Christian, if we can tell you which existing tests exercise the expression
> decompiler, could we get some focused fuzz-testing on this code?

Yes, if you show me code examples that hit this code, I can try to add some focused code to the fuzzing driver.
Flags: needinfo?(choller) → needinfo?(jorendorff)
David, would you please find out which tests use the expression decompiler?

(I would probably do this by adding a MOZ_CRASH() in DecompileValueGenerator or decompilePC and running the tests and jit-tests. Tests that use the decompiler will fail.)

No guarantee the fuzzers will find this. Sure would be great if they did, though.
Flags: needinfo?(jorendorff) → needinfo?(dteller)
Note for Christian: The decompiler is invoked only when reporting an error; for example, "foo.toString is not a function". So most tests avoid it. And, very normal-looking code can trigger it.
Here is a recent fuzzing coverage report for js/src/jsopcode.cpp (the file in question):

https://fuzzmanager.fuzzing.mozilla.org/covmanager/collections/833/browse/#p=js/src/jsopcode.cpp&s=1667

It seems to me that the decompiler is pretty well covered in general. If anyone wants to look through it to find interesting spots/holes and needs access for that, please ping me.
When trying to build with the attached patch applied to mozilla-central, I got this error:

> js/src/jsscript.h:1874:40: error: ‘JOF_OPTYPE’ was not declared in this scope
>         MOZ_ASSERT(JOF_OPTYPE((JSOp)*pc) == JOF_ATOM);
Mmmh... Might be a case of unified builds? I'll check this out tomorrow.
Same one, minus typo, and plus requested layout fix.

Do I need sec-approval for this?

Also, currently attempting to list the tests requested in comment 8. Given how long our test suites last, I guess I'll have the list tomorrow.
Attachment #8929430 - Attachment is obsolete: true
Flags: needinfo?(dteller)
Followed jorendorff's idea in comment 8, here is a list of tests involving ExpressionDecompiler::decompilePC. This does not include the tests that failed by timeout, which may or may not be related to decompilePC.
May I checkin-needed or do I need sec-approval for this?
Flags: needinfo?(jorendorff)
al: comment 15...
Flags: needinfo?(abillings)
Comment on attachment 8930976 [details] [diff] [review]
Adding a few assertions around ExpressionDecompiler::decompilePC

[Security approval request comment]
This patch is just adding assertions to help us pinpoint where this crash comes from and the impact on security.
Attachment #8930976 - Flags: sec-approval?
(In reply to David Teller [:Yoric] (please use "needinfo") from comment #15)
> May I checkin-needed or do I need sec-approval for this?

Hard to know since no one has answered sec-approval template questions. It is a sec-high. If it affects more than trunk, it needs sec-approval. That's now been asked for in a later comment but I need the template questions answered.
Flags: needinfo?(abillings) → needinfo?(dteller)
I'm back from PTO now and will look into fuzzing this patch before it lands. Once it is clean on fuzzing, we should be able to land it. But if it is not, then it has potential to reveal a sec bug to others, so we should at least wait until that. I don't think this is a sec-approval case because this isn't a security fix we're doing here, we don't even know what the bug is, yet.
Ok, so not landing.
Flags: needinfo?(dteller)
So can you clear the sec-approval and request again when you want to land this?
Flags: needinfo?(dteller)
Comment on attachment 8930976 [details] [diff] [review]
Adding a few assertions around ExpressionDecompiler::decompilePC

Done
Attachment #8930976 - Flags: sec-approval?
Doesn't Christian need to fuzz this first?
Flags: needinfo?(choller)
(In reply to Al Billings [:abillings] from comment #23)
> Doesn't Christian need to fuzz this first?

I have been fuzzing this for 24 hours now but not found anything. Will keep going, but I assume we can land this already.
Flags: needinfo?(choller)
Flags: needinfo?(dteller)
What are the next steps here? It seems we could get this shipped, no?
Flags: needinfo?(dteller)
Let's do that.
Flags: needinfo?(dteller)
Yoric, comment #21 tells me you still require sec-approval.
Can you please request sec-approval for the attachment and answer all the questions in the template?
This is required before checkin.
Assignee: nobody → dteller
Flags: needinfo?(dteller)
Keywords: checkin-needed
Flags: needinfo?(dteller)
Whiteboard: [leave open]
Comment on attachment 8930976 [details] [diff] [review]
Adding a few assertions around ExpressionDecompiler::decompilePC

[Security approval request comment]
This is just a diagnosis patch, which we hope to use to help fuzz out the actual issue.
Attachment #8930976 - Flags: sec-approval?
Comment on attachment 8930976 [details] [diff] [review]
Adding a few assertions around ExpressionDecompiler::decompilePC

sec-approval+
Attachment #8930976 - Flags: sec-approval? → sec-approval+
Any news since we landed the diagnostic assert?
Flags: needinfo?(dteller)
For the moment, if I read Socorro correctly, we have exactly one re;evant signature from a build that contains this patch: https://crash-stats.mozilla.com/report/index/f72cff56-3d56-4607-98e7-1a4870180317 – and that signature neatly sidesteps all the assertions.

For the moment, I have no clue where the crash could be coming from. If anybody has ideas, I'm interested.
Flags: needinfo?(dteller)
A few more crashes have shown up with the relevant signature, and they all show that `str` is non-null.

Apparently, all the crashes on recent builds (60a1+) are under Windows.

Crash addresses:
- 0xffffffffffffffff (most)
- 0x6b465346 (a few)
- 0xc5212076 (one)
- 0xa5 (one, what is that?)
- 0x226 (one, what is that?)

So, my best guess is that we're overwriting that memory. No clue where, though.
This is looking unactionable now.
Flags: needinfo?(jorendorff)
Priority: P2 → P3
Stalled. We did some digging, but it is currently unactionable.
Assignee: dteller → nobody
Keywords: stalled
Whiteboard: [leave open] → [#jsapi:crashes-retriage][leave open]

The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?

Flags: needinfo?(sdetar)

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #39)

The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?

This is still a stalled sec bug. The leave-open was because it had a diagnostic patch landed.

Flags: needinfo?(sdetar)

The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?

Flags: needinfo?(sdetar)
Flags: needinfo?(sdetar)
Severity: critical → S2
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: