Closed Bug 1417898 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-buffer-overflow [@ JS::Value::toTag] with READ of size 8 with async star function

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1415883
Tracking Status
firefox58 --- fixed
firefox59 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect][adv-main58-])

The following testcase crashes on mozilla-central revision fc194660762d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe):

// Reproducer for the heap-buffer-overflow reported below. This is a
// SpiderMonkey *shell* testcase: newGlobal() and schedulegc() are shell-only
// builtins and the report says it was run with --fuzzing-safe, so it will not
// run in a browser or in Node. Statement order is part of the repro (a GC is
// scheduled in the middle of a run of un-awaited next() calls); do not
// "tidy up" the sequence when re-running it.
var lfOffThreadGlobal = newGlobal();
// Async generator that yields a single fresh object. Each next() on its
// iterator returns a promise; nothing here ever awaits them.
async function* f() {
    yield {};
}
var x = f();
x.next();
// Copy every enumerable property of this global into the fresh global.
// lfLocal is an implicit (undeclared) global -- fuzzer noise, kept as-is
// because the testcase is a verbatim reproducer.
for (lfLocal in this)
  lfOffThreadGlobal[lfLocal] = this[lfLocal];
// Several next() calls issued back to back without awaiting any of them.
// The crash stack (AsyncGeneratorObject::dequeueRequest -> ShiftFromList ->
// NativeObject::shrinkElements, then the out-of-bounds read in the
// HeapSlot pre-barrier) shows the fault while that queue of pending
// requests is drained, so the number of queued calls is presumably what
// matters here -- TODO confirm against the fix in bug 1415883.
x.next();
x.next();
x.next();
// Shell builtin that schedules a GC; the argument is presumably an
// allocation count -- NOTE(review): confirm with the shell's help().
// The overflowing READ in the report happens inside a GC pre-barrier
// (HeapSlot::~HeapSlot -> WriteBarrieredBase::pre -> preBarrier).
schedulegc(100);
x.next();
// The argument passed to next() is presumably a fuzzer artifact with no
// bearing on the bug -- not verified.
x.next(-Math.PI / 4);
x.next();


Backtrace:

==28891==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000012e40 at pc 0x00000059f120 bp 0x7ffeaf53c2b0 sp 0x7ffeaf53c2a8
READ of size 8 at 0x606000012e40 thread T0
    #0 0x59f11f in JS::Value::toTag() const dist/include/js/Value.h:437:32
    #1 0x59f11f in JS::Value::isString() const dist/include/js/Value.h:512
    #2 0x59f11f in _ZN2js13DispatchTypedINS_17PreBarrierFunctorIN2JS5ValueEEEJEEEDTclfp_scP8JSObjectLDnEspclsr7mozillaE7ForwardIT0_Efp1_EEET_RKS3_DpOS7_ dist/include/js/Value.h:1431
    #3 0x1741ea9 in js::InternalBarrierMethods<JS::Value>::preBarrier(JS::Value const&) js/src/gc/Barrier.h:283:9
    #4 0x1741ea9 in js::WriteBarrieredBase<JS::Value>::pre() js/src/gc/Barrier.h:374
    #5 0x1741ea9 in js::HeapSlot::~HeapSlot() js/src/gc/Barrier.h:678
    #6 0x1741ea9 in js::NativeObject::prepareElementRangeForOverwrite(unsigned long, unsigned long) js/src/vm/NativeObject.h:1007
    #7 0x1741ea9 in js::NativeObject::setDenseInitializedLengthUnchecked(unsigned int) js/src/vm/NativeObject.h:1179
    #8 0x1741ea9 in js::NativeObject::setDenseInitializedLength(unsigned int) js/src/vm/NativeObject.h:1196
    #9 0x1741ea9 in js::AsyncGeneratorRequest* js::ShiftFromList<js::AsyncGeneratorRequest>(JSContext*, JS::Handle<js::NativeObject*>) js/src/vm/List-inl.h:62
    #10 0x173293c in js::AsyncGeneratorObject::dequeueRequest(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/vm/AsyncIteration.cpp:373:12
    #11 0x8fbde4 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2769:13
    #12 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #13 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #14 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #15 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #16 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #17 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #18 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #19 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #20 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #21 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #22 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #23 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #24 0x8fd64c in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2918:12
    #25 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #26 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #27 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #28 0x9b38f3 in AsyncGeneratorPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>, JS::MutableHandle<JS::Value>) js/src/builtin/Promise.cpp:1122:14
    #29 0x9b38f3 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) js/src/builtin/Promise.cpp:1201
    #30 0x7f1ac3 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:291:15
[...]

0x606000012e40 is located 0 bytes to the right of 64-byte region [0x606000012e00,0x606000012e40)
allocated by thread T0 here:
    #0 0x50411d in __interceptor_realloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
    #1 0x13c7b52 in js_realloc(void*, unsigned long) dist/include/js/Utility.h:406:12
    #2 0x13c7b52 in unsigned char* js_pod_realloc<unsigned char>(unsigned char*, unsigned long, unsigned long) dist/include/js/Utility.h:594
    #3 0x13c7b52 in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_realloc<unsigned char>(unsigned char*, unsigned long, unsigned long) js/src/vm/MallocProvider.h:70
    #4 0x13c7b52 in unsigned char* js::MallocProvider<JS::Zone>::pod_realloc<unsigned char>(unsigned char*, unsigned long, unsigned long) js/src/vm/MallocProvider.h:173
    #5 0x1f98693 in js::Nursery::reallocateBuffer(JSObject*, void*, unsigned long, unsigned long) js/src/gc/Nursery.cpp:403:16
    #6 0x18eea2a in js::HeapSlot* js::ReallocateObjectBuffer<js::HeapSlot>(JSContext*, JSObject*, js::HeapSlot*, unsigned int, unsigned int) js/src/gc/Nursery-inl.h:135:34
    #7 0x18eea2a in js::NativeObject::shrinkElements(JSContext*, unsigned int) js/src/vm/NativeObject.cpp:1028
    #8 0x1741d6f in js::AsyncGeneratorRequest* js::ShiftFromList<js::AsyncGeneratorRequest>(JSContext*, JS::Handle<js::NativeObject*>) js/src/vm/List-inl.h:59:9
    #9 0x173293c in js::AsyncGeneratorObject::dequeueRequest(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/vm/AsyncIteration.cpp:373:12
    #10 0x8fbde4 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2769:13
    #11 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #12 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #13 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #14 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #15 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #16 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #17 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #18 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #19 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #20 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #21 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #22 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #23 0x8fd64c in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2918:12
    #24 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #25 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #26 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #27 0x9b38f3 in AsyncGeneratorPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>, JS::MutableHandle<JS::Value>) js/src/builtin/Promise.cpp:1122:14
    #28 0x9b38f3 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) js/src/builtin/Promise.cpp:1201
    #29 0x7f1ac3 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:291:15
[...]

SUMMARY: AddressSanitizer: heap-buffer-overflow dist/include/js/Value.h:437:32 in JS::Value::toTag() const
Shadow bytes around the buggy address:
  0x0c0c7fffa5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fffa5c0: 00 00 00 00 00 00 00 00[fa]fa fa fa 00 00 00 00
  0x0c0c7fffa5d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:       fa



Found this after fixing the LangFuzz grammar for async/star function support. Obviously security-sensitive (s-s): ASan reports an 8-byte out-of-bounds heap READ of a JS::Value inside a GC pre-barrier, exactly one slot past the end of the element buffer that NativeObject::shrinkElements() had just reallocated while dequeuing an async-generator request.
This is bug 1415883.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1415883 (CVE-2018-5094)
Mark 58/59 fixed as they were fixed in bug 1415883.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main58-]
Group: javascript-core-security