Closed
Bug 1421786
Opened 7 years ago
Closed 7 years ago
Crash in JSFunction::needsFunctionEnvironmentObjects
Categories
(Core :: JavaScript Engine, defect, P1)
People
(Reporter: philipp, Assigned: tcampbell)
Details
(Keywords: crash, regression, sec-moderate, Whiteboard: [adv-main58+][post-critsmash-triage])
Crash Data
This bug was filed from the Socorro interface and is report bp-9319d3d2-2d1e-436f-84b3-66fbf0171127.

=============================================================
Top 10 frames of crashing thread:
0 xul.dll JSFunction::needsFunctionEnvironmentObjects js/src/jsfun.h:163
1 xul.dll js::InterpreterFrame::prologue js/src/vm/Stack.cpp:244
2 xul.dll Interpret js/src/vm/Interpreter.cpp:1918
3 xul.dll js::RunScript js/src/vm/Interpreter.cpp:423
4 xul.dll js::ExecuteKernel js/src/vm/Interpreter.cpp:706
5 xul.dll ExecuteInExtensibleLexicalEnvironment js/src/builtin/Eval.cpp:465
6 xul.dll js::ExecuteInJSMEnvironment js/src/builtin/Eval.cpp:551
7 xul.dll js::ExecuteInJSMEnvironment js/src/builtin/Eval.cpp:509
8 xul.dll mozJSComponentLoader::ObjectForLocation js/xpconnect/loader/mozJSComponentLoader.cpp:879
9 xul.dll mozJSComponentLoader::ImportInto js/xpconnect/loader/mozJSComponentLoader.cpp:1163
=============================================================

Crashes with this signature have been around for a while at a very low volume, but on 57 they are spiking up in frequency. The reports are all coming from Windows builds, and the uptime range is <60s in 99% of the cases. Some crash addresses indicate it's a UAF situation, so I'm marking the bug as security sensitive.
Updated•7 years ago
Group: core-security → javascript-core-security
Comment 1•7 years ago
That's a very odd crashing address. It does have a bunch of e5e5 in the middle, but it doesn't start with e5 (or padded with fffff). There is a cluster of crashes with addresses in that range (from different people), but most crashes are near-null crashes. There's also a cluster of 0xa0000000xx. This appears to be crashing in chrome code, so hopefully not as accessible to an attacker.
Keywords: sec-moderate
Comment 3•7 years ago
Most of these look like null derefs, but a few look like UAFs. We can probably add some assertions to narrow down the null deref case. Not sure about the UAF case.
Assignee
Comment 4•7 years ago
This looks roughly similar to Bug 1415546 which I can hopefully look into this week or early next.
Flags: needinfo?(tcampbell)
Updated•7 years ago
Priority: -- → P1
Assignee
Updated•7 years ago
Assignee: nobody → tcampbell
Assignee
Comment 5•7 years ago
There are zero crashes in 58.0b9 after Bug 1418894 landed.
Comment 6•7 years ago
Calling ESR52 wontfix since the crash is low-volume there and this is only sec-moderate.
Updated•6 years ago
Group: javascript-core-security → core-security-release
Updated•6 years ago
Whiteboard: [adv-main58+]
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
Updated•6 years ago
Group: core-security-release