Bug 1440531 (Closed)
Opened 6 years ago, closed 6 years ago
UBSan: downcast of address which does not point to an object of type 'js::jit::MInstruction' js/src/jit/InlineList.h:471
Categories: Core :: JavaScript Engine: JIT, defect, P2
Tracking: RESOLVED FIXED, mozilla61
People: Reporter: tsmith, Assigned: bhackett1024
Details: Keywords: csectype-undefined, sec-audit; Whiteboard: [adv-main61-]
Attachments (1 file): 1.21 KB, patch, jandem: review+
This is triggered with regular browsing when built with -fsanitize=vptr.
Found with mozilla-central changeset: 404902:169b1ba48437
Marking as s-s until reviewed.

src/js/src/jit/InlineList.h:471:16: runtime error: downcast of address 0x62d004a8eda0 which does not point to an object of type 'js::jit::MInstruction'
0x62d004a8eda0: note: object has invalid vptr
 00 00 00 00  e4 e4 e4 e4  e4 e4 e4 e4  98 e7 a8 04  d0 62 00 00  98 44 a7 04  d0 62 00 00  9c 99 0f 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
    #0 0x7fc2333e97b8 in operator* src/js/src/jit/InlineList.h:471:16
    #1 0x7fc2333e97b8 in js::jit::IonBuilder::jsop_initprop(js::PropertyName*) src/js/src/jit/IonBuilder.cpp:6467
    #2 0x7fc2333c9d68 in js::jit::IonBuilder::inspectOpcode(JSOp) src/js/src/jit/IonBuilder.cpp:2027:16
    #3 0x7fc2333c85f6 in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) src/js/src/jit/IonBuilder.cpp:1563:9
    #4 0x7fc2333c0dc3 in js::jit::IonBuilder::traverseBytecode() src/js/src/jit/IonBuilder.cpp:1480:9
    #5 0x7fc2333aff5e in js::jit::IonBuilder::build() src/js/src/jit/IonBuilder.cpp:863:5
    #6 0x7fc2333872ed in IonCompile src/js/src/jit/Ion.cpp:2200:32
    #7 0x7fc2333872ed in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) src/js/src/jit/Ion.cpp:2464
    #8 0x7fc233389852 in BaselineCanEnterAtBranch src/js/src/jit/Ion.cpp:2641:27
    #9 0x7fc233389852 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) src/js/src/jit/Ion.cpp:2699
    #10 0x7fc233077a7b in js::jit::DoWarmUpCounterFallbackOSR(JSContext*, js::jit::BaselineFrame*, js::jit::ICWarmUpCounter_Fallback*, js::jit::IonOsrTempData**) src/js/src/jit/BaselineIC.cpp:147:10
    #11 0x389b74031bf4 (<unknown module>)
Comment 1 (6 years ago)

I'm not very familiar with this code, but at a glance, the fix might be changing IonBuilder.cpp:6490 from

> MInstruction* last = *current->rbegin();

to

> MInstructionReverseIterator last = *current->rbegin();

and if so, it doesn't seem like this is an immediate security hazard, because there's no actual dereference of the pointer in question. Brian, this code appears to have been introduced in r231263. Can you take a look?
Updated 6 years ago
Comment 2 (6 years ago)

Yeah, using MInstructionReverseIterator is equivalent and should avoid this invalid cast. There isn't a security hazard here, though I can't remove the s-s flag.

Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8959023 - Flags: review?(jdemooij)
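The pattern behind this report, as an added example that is not SpiderMonkey's code: an intrusive list with an embedded sentinel node, a reverse iterator whose operator* downcasts the node to the element type, and a "last instruction" lookup written both the way comment 1 quotes it (unconditional `*rbegin()`) and with the iterator held instead. The InlineList, InlineListNode, MInstruction and MNewObject types here are simplified stand-ins; the rend() comparison before the downcast is this example's own addition, and reading the report as "the block has no instructions yet, so rbegin() is the sentinel" is my inference from the invalid-vptr note, not something the bug states.

```cpp
// Constructed example, not js/src/jit/InlineList.h: an intrusive
// doubly-linked list terminated by a sentinel node embedded in the list.
// The sentinel is a bare InlineListNode, never a T, so downcasting it to
// T* is invalid even if the resulting pointer is never dereferenced.
template <typename T>
class InlineListNode {
 public:
  InlineListNode() : next_(nullptr), prev_(nullptr) {}
  InlineListNode<T>* next_;
  InlineListNode<T>* prev_;
};

template <typename T>
class InlineList {
  using Node = InlineListNode<T>;
  Node head_;  // sentinel

 public:
  InlineList() { head_.next_ = &head_; head_.prev_ = &head_; }

  class ReverseIterator {
    Node* iter_;
   public:
    explicit ReverseIterator(Node* n) : iter_(n) {}
    // Valid only while the iterator is not at rend(). On an empty list
    // rbegin() == rend(), so *rbegin() downcasts the sentinel; this is the
    // cast -fsanitize=vptr reports.
    T* operator*() const { return static_cast<T*>(iter_); }
    bool operator==(const ReverseIterator& o) const { return iter_ == o.iter_; }
  };

  ReverseIterator rbegin() { return ReverseIterator(head_.prev_); }
  ReverseIterator rend() { return ReverseIterator(&head_); }

  void pushBack(T* t) {
    Node* n = t;  // upcast to the node base
    n->prev_ = head_.prev_;
    n->next_ = &head_;
    head_.prev_->next_ = n;
    head_.prev_ = n;
  }
};

// Hypothetical stand-ins for MInstruction/MNewObject: polymorphic, so a
// real instruction carries a vptr that -fsanitize=vptr can validate.
class MInstruction : public InlineListNode<MInstruction> {
 public:
  explicit MInstruction(int id) : id_(id) {}
  virtual ~MInstruction() {}
  virtual bool isNewObject() const { return false; }
  int id() const { return id_; }
 private:
  int id_;
};

class MNewObject : public MInstruction {
 public:
  explicit MNewObject(int id) : MInstruction(id) {}
  bool isNewObject() const override { return true; }
};

// The shape quoted in comment 1: on an empty block this downcasts the
// sentinel (undefined behaviour, flagged by -fsanitize=vptr) even though
// the pointer is never dereferenced. Only call on a non-empty block.
MInstruction* lastInstructionUnchecked(InlineList<MInstruction>& block) {
  MInstruction* last = *block.rbegin();
  return last;
}

// Hold the iterator (as the fix in this bug does) and downcast only after
// comparing with rend(); the rend() check is this example's addition.
MInstruction* lastInstructionChecked(InlineList<MInstruction>& block) {
  InlineList<MInstruction>::ReverseIterator last = block.rbegin();
  if (last == block.rend()) return nullptr;
  return *last;
}

// Constructed sample block: empty, or a plain instruction (id 1) followed
// by an MNewObject (id 2). Returns the last id, or -1 when empty.
int sampleLastId(bool populate) {
  MInstruction a(1);
  MNewObject b(2);
  InlineList<MInstruction> block;
  if (populate) { block.pushBack(&a); block.pushBack(&b); }
  MInstruction* last = lastInstructionChecked(block);
  return last ? last->id() : -1;
}

// Both variants agree on a non-empty block; only the empty case differs.
bool sampleVariantsAgreeOnNonEmpty() {
  MInstruction a(1);
  MNewObject b(2);
  InlineList<MInstruction> block;
  block.pushBack(&a);
  block.pushBack(&b);
  return lastInstructionUnchecked(block) == lastInstructionChecked(block) &&
         lastInstructionChecked(block)->isNewObject();
}
```

Building with clang and `-fsanitize=vptr` and calling lastInstructionUnchecked on an empty InlineList is the kind of cast that yields a "downcast of address ... which does not point to an object of type" report like the one above; the checked variant never performs the downcast unless a real element is present, which is also why the comparison against rend() has to be done on the iterator, not on the already-cast pointer.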
Updated 6 years ago
Group: javascript-core-security
Updated 6 years ago
Attachment #8959023 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f4fee0ff18cf
Avoid unnecessary downcast, r=jandem.
Comment 4 (6 years ago, bugherder)

https://hg.mozilla.org/mozilla-central/rev/f4fee0ff18cf
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Updated 6 years ago
Whiteboard: [adv-main61-]