Closed Bug 1440531 Opened 6 years ago Closed 6 years ago

UBSan: downcast of address which does not point to an object of type 'js::jit::MInstruction' js/src/jit/InlineList.h:471

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

defect

Tracking


RESOLVED FIXED
mozilla61
Tracking Status
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: tsmith, Assigned: bhackett1024)

Details

(Keywords: csectype-undefined, sec-audit, Whiteboard: [adv-main61-])

Attachments

(1 file)

This is triggered with regular browsing when built with -fsanitize=vptr.

Found with mozilla-central changeset: 404902:169b1ba48437. Marking as s-s until reviewed.

src/js/src/jit/InlineList.h:471:16: runtime error: downcast of address 0x62d004a8eda0 which does not point to an object of type 'js::jit::MInstruction'
0x62d004a8eda0: note: object has invalid vptr
 00 00 00 00  e4 e4 e4 e4 e4 e4 e4 e4  98 e7 a8 04 d0 62 00 00  98 44 a7 04 d0 62 00 00  9c 99 0f 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
    #0 0x7fc2333e97b8 in operator* src/js/src/jit/InlineList.h:471:16
    #1 0x7fc2333e97b8 in js::jit::IonBuilder::jsop_initprop(js::PropertyName*) src/js/src/jit/IonBuilder.cpp:6467
    #2 0x7fc2333c9d68 in js::jit::IonBuilder::inspectOpcode(JSOp) src/js/src/jit/IonBuilder.cpp:2027:16
    #3 0x7fc2333c85f6 in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) src/js/src/jit/IonBuilder.cpp:1563:9
    #4 0x7fc2333c0dc3 in js::jit::IonBuilder::traverseBytecode() src/js/src/jit/IonBuilder.cpp:1480:9
    #5 0x7fc2333aff5e in js::jit::IonBuilder::build() src/js/src/jit/IonBuilder.cpp:863:5
    #6 0x7fc2333872ed in IonCompile src/js/src/jit/Ion.cpp:2200:32
    #7 0x7fc2333872ed in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) src/js/src/jit/Ion.cpp:2464
    #8 0x7fc233389852 in BaselineCanEnterAtBranch src/js/src/jit/Ion.cpp:2641:27
    #9 0x7fc233389852 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) src/js/src/jit/Ion.cpp:2699
    #10 0x7fc233077a7b in js::jit::DoWarmUpCounterFallbackOSR(JSContext*, js::jit::BaselineFrame*, js::jit::ICWarmUpCounter_Fallback*, js::jit::IonOsrTempData**) src/js/src/jit/BaselineIC.cpp:147:10
    #11 0x389b74031bf4  (<unknown module>)
I'm not very familiar with this code, but at a glance, the fix might be changing IonBuilder.cpp:6490 from

>     MInstruction* last = *current->rbegin();

to 

>     MInstructionReverseIterator last = *current->rbegin();

and if so, it doesn't seem like this is an immediate security hazard, because there's no actual dereference of the pointer in question.

Brian, this code appears to have been introduced in r231263. Can you take a look?
Flags: needinfo?(bhackett1024)
Priority: -- → P2
Keywords: sec-audit
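As an added illustration (not code from this bug or from SpiderMonkey): a simplified intrusive list modelled on the InlineList pattern, showing why obtaining the element pointer through the iterator's operator* performs the downcast even when the result is only compared, and how holding the iterator instead avoids the cast. The Node, Instr and InstrList names are this example's own.

```cpp
#include <cstddef>

// Intrusive doubly linked list node. The list owns a sentinel Node that is
// not an Instr, so downcasting it is the undefined behaviour UBSan reports.
struct Node {
    Node* next = nullptr;
    Node* prev = nullptr;
};

// Polymorphic element: -fsanitize=vptr checks the vtable pointer on downcast.
struct Instr : Node {
    explicit Instr(int op) : opcode(op) {}
    virtual ~Instr() = default;
    int opcode;
};

// Reverse iterator; the downcast lives in operator*, as in InlineList.h.
struct ReverseIter {
    Node* cur;
    Instr* operator*() const { return static_cast<Instr*>(cur); }
    ReverseIter& operator++() { cur = cur->prev; return *this; }
    bool operator!=(const ReverseIter& o) const { return cur != o.cur; }
};

struct InstrList {
    Node sentinel;
    InstrList() { sentinel.next = sentinel.prev = &sentinel; }
    void pushBack(Instr* i) {
        i->prev = sentinel.prev; i->next = &sentinel;
        sentinel.prev->next = i; sentinel.prev = i;
    }
    ReverseIter rbegin() { return {sentinel.prev}; }
    ReverseIter rend() { return {&sentinel}; }
};

// Pattern the report flags: operator* performs the cast even though `last`
// is only compared, never dereferenced. On an empty list it casts the sentinel.
bool lastIsUnchecked(InstrList& list, const Instr* value) {
    Instr* last = *list.rbegin();
    return last == value;
}

// Fixed pattern: keep the iterator, stop at rend(), compare node identity;
// no downcast is performed at all.
bool lastIsChecked(InstrList& list, const Instr* value) {
    ReverseIter last = list.rbegin();
    if (!(last != list.rend())) return false;
    return last.cur == static_cast<const Node*>(value);
}
```

Building with -fsanitize=vptr and calling lastIsUnchecked on an empty list reproduces the class of report quoted above; the checked variant never casts a node before it is known to be an element.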
Attached patch: patch
Yeah, using MInstructionReverseIterator is equivalent and should avoid this invalid cast.  There isn't a security hazard here, though I can't remove the s-s flag.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8959023 - Flags: review?(jdemooij)
Group: javascript-core-security
Attachment #8959023 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/f4fee0ff18cf
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Whiteboard: [adv-main61-]