Closed
Bug 1449385
Opened 8 years ago
Closed 8 years ago
AddressSanitizer: use-after-poison [@ __asan_memset] with WRITE of size 1048576
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | unaffected |
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:ignore])
The following testcase crashes on mozilla-central revision 7a682f7ab2f5 (using the patch from bug 1448589) (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --ion-offthread-compile=off):

```js
gczeal(7);
for (var i = 0; i < 1024; ++class get {}.enum) {}
```
Backtrace:

```text
==9816==ERROR: AddressSanitizer: use-after-poison on address 0x7f6f99b00000 at pc 0x0000004f932c bp 0x7ffc4c17b990 sp 0x7ffc4c17b140
WRITE of size 1048576 at 0x7f6f99b00000 thread T0
    #0 0x4f932b in __asan_memset compiler-rt/lib/asan/asan_interceptors.cc:424
    #1 0x2147cc2 in Poison(void*, unsigned char, unsigned long, MemCheckKind) js/src/jsutil.h:335:5
    #2 0x2147cc2 in js::NurseryChunk::poisonAfterSweep() js/src/gc/Nursery.cpp:88
    #3 0x2147cc2 in js::Nursery::clear() js/src/gc/Nursery.cpp:1027
    #4 0x2145b56 in js::Nursery::doCollection(JS::gcreason::Reason, js::gc::TenureCountCache&) js/src/gc/Nursery.cpp:920:5
    #5 0x2142872 in js::Nursery::collect(JS::gcreason::Reason) js/src/gc/Nursery.cpp:726:9
    #6 0x2097f4a in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) js/src/gc/GC.cpp:7744:5
    #7 0x202eb89 in js::gc::GCRuntime::runDebugGC() js/src/gc/GC.cpp:8129:16
    #8 0x202e660 in js::gc::GCRuntime::gcIfNeededAtAllocation(JSContext*) js/src/gc/Allocator.cpp:310:9
    #9 0x20f26b4 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) js/src/gc/Allocator.cpp:271:14
    #10 0x20f26b4 in JSObject* js::Allocate<JSObject, (js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, js::Class const*) js/src/gc/Allocator.cpp:52
    #11 0x15a4a95 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) js/src/vm/NativeObject-inl.h:538:21
    #12 0x17f6dfe in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) js/src/vm/JSObject.cpp:728:9
    #13 0x17f7a57 in js::NewObjectWithClassProtoCommon(JSContext*, js::Class const*, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject.cpp:849:21
    #14 0x85c33a in js::NewObjectWithClassProto(JSContext*, js::Class const*, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject-inl.h:677:12
    #15 0x85c33a in js::NewBuiltinClassInstance(JSContext*, js::Class const*, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject-inl.h:714
    #16 0x85c33a in js::PlainObject* js::NewBuiltinClassInstance<js::PlainObject>(JSContext*, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject-inl.h:736
    #17 0x85c33a in js::CopyInitializerObject(JSContext*, JS::Handle<js::PlainObject*>, js::NewObjectKind) js/src/vm/NativeObject-inl.h:706
    #18 0x85d1fd in js::NewObjectOperationWithTemplate(JSContext*, JS::Handle<JSObject*>) js/src/vm/Interpreter.cpp:5006:21
    #19 0x7f6f9b2f4e95 (<unknown module>)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: use-after-poison compiler-rt/lib/asan/asan_interceptors.cc:424 in __asan_memset
Shadow bytes around the buggy address:
  0x0fee73357fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee73357ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fee73358000:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fee73358010: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Poisoned by user:      f7
==9816==ABORTING
```
This is with jandem's patch for poisoning GC and jit-code allocations that are no longer valid (bug 1448589). Therefore, this could indicate a security problem, marking s-s.
Comment 1 • 8 years ago (Assignee)
I'll take a look. It's likely an issue with my patch.
Flags: needinfo?(jdemooij)
Comment 2 • 8 years ago (Assignee)
(In reply to Jan de Mooij [:jandem] from comment #1)
> I'll take a look. It's likely an issue with my patch.
Yep. Fixed this in my patch for bug 1448589.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Updated • 8 years ago
Assignee: nobody → jdemooij
status-firefox59: --- → unaffected
status-firefox60: --- → unaffected
status-firefox-esr52: --- → unaffected
Updated • 8 years ago
Group: javascript-core-security → core-security-release
Updated • 6 years ago
Group: core-security-release
Updated • 6 years ago
Blocks: asan-maintenance