Closed Bug 1449385 Opened 6 years ago Closed 6 years ago

AddressSanitizer: use-after-poison [@ __asan_memset] with WRITE of size 1048576

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:ignore])

The following testcase crashes on mozilla-central revision 7a682f7ab2f5 (using the patch from bug 1448589) (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(7);
for (var i = 0; i < 1024; ++class get {}.enum) {}


Backtrace:

==9816==ERROR: AddressSanitizer: use-after-poison on address 0x7f6f99b00000 at pc 0x0000004f932c bp 0x7ffc4c17b990 sp 0x7ffc4c17b140
WRITE of size 1048576 at 0x7f6f99b00000 thread T0
    #0 0x4f932b in __asan_memset compiler-rt/lib/asan/asan_interceptors.cc:424
    #1 0x2147cc2 in Poison(void*, unsigned char, unsigned long, MemCheckKind) js/src/jsutil.h:335:5
    #2 0x2147cc2 in js::NurseryChunk::poisonAfterSweep() js/src/gc/Nursery.cpp:88
    #3 0x2147cc2 in js::Nursery::clear() js/src/gc/Nursery.cpp:1027
    #4 0x2145b56 in js::Nursery::doCollection(JS::gcreason::Reason, js::gc::TenureCountCache&) js/src/gc/Nursery.cpp:920:5
    #5 0x2142872 in js::Nursery::collect(JS::gcreason::Reason) js/src/gc/Nursery.cpp:726:9
    #6 0x2097f4a in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) js/src/gc/GC.cpp:7744:5
    #7 0x202eb89 in js::gc::GCRuntime::runDebugGC() js/src/gc/GC.cpp:8129:16
    #8 0x202e660 in js::gc::GCRuntime::gcIfNeededAtAllocation(JSContext*) js/src/gc/Allocator.cpp:310:9
    #9 0x20f26b4 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) js/src/gc/Allocator.cpp:271:14
    #10 0x20f26b4 in JSObject* js::Allocate<JSObject, (js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, js::Class const*) js/src/gc/Allocator.cpp:52
    #11 0x15a4a95 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) js/src/vm/NativeObject-inl.h:538:21
    #12 0x17f6dfe in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) js/src/vm/JSObject.cpp:728:9
    #13 0x17f7a57 in js::NewObjectWithClassProtoCommon(JSContext*, js::Class const*, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject.cpp:849:21
    #14 0x85c33a in js::NewObjectWithClassProto(JSContext*, js::Class const*, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject-inl.h:677:12
    #15 0x85c33a in js::NewBuiltinClassInstance(JSContext*, js::Class const*, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject-inl.h:714
    #16 0x85c33a in js::PlainObject* js::NewBuiltinClassInstance<js::PlainObject>(JSContext*, js::gc::AllocKind, js::NewObjectKind) js/src/vm/JSObject-inl.h:736
    #17 0x85c33a in js::CopyInitializerObject(JSContext*, JS::Handle<js::PlainObject*>, js::NewObjectKind) js/src/vm/NativeObject-inl.h:706
    #18 0x85d1fd in js::NewObjectOperationWithTemplate(JSContext*, JS::Handle<JSObject*>) js/src/vm/Interpreter.cpp:5006:21
    #19 0x7f6f9b2f4e95  (<unknown module>)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: use-after-poison compiler-rt/lib/asan/asan_interceptors.cc:424 in __asan_memset
Shadow bytes around the buggy address:
  0x0fee73357fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee73357ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fee73358000:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fee73358010: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Poisoned by user:        f7
==9816==ABORTING


This is with jandem's patch for poisoning GC and jit-code allocations that are no longer valid (bug 1448589). Therefore, this could indicate a security problem, marking s-s.
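The shape of a "use-after-poison" report like the one above, as an added example that is not code from the bug or from SpiderMonkey: ASan's shadow bytes show f7 ("poisoned by user"), which means the faulting memset ran over a region that had previously been marked inaccessible with ASan's manual poisoning API, not a region ASan freed itself. The toy chunk below (names, the 4 KiB size and the 0x4B fill byte are constructed stand-ins for the 1 MiB nursery chunk in the report) models that class of defect: a sweep that fills freed memory with a pattern and then poisons it is run a second time on the same chunk, so the fill write lands on already-poisoned bytes. The page does not say what the fix in bug 1448589 changed; the unpoison-write-repoison ordering in `chunk_sweep_fixed` is the generic correct pattern, offered as an assumption about the fix rather than a description of it. The poison macros become no-ops without `-fsanitize=address`, so the file builds and runs either way; under ASan, `run_double_sweep(0)` aborts in `__asan_memset` exactly as in the backtrace.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Use ASan's manual poisoning API when building with -fsanitize=address,
 * otherwise make the macros no-ops so the example still compiles and runs. */
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif

#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define CHUNK_POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define CHUNK_UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define CHUNK_POISON(p, n)   ((void)(p), (void)(n))
#  define CHUNK_UNPOISON(p, n) ((void)(p), (void)(n))
#endif

#define CHUNK_SIZE    4096u /* constructed: scaled down from the 1 MiB chunk in the report */
#define SWEPT_PATTERN 0x4B  /* constructed fill byte, not the engine's poison value */

typedef struct {
    unsigned char *base;
    size_t size;
    size_t used;     /* bump-allocation cursor */
    int poisoned;    /* 1 once the chunk has been swept and poisoned */
} Chunk;

static int chunk_init(Chunk *c) {
    c->base = malloc(CHUNK_SIZE);
    if (!c->base) return -1;
    c->size = CHUNK_SIZE;
    c->used = 0;
    c->poisoned = 0;
    return 0;
}

/* Bump-allocate from the chunk; a swept chunk must be unpoisoned before reuse. */
static void *chunk_alloc(Chunk *c, size_t n) {
    if (c->poisoned) {
        CHUNK_UNPOISON(c->base, c->size);
        c->poisoned = 0;
    }
    if (n > c->size - c->used) return NULL;
    void *p = c->base + c->used;
    c->used += n;
    return p;
}

/* Buggy shape: called twice on the same chunk, the second memset writes
 * into bytes the first call poisoned, which ASan reports in __asan_memset. */
static void chunk_sweep_buggy(Chunk *c) {
    memset(c->base, SWEPT_PATTERN, c->size);   /* WRITE of size c->size */
    CHUNK_POISON(c->base, c->size);
    c->poisoned = 1;
    c->used = 0;
}

/* Fixed shape: make the region addressable before writing the pattern,
 * then poison it again so any later access to freed memory is still caught. */
static void chunk_sweep_fixed(Chunk *c) {
    CHUNK_UNPOISON(c->base, c->size);
    memset(c->base, SWEPT_PATTERN, c->size);
    CHUNK_POISON(c->base, c->size);
    c->poisoned = 1;
    c->used = 0;
}

/* Inspect the chunk without tripping ASan: unpoison, count, restore poison. */
static size_t chunk_count_swept(Chunk *c) {
    CHUNK_UNPOISON(c->base, c->size);
    size_t n = 0;
    for (size_t i = 0; i < c->size; i++)
        if (c->base[i] == SWEPT_PATTERN) n++;
    if (c->poisoned) CHUNK_POISON(c->base, c->size);
    return n;
}

static void chunk_free(Chunk *c) {
    CHUNK_UNPOISON(c->base, c->size);
    free(c->base);
    c->base = NULL;
}

/* Two back-to-back sweeps, like the gczeal(7) loop forcing repeated minor
 * GCs; returns how many bytes carry the pattern after the second sweep. */
static size_t run_double_sweep(int use_fixed) {
    Chunk c;
    if (chunk_init(&c) != 0) return 0;
    unsigned char *obj = chunk_alloc(&c, 64);
    if (obj) memset(obj, 0xFF, 64);
    if (use_fixed) { chunk_sweep_fixed(&c); chunk_sweep_fixed(&c); }
    else           { chunk_sweep_buggy(&c); chunk_sweep_buggy(&c); } /* ASan aborts here */
    size_t n = chunk_count_swept(&c);
    chunk_free(&c);
    return n;
}

int main(void) {
    return run_double_sweep(1) == CHUNK_SIZE ? 0 : 1;
}
```

Build it twice, `cc use_after_poison.c` and `clang -fsanitize=address -g use_after_poison.c`, and flip the argument of `run_double_sweep` in `main` to see the difference: the plain build finishes both variants, the ASan build reports use-after-poison with `__asan_memset` as frame #0 for the buggy variant and a WRITE of size 4096 at the chunk base, the same signature as the report above at a smaller scale.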
I'll take a look. It's likely an issue with my patch.
Flags: needinfo?(jdemooij)
(In reply to Jan de Mooij [:jandem] from comment #1)
> I'll take a look. It's likely an issue with my patch.

Yep. Fixed this in my patch for bug 1448589.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Assignee: nobody → jdemooij
Group: javascript-core-security → core-security-release
Group: core-security-release