Closed Bug 1497036 Opened 2 years ago Closed 2 years ago

Crash [@ js::frontend::DeclaredNameInfo::alterKind] with BinAST

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- verified
firefox65 --- verified

People

(Reporter: decoder, Assigned: arai)

References

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [fuzzblocker][post-critsmash-triage])

Crash Data

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 07c609fc8eb8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-tests --enable-fuzzing --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with FUZZER=BinAST ./fuzz-tests test.binjs).

Backtrace:

==2820==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x563d4662b3aa bp 0x7fff06d353d0 sp 0x7fff06d351a0 T0)
==2820==The signal is caused by a WRITE memory access.
==2820==Hint: address points to the zero page.
    #0 0x563d4662b3a9 in js::frontend::DeclaredNameInfo::alterKind(js::frontend::DeclarationKind) js/src/frontend/NameAnalysisTypes.h:167:15
    #1 0x563d4662b3a9 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::buildFunctionBox(js::GeneratorKind, js::FunctionAsyncKind, js::frontend::FunctionSyntaxKind, js::frontend::ParseNode*) js/src/frontend/BinSource.cpp:245
    #2 0x563d4659d906 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceEagerFunctionDeclaration(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:3273:5
    #3 0x563d4658d11b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseStatement() js/src/frontend/BinSource-auto.cpp:1731:5
    #4 0x563d465c5c23 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfStatement() js/src/frontend/BinSource-auto.cpp:5655:9
    #5 0x563d465b0da0 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceScript(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4487:5
    #6 0x563d4658b79a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSumProgram(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:1448:9
    #7 0x563d4658b79a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseProgram() js/src/frontend/BinSource-auto.cpp:1433
    #8 0x563d46627852 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAux(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:153:5
    #9 0x563d4662892a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:125:19
    #10 0x563d4662892a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, mozilla::Vector<unsigned char, 0ul, js::TempAllocPolicy> const&, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:118
    #11 0x563d464cd127 in testBinASTReaderFuzz(unsigned char const*, unsigned long) js/src/fuzz-tests/testBinASTReader.cpp:73:29
    #12 0x563d4656b3eb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
[...]
    #19 0x563d463d0888 in _start (build/fuzz-tests+0x524888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/frontend/NameAnalysisTypes.h:167:15 in js::frontend::DeclaredNameInfo::alterKind(js::frontend::DeclarationKind)
==2820==ABORTING
Attached file Testcase
This is blocking BinAST fuzzing, marking as fuzzblocker.
Flags: needinfo?(arai.unmht)
Whiteboard: [fuzzblocker]
The same assertion failure as bug 1496334, which is about annex B
marking s-s just in case.
Group: core-security
Flags: needinfo?(arai.unmht)
See Also: → 1496334
Keeping hidden and sec-other per bug 1496334  comment 3
Keywords: sec-other
Group: core-security → javascript-core-security
This fuzzblocker has been on file for over a week, currently prevents *any* fuzzing of BinJS and also breaks its coverage job.
NI arai per comment 5.
Flags: needinfo?(arai.unmht)
the assertion there was based on wrong assumption.
the name won't be there if the AssertedDeclaredName doesn't exist for the name.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #9017123 - Flags: review?(dteller)
Comment on attachment 9017123 [details] [diff] [review]
Throw error if function declaration is found without corresponding AssertedDeclaredName.

Review of attachment 9017123 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/frontend/BinSource.cpp
@@ +243,5 @@
>  
>      if (parseContext_ && syntax == FunctionSyntaxKind::Statement) {
>          auto ptr = parseContext_->varScope().lookupDeclaredName(atom);
> +        if (!ptr) {
> +            return raiseError("FunctionDeclaration without corresponding AssertedDeclaredName.");

Out of curiosity, when could this happen?
Attachment #9017123 - Flags: review?(dteller) → review+
Thank you for reviewing :D

(In reply to David Teller [:Yoric] (please use "needinfo") from comment #8)
> ::: js/src/frontend/BinSource.cpp
> @@ +243,5 @@
> >  
> >      if (parseContext_ && syntax == FunctionSyntaxKind::Statement) {
> >          auto ptr = parseContext_->varScope().lookupDeclaredName(atom);
> > +        if (!ptr) {
> > +            return raiseError("FunctionDeclaration without corresponding AssertedDeclaredName.");
> 
> Out of curiosity, when could this happen?

just by removing the corresponding AssertedDeclaredName from valid file.
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd6a56ce613caf1e103b4d51503de6bce2cdee26
Bug 1497036 - Throw error if function declaration is found without corresponding AssertedDeclaredName. r=Yoric
Priority: -- → P1
https://hg.mozilla.org/mozilla-central/rev/cd6a56ce613c
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: qe-verify+
Whiteboard: [fuzzblocker] → [fuzzblocker][post-critsmash-triage]
I successfully reproduced the issue with some help from Christian using fuzzing-asan-opt (2018100609) under Ubuntu 18.04 (x64).

While verifying using the latest fuzzing-asan 64 build I encountered another crash (see the attachment) in the terminal output. This happened as well under Ubuntu 18.04 (x64).
Is there any progress for the issue?
Flags: needinfo?(arai.unmht)
I'll take a look today
that's bug 1496334, that the crash itself is already fixed by other bug.
now it throws "SyntaxError: BinAST Parsing Error: FunctionDeclaration without corresponding AssertedDeclaredName.".
Flags: needinfo?(arai.unmht)
So, can we consider flagging it as verified fix if the crash itself is already fixed in another bug?
Flags: needinfo?(arai.unmht)
the crash doesn't happen on latest m-c for you, right?
if so, yes
Flags: needinfo?(arai.unmht)
Clearing the qe-verify+ flag as the crash is not occuring anymore on latest m-c build (20181114123936-fuzzing-asan-opt). Test was performed under Ubuntu 18.04 (x64).
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.