Bug 1499366 - Crash [@ js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedPositionalParameterName]
Status: Closed, RESOLVED FIXED (opened 5 years ago, closed 5 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla64
Tracking
| Release | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox62 | --- | disabled |
| firefox63 | --- | disabled |
| firefox64 | --- | fixed |
People: Reporter: decoder, Assigned: arai
Details: Keywords: assertion, crash, testcase; Whiteboard: [fuzzblocker]
Attachments (3 files):
- 510 bytes, application/octet-stream
- 932 bytes, patch (Yoric: review+)
- 2.85 KB, patch (Yoric: review+)
The attached testcase crashes on mozilla-central revision 4c11ab0cd989 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-tests --enable-fuzzing --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with FUZZER=BinAST ./fuzz-tests test.binjs).

Backtrace:

==21650==ERROR: AddressSanitizer: SEGV on unknown address 0x00017fff7fff (pc 0x55eb200ae069 bp 0x7ffc46eed0b0 sp 0x7ffc46eecea0 T0)
==21650==The signal is caused by a READ memory access.
    #0 0x55eb200ae068 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedPositionalParameterName(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:2342:9
    #1 0x55eb200a4084 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSumAssertedMaybePositionalParameterName(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:78:9
    #2 0x55eb200a4084 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAssertedMaybePositionalParameterName(js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:61
    #3 0x55eb200e3d9e in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfAssertedMaybePositionalParameterName(js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:5462:9
    #4 0x55eb200d5c35 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedParameterScope(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:2289:5
    #5 0x55eb200d5873 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAssertedParameterScope(JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:2269:5
    #6 0x55eb200dccd6 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceFunctionExpressionContents(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, unsigned int, js::frontend::ListNode**, js::frontend::ListNode**) js/src/frontend/BinSource-auto.cpp:3808:5
    #7 0x55eb200dc549 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseFunctionExpressionContents(unsigned int, js::frontend::ListNode**, js::frontend::ListNode**) js/src/frontend/BinSource-auto.cpp:3774:5
    #8 0x55eb200b4f51 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceEagerFunctionExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:3315:5
    #9 0x55eb200a66ab in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseExpression() js/src/frontend/BinSource-auto.cpp:395:5
    #10 0x55eb200cfc02 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceDataProperty(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:3129:5
    #11 0x55eb200aae1b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseObjectProperty() js/src/frontend/BinSource-auto.cpp:1323:5
    #12 0x55eb200ec9da in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfObjectProperty() js/src/frontend/BinSource-auto.cpp:5555:9
    #13 0x55eb200ba06c in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceObjectExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4411:5
    #14 0x55eb200accab in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSpreadElementOrExpression() js/src/frontend/BinSource-auto.cpp:1575:5
    #15 0x55eb200e5d57 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseArguments() js/src/frontend/BinSource-auto.cpp:5369:9
    #16 0x55eb200b258b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceCallExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:2829:5
    #17 0x55eb200ea6ff in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseOptionalExpression() js/src/frontend/BinSource-auto.cpp:5790:9
    #18 0x55eb200e1a84 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceVariableDeclarator(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:5030:5
    #19 0x55eb200e1672 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseVariableDeclarator() js/src/frontend/BinSource-auto.cpp:5011:5
    #20 0x55eb200eedc7 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfVariableDeclarator() js/src/frontend/BinSource-auto.cpp:5663:9
    #21 0x55eb200bf8a6 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceVariableDeclaration(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4968:5
    #22 0x55eb200ad5eb in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseStatement() js/src/frontend/BinSource-auto.cpp:1727:5
    #23 0x55eb200e5333 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfStatement() js/src/frontend/BinSource-auto.cpp:5624:9
    #24 0x55eb200d0a40 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceScript(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4455:5
    #25 0x55eb200abc6a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSumProgram(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:1444:9
    #26 0x55eb200abc6a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseProgram() js/src/frontend/BinSource-auto.cpp:1429
    #27 0x55eb20146162 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAux(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:153:5
    #28 0x55eb2014723a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:125:19
    #29 0x55eb2014723a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, mozilla::Vector<unsigned char, 0ul, js::TempAllocPolicy> const&, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:118
    #30 0x55eb1ffed627 in testBinASTReaderFuzz(unsigned char const*, unsigned long) js/src/fuzz-tests/testBinASTReader.cpp:73:29
    [...]
    #36 0x55eb1fef0d88 in _start (/srv/corpus/build/build/fuzz-tests+0x525d88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/frontend/BinSource-auto.cpp:2342:9 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedPositionalParameterName(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >)
==21650==ABORTING
Reporter, Comment 1•5 years ago

Reporter, Comment 2•5 years ago
Another blocker for BinJS fuzzing.
Flags: needinfo?(arai.unmht)
Whiteboard: [fuzzblocker]
Assignee, Updated•5 years ago

Assignee, Comment 3•5 years ago
There are 2 issues. One is that BinTokenReaderMultipart::readInternalUint32 doesn't check shift.
Flags: needinfo?(arai.unmht)
Attachment #9017519 -
Flags: review?(dteller)
Assignee, Comment 4•5 years ago
The other one is an integer overflow because of the +1 while checking AssertedPositionalParameterName.index.
Attachment #9017520 -
Flags: review?(dteller)
Attachment #9017519 -
Flags: review?(dteller) → review+
Attachment #9017520 -
Flags: review?(dteller) → review+
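As an added illustration of the two defects named in comments 3 and 4 (not code from this bug's patches or from SpiderMonkey), the C++ model below pairs an assumed little-endian base-128 varint read, standing in for readInternalUint32, with the +1 index check. The byte layout, function names and the sample inputs are assumptions, not the BinAST multipart format or the attached testcase.

```cpp
#include <cstddef>
#include <cstdint>

// Assumed model of the varint read behind readInternalUint32: 7 data bits per
// byte, least-significant group first, high bit set means "more bytes follow".
// Part 1 of the fix: refuse to shift once all 32 bits are filled. Without that
// check a sixth continuation byte reaches shift == 35, and `x << 35` on a
// 32-bit operand is undefined behaviour (garbage values rather than an error).
bool readUint32Checked(const uint8_t* p, size_t len, uint32_t* out, size_t* consumed) {
    uint32_t result = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; ++i) {
        if (shift >= 32) return false;                  // the check Part 1 adds
        uint8_t byte = p[i];
        result |= uint32_t(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {                       // last byte of the varint
            *out = result;
            if (consumed) *consumed = i + 1;
            return true;
        }
    }
    return false;                                       // truncated input
}

// Part 2: the bounds check on AssertedPositionalParameterName.index.
// The "+1" form wraps to 0 when index == UINT32_MAX, so the check passes and
// params[index] becomes an out-of-bounds read; comparing without the
// increment cannot wrap.
bool indexInRangeBuggy(uint32_t index, uint32_t count) { return index + 1 <= count; }
bool indexInRangeFixed(uint32_t index, uint32_t count) { return index < count; }

enum class IndexStatus { Malformed, OutOfRange, Ok };

// Both checks in the order the parser meets them: decode the index, then
// validate it against the number of parameters available.
IndexStatus decodeParamIndex(const uint8_t* p, size_t len, uint32_t paramCount) {
    uint32_t index = 0;
    if (!readUint32Checked(p, len, &index, nullptr)) return IndexStatus::Malformed;
    return indexInRangeFixed(index, paramCount) ? IndexStatus::Ok : IndexStatus::OutOfRange;
}

// Constructed sample inputs (not bytes from the attached testcase).
const uint8_t kSmall[]    = {0x05};                                  // index 5
const uint8_t kMaxIndex[] = {0xff, 0xff, 0xff, 0xff, 0x0f};          // index 4294967295
const uint8_t kOverlong[] = {0x80, 0x80, 0x80, 0x80, 0x80, 0x01};    // shift would reach 35

uint32_t decodeOrZero(const uint8_t* p, size_t len) {               // convenience wrapper
    uint32_t v = 0;
    return readUint32Checked(p, len, &v, nullptr) ? v : 0;
}
```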
Assignee, Comment 5•5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/bca5f70008c94e9a74c2d8d7272c10edcfa9c404 Bug 1499366 - Part 1: Check shift while reading uint32. r=Yoric
https://hg.mozilla.org/integration/mozilla-inbound/rev/c96e54bae30c098a4b10a42721bf58295a1409f7 Bug 1499366 - Part 2: Check parameter index before increment. r=Yoric
Comment 6•5 years ago
https://hg.mozilla.org/mozilla-central/rev/bca5f70008c9
https://hg.mozilla.org/mozilla-central/rev/c96e54bae30c
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox62:
--- → disabled
status-firefox63:
--- → disabled
status-firefox-esr60:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated•5 years ago
Flags: qe-verify-
Updated•4 years ago
Group: core-security-release