Closed Bug 1499366 Opened 2 years ago Closed 2 years ago

Crash [@ js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedPositionalParameterName]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- disabled
firefox63 --- disabled
firefox64 --- fixed

People

(Reporter: decoder, Assigned: arai)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 4c11ab0cd989 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-tests --enable-fuzzing --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with FUZZER=BinAST ./fuzz-tests test.binjs).

Backtrace:

==21650==ERROR: AddressSanitizer: SEGV on unknown address 0x00017fff7fff (pc 0x55eb200ae069 bp 0x7ffc46eed0b0 sp 0x7ffc46eecea0 T0)
==21650==The signal is caused by a READ memory access.
    #0 0x55eb200ae068 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedPositionalParameterName(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:2342:9
    #1 0x55eb200a4084 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSumAssertedMaybePositionalParameterName(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:78:9
    #2 0x55eb200a4084 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAssertedMaybePositionalParameterName(js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:61
    #3 0x55eb200e3d9e in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfAssertedMaybePositionalParameterName(js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:5462:9
    #4 0x55eb200d5c35 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedParameterScope(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:2289:5
    #5 0x55eb200d5873 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAssertedParameterScope(JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >) js/src/frontend/BinSource-auto.cpp:2269:5
    #6 0x55eb200dccd6 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceFunctionExpressionContents(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, unsigned int, js::frontend::ListNode**, js::frontend::ListNode**) js/src/frontend/BinSource-auto.cpp:3808:5
    #7 0x55eb200dc549 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseFunctionExpressionContents(unsigned int, js::frontend::ListNode**, js::frontend::ListNode**) js/src/frontend/BinSource-auto.cpp:3774:5
    #8 0x55eb200b4f51 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceEagerFunctionExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:3315:5
    #9 0x55eb200a66ab in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseExpression() js/src/frontend/BinSource-auto.cpp:395:5
    #10 0x55eb200cfc02 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceDataProperty(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:3129:5
    #11 0x55eb200aae1b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseObjectProperty() js/src/frontend/BinSource-auto.cpp:1323:5
    #12 0x55eb200ec9da in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfObjectProperty() js/src/frontend/BinSource-auto.cpp:5555:9
    #13 0x55eb200ba06c in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceObjectExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4411:5
    #14 0x55eb200accab in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSpreadElementOrExpression() js/src/frontend/BinSource-auto.cpp:1575:5
    #15 0x55eb200e5d57 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseArguments() js/src/frontend/BinSource-auto.cpp:5369:9
    #16 0x55eb200b258b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceCallExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:2829:5
    #17 0x55eb200ea6ff in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseOptionalExpression() js/src/frontend/BinSource-auto.cpp:5790:9
    #18 0x55eb200e1a84 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceVariableDeclarator(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:5030:5
    #19 0x55eb200e1672 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseVariableDeclarator() js/src/frontend/BinSource-auto.cpp:5011:5
    #20 0x55eb200eedc7 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfVariableDeclarator() js/src/frontend/BinSource-auto.cpp:5663:9
    #21 0x55eb200bf8a6 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceVariableDeclaration(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4968:5
    #22 0x55eb200ad5eb in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseStatement() js/src/frontend/BinSource-auto.cpp:1727:5
    #23 0x55eb200e5333 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfStatement() js/src/frontend/BinSource-auto.cpp:5624:9
    #24 0x55eb200d0a40 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceScript(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:4455:5
    #25 0x55eb200abc6a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSumProgram(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinSource-auto.cpp:1444:9
    #26 0x55eb200abc6a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseProgram() js/src/frontend/BinSource-auto.cpp:1429
    #27 0x55eb20146162 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseAux(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:153:5
    #28 0x55eb2014723a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:125:19
    #29 0x55eb2014723a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, mozilla::Vector<unsigned char, 0ul, js::TempAllocPolicy> const&, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinSource.cpp:118
    #30 0x55eb1ffed627 in testBinASTReaderFuzz(unsigned char const*, unsigned long) js/src/fuzz-tests/testBinASTReader.cpp:73:29
[...]
    #36 0x55eb1fef0d88 in _start (/srv/corpus/build/build/fuzz-tests+0x525d88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/frontend/BinSource-auto.cpp:2342:9 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceAssertedPositionalParameterName(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&, js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::AssertedScopeKind, JS::MutableHandle<JS::GCVector<JSAtom*, 0ul, js::TempAllocPolicy> >)
==21650==ABORTING
Attached file Testcase
Another blocker for BinJS fuzzing.
Flags: needinfo?(arai.unmht)
Whiteboard: [fuzzblocker]
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
There are 2 issues.
One is that BinTokenReaderMultipart::readInternalUint32 doesn't check shift.
Flags: needinfo?(arai.unmht)
Attachment #9017519 - Flags: review?(dteller)
Another one is an integer overflow because of the +1 while checking AssertedPositionalParameterName.index.
Attachment #9017520 - Flags: review?(dteller)
Attachment #9017519 - Flags: review?(dteller) → review+
Attachment #9017520 - Flags: review?(dteller) → review+
https://hg.mozilla.org/mozilla-central/rev/bca5f70008c9
https://hg.mozilla.org/mozilla-central/rev/c96e54bae30c
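Added illustration of the two defects arai describes above. This is constructed example code, not js/src code and not the content of the two landed changesets; it assumes a 7-data-bits-per-byte, high-bit-continuation varint layout and uses invented names (Cursor, readVarUint32, indexInRange). It shows (1) a uint32 varint reader whose loop is bounded on the shift so an over-long or truncated encoding is rejected instead of shifting a 32-bit operand by 35, and (2) an index bounds check written as `index < count` next to the `index + 1 <= count` shape that wraps for index == UINT32_MAX.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed example, not SpiderMonkey code. Names and byte layout are
// assumptions made for illustration only.
struct Cursor {
    const uint8_t* p;
    const uint8_t* end;
};

// Reads one varint-encoded uint32. Returns false on truncated input, on a
// fifth byte carrying bits that do not fit in 32 bits, or when a sixth byte
// would be needed. The loop bound on `shift` is the check the report says
// readInternalUint32 lacked: without it `shift` climbs past 31 and
// `byte << shift` is undefined behaviour on a 32-bit operand.
bool readVarUint32(Cursor& cur, uint32_t* out) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 32; shift += 7) {
        if (cur.p >= cur.end) {
            return false;                       // ran off the end of the buffer
        }
        uint8_t byte = *cur.p++;
        if (shift == 28 && (byte & 0x70) != 0) {
            return false;                       // only 4 data bits fit at shift 28
        }
        result |= uint32_t(byte & 0x7f) << shift;
        if ((byte & 0x80) == 0) {
            *out = result;
            return true;
        }
    }
    return false;                               // shift would reach 35: over-long encoding
}

// Wrapper over a byte array; reports how many bytes were consumed via *used.
bool decodeVarUint32(const uint8_t* data, size_t len, uint32_t* out, size_t* used) {
    Cursor cur{data, data + len};
    bool ok = readVarUint32(cur, out);
    *used = static_cast<size_t>(cur.p - data);
    return ok;
}

// Shape of the second defect: validating a positional-parameter index as
// `index + 1 <= count`. For index == UINT32_MAX the addition wraps to 0 and
// the check passes for every count.
bool indexInRangePlusOne(uint32_t index, uint32_t count) {
    return index + 1 <= count;
}

// Same intent with no addition, so there is nothing to wrap.
bool indexInRange(uint32_t index, uint32_t count) {
    return index < count;
}

// Exercises constructed inputs; returns true when every expectation holds.
bool runSelfChecks() {
    const uint8_t normal[]    = {0xe5, 0x8e, 0x26};                   // 624485
    const uint8_t maxval[]    = {0xff, 0xff, 0xff, 0xff, 0x0f};       // 0xffffffff
    const uint8_t overlong[]  = {0x80, 0x80, 0x80, 0x80, 0x80, 0x00}; // needs a 6th byte
    const uint8_t toowide[]   = {0xff, 0xff, 0xff, 0xff, 0x7f};       // 35 data bits
    const uint8_t truncated[] = {0x80};                               // continuation, then EOF
    uint32_t v = 0;
    size_t used = 0;
    if (!decodeVarUint32(normal, sizeof normal, &v, &used) || v != 624485u || used != 3) return false;
    if (!decodeVarUint32(maxval, sizeof maxval, &v, &used) || v != 0xffffffffu) return false;
    if (decodeVarUint32(overlong, sizeof overlong, &v, &used)) return false;
    if (decodeVarUint32(toowide, sizeof toowide, &v, &used)) return false;
    if (decodeVarUint32(truncated, sizeof truncated, &v, &used)) return false;
    // The wrapping form accepts UINT32_MAX against a 4-element list; the fixed form rejects it.
    if (!indexInRangePlusOne(UINT32_MAX, 4)) return false;
    if (indexInRange(UINT32_MAX, 4)) return false;
    if (!indexInRange(3, 4) || indexInRange(4, 4)) return false;
    return true;
}

int main() {
    bool ok = runSelfChecks();
    std::printf("self checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The two checks compose: a reader that rejects over-long encodings still decodes 0xffffffff from a well-formed 5-byte input, so the index comparison has to be written in a form that cannot wrap rather than relying on the decoder to keep values small.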
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: qe-verify-
Group: core-security-release