Closed Bug 1546300 Opened 5 years ago Closed 5 years ago

Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at dist/include/mozilla/Casting.h:208

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: decoder, Assigned: Waldo)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Bug 1546300 - Add a runtime check for structured-clone of RegExp flags not producing an invalid value, rather than merely asserting it. r=tcampbell
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision b783cd5203ea (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):

let data = new Uint8Array([
  104,97,108,101,6,0,255,255,95,98,
  0,0,0,0,0,104,97,108,101,9,0,255,
  255,95,98,115,0,0,0,0,0,0,65,0,0,
  0,0,0,0,0,0,0,0,0,0,0,0,0
]);
let cloneBuffer = serialize(null);
cloneBuffer.clonebuffer = data.buffer;
deserialize(cloneBuffer);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  mozilla::AssertedCast<unsigned char, unsigned int> (aFrom=1701601640) at dist/include/mozilla/Casting.h:208
#1  JSStructuredCloneReader::startRead (this=this@entry=0x7fffffffc430, vp=...) at js/src/vm/StructuredClone.cpp:2465
#2  0x0000555555d20497 in JSStructuredCloneReader::read (this=this@entry=0x7fffffffc430, vp=vp@entry=...) at js/src/vm/StructuredClone.cpp:2906
#3  0x0000555555d20c33 in ReadStructuredClone (cx=<optimized out>, data=..., scope=scope@entry=JS::StructuredCloneScope::DifferentProcess, vp=..., cb=cb@entry=0x0, cbClosure=cbClosure@entry=0x0) at js/src/vm/StructuredClone.cpp:644
#4  0x0000555555d20d27 in JS_ReadStructuredClone (cx=<optimized out>, buf=..., version=version@entry=8, scope=scope@entry=JS::StructuredCloneScope::DifferentProcess, vp=..., vp@entry=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=0x0) at js/src/vm/StructuredClone.cpp:3034
#5  0x0000555555c72d68 in Deserialize (cx=<optimized out>, cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:3222
#6  0x00005555558ef719 in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555c729b0 <Deserialize(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
rax	0x555557c87340	93825033335616
rbx	0x1	1
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x555556b507a0	93825015285664
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc290	140737488339600
rsp	0x7fffffffc1a0	140737488339360
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffc430	140737488340016
r13	0x7fffffffc1d0	140737488339408
r14	0xffff0006	4294901766
r15	0xffff0006656c6168	-281447505305240
rip	0x555555d1f6c7 <JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>)+3031>
=> 0x555555d1f6c7 <JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>)+3031>:	movl   $0x0,0x0
   0x555555d1f6d2 <JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>)+3042>:	ud2

Looking at the code, it seems that we are casing an uint32_t to uint8_t but we assert that the value was in range before (which it was not). I don't see how this could cause any security issues just from a first glance over the following code and it might be that we don't want to assert on this but instead just truncate the value.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6f8d311064d9
user:        Jeff Walden
date:        Tue Apr 02 02:07:50 2019 +0000
summary:     Bug 1539690 - Make a JS::RegExpFlag public API for flag bits, and make a JS::RegExpFlags flag-set abstraction.  r=sfink

This iteration took 519.609 seconds to run.
Assignee: nobody → jwalden
Status: NEW → ASSIGNED
Priority: -- → P1
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ee5f7a9341cc
Add a runtime check for structured-clone of RegExp flags not producing an invalid value, rather than merely asserting it.  r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/ee5f7a9341cc

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
status-firefox67: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+
Regressed by: 1539690
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: