Closed Bug 1546327 Opened 5 years ago Closed 5 years ago

Bytecode length can overflow UINT32_MAX

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 67+ fixed
firefox66 --- wontfix
firefox67 + fixed
firefox68 + fixed

People

(Reporter: jandem, Assigned: jandem)

Details

(Keywords: csectype-intoverflow, sec-high, Whiteboard: [adv-main67+][adv-esr60.7+])

Attachments

(1 file)

Bug 1546327 - Clean up bytecode and source note allocation. r?arai!
47 bytes, text/x-phabricator-request
lizzard
: approval-mozilla-beta+
lizzard
: approval-mozilla-esr60+
abillings
: sec-approval+
Details | Review

Vector<> happily supports sizes > UINT32_MAX, but parts of the emitter and SharedScriptData::codeLength_ assume the length <= UINT32_MAX. There also seem to be issues with jump offsets being signed so maybe bytecode length should be limited to INT32_MAX.

The testcase below crashes 64-bit opt builds and fails a JumpList assertion in debug builds. Test runs for 20-30 seconds in opt builds but I'm sure it could be "optimized" to crash faster.

One way to fix this without an extra check everywhere is with a custom AllocPolicy, like this: https://searchfox.org/mozilla-central/rev/f46e2bf881d522a440b30cbf5cf8d76fc212eaf4/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h#78

function f() {
    var prefix = "throw 1;";
    var suffix = "0";
    var s = "[...[]],".repeat(50000000);
    Function(prefix + s + suffix)();
}
f();

(In reply to Jan de Mooij [:jandem] from comment #0)

There also seem to be issues with jump offsets being signed so maybe bytecode length should be limited to INT32_MAX.

Debug builds fail the delta < 0 assertion here:

https://searchfox.org/mozilla-central/rev/f46e2bf881d522a440b30cbf5cf8d76fc212eaf4/js/src/frontend/JumpList.cpp#25

Probably safest to limit the bytecode Vector length to INT32_MAX.

Keywords: csectype-intoverflow, sec-high
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

(In reply to Jan de Mooij [:jandem] from comment #0)

One way to fix this without an extra check everywhere is with a custom AllocPolicy, like this

A problem with this is that it uses allocation size, not length, so the max bytecode length would depend on Vector's over-allocation/doubling behavior and that doesn't seem ideal. For now it's probably safest to restrict bytecode and source note Vectors to INT32_MAX in emitCheck/AllocSrcNote.

Comment on attachment 9060059 [details]
Bug 1546327 - Clean up bytecode and source note allocation. r?arai!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not trivial but probably not too hard either.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should apply or be easy to backport.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. It adds some size limits that we shouldn't reach on real websites.
Attachment #9060059 - Flags: sec-approval?
status-firefox68: --- → affected
Priority: -- → P1

Just realized jandem already said all branches are affected.

status-firefox66: ?wontfix
status-firefox67: ?affected
status-firefox-esr60: ?affected

Comment on attachment 9060059 [details]
Bug 1546327 - Clean up bytecode and source note allocation. r?arai!

Sec-approval+ for trunk after talking to Liz in release management. We'll want a Beta and ESR60 patch nominated as well.

Attachment #9060059 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/mozilla-central/rev/c89cf3ac460f

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9060059 [details]
Bug 1546327 - Clean up bytecode and source note allocation. r?arai!

Beta/Release Uplift Approval Request

  • User impact if declined: Security issues.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It adds some limits that shouldn't affect real websites.
  • String changes made/needed: None
Attachment #9060059 - Flags: approval-mozilla-esr60?
Attachment #9060059 - Flags: approval-mozilla-beta?

Comment on attachment 9060059 [details]
Bug 1546327 - Clean up bytecode and source note allocation. r?arai!

Fix for sec-high issue, let's take this for beta 16 and for esr 60.7.

Attachment #9060059 - Flags: approval-mozilla-esr60?
Attachment #9060059 - Flags: approval-mozilla-esr60+
Attachment #9060059 - Flags: approval-mozilla-beta?
Attachment #9060059 - Flags: approval-mozilla-beta+

Patch fails to apply, code has been altered by bug 1535994 and bug 1543211 before (checked on beta). Please provide patches for beta and esr.

Flags: needinfo?(jdemooij)

https://hg.mozilla.org/releases/mozilla-esr60/rev/a096a8ee118db4fcd39b7dbf4e963c96a795bb4b

I left out the asserts in JSScript.cpp in the ESR60 patch: I added them originally to catch regressions in mozilla-central but the code on ESR60 is very different and I don't think we need those sanity checks there.

status-firefox-esr60: affectedfixed
Flags: needinfo?(jdemooij)
Whiteboard: [adv-main67+][adv-esr60.7+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: