A few Metadata fields are not serialized and deserialized, thus they may be undefined
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox78 | --- | fixed |
People
(Reporter: bbouvier, Assigned: lth)
References
Details
(Keywords: sec-low, Whiteboard: [adv-main78+r])
Attachments
(1 file)
Thanks to dmajor who asked about this on slack.
A few fields in Metadata may not be serialized or deserialized: for instance, bigIntEnabled isn't serialized and deserialized here, leading to undefined behavior here.
Classifying as sec bug for now (I'm probably being paranoid), but I'd like that we take time thinking about what the consequences might be. v128enabled suffers from the same issue, as far as i can tell.
|
Assignee | |
Comment 1•4 years ago
|
||
OK, good find. It's problematic that we don't have a system that catches these mistakes for us. We need to fix the problem for BigInt soonish because that rides the FF78 train.
The clang-10 landing (bug 1616692) bounced because of a ubsan complaint about this (I'm not sure why clang-9's sanitizers don't catch it). I'm very eager to re-land clang-10, since compiler updates bitrot really fast and I'm always catching up with new test failures. I had been planning on adding a suppression for this error while it's investigated, but, seeing that this is potentially a security bug... is that an ok thing to do?
|
|
Assignee | |
Comment 3•4 years ago
•
|
||
This is at most a nightly-only concern since bigint and simd are nightly-only at the moment. Simd is even off by default. As for bigint, it's a new feature no content uses, and it's a boolean flag, so if it should have been false but is read as true we're just enabling code that isn't exercised, and if it should have been true but is read as false then we're at most throwing errors some places we shouldn't be, and we'll see those bug reports. So suppressing it should be just fine.
|
Reporter | |
Comment 4•4 years ago
|
||
It's problematic that we don't have a system that catches these mistakes for us.
The right way is to put these raw fields in the MetadataCacheablePod, which are serialized and deserialized for free.
we're at most throwing errors some places we shouldn't be
Are we sure it might not cause MOZ_CRASHes? Even so, we could unhide this bug and suppress it then, because mozcrashes are safe.
|
|
Assignee | |
Comment 5•4 years ago
|
||
Yeah, I can look into preparing a patch to move the fields tomorrow.
In general, the values of these switches that are exposed to about:config must be assumed to change at any moment, so if there's a MOZ_CRASH or other crash then that's a latent bug I think. I think we've generally been careful about this, we read switches once when compilation starts and then propagate those values, and we try to gate things at high levels (instructions that validate) but not low (specific code generation strategies), though of course bugs happen.
With that logic in mind, it sort of doesn't make a difference whether the fields are serialized, so long as we don't deserialize them but instead get current values...
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 6•4 years ago
|
||
omitsBoundsChecks falls into this category too. It was already properly serialized/deserialized but can be moved to the POD.
|
|
Assignee | |
Comment 7•4 years ago
|
||
Serialized/deserialized properties that are POD should be in the
CacheablePod structure so that we don't have to worry about adding
extra code to serialize/deserialize them; it's so easy to forget.
|
|
Assignee | |
Comment 8•4 years ago
|
||
Nightly-only and probably without any real user impact => sec-low
|
|
Reporter | |
Comment 9•4 years ago
|
||
This has been backed out for failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=spidermonkey&revision=bc5e947dda0abeb48f46417f596a079fbc53817e
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 11•4 years ago
|
||
Oops, forgot to update serializedSize() too.
|
||
Comment 12•4 years ago
|
||
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/99ddf2c70b4f Make sure to serialize/deserialize all code properties. r=bbouvier
|
||
Comment 13•4 years ago
|
||
| bugherder | ||
|
|
||
Comment 14•4 years ago
|
||
Backout by csabou@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/db5f5d127e24 Backed out changeset bc5e947dda0a for wasm related bustage CLOSED TREE
|
||
Comment 15•4 years ago
|
||
(In reply to Pulsebot from comment #14)
Backout by csabou@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/db5f5d127e24
Backed out changeset bc5e947dda0a for wasm related bustage CLOSED TREE
Note that this is a delayed reporting of the first backout; the second landing is still present.
|
|
||
Comment 16•4 years ago
|
||
Thanks a lot for the quick response on this, Benjamin and Lars!
|
||
Updated•4 years ago
|
Description
•