Closed Bug 1658675 Opened 4 years ago Closed 4 years ago

"Dereferencing a UniquePtr containing Nullptr" following registerModule() in Spidermonkey

Categories

(Core :: JavaScript Engine, task, P1)


RESOLVED FIXED
81 Branch
Tracking Status
firefox81 --- fixed

People

(Reporter: albntomat0, Assigned: jonco)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

OS: Ubuntu 18.04.5 LTS
Commit: 68cd54888e1cc4f595ba5feff754011f11f47afa (current master), dated 11 Aug 2020
Build options: This reproduces on the standard Spidermonkey debug build, using the following:
/bin/sh ../configure.in --enable-debug --disable-optimize
make

Note: I have been able to reproduce this consistently when typed into the shell, but have not been able to trigger it loading from a file. I expect this is due to my inexperience with this type of issue.

This was found using a modified version of fuzzilli (https://github.com/googleprojectzero/fuzzilli). The modifications will be open sourced in the near future.

Test case:
const v4 = parseModule("export var a = 1; export var b = 2;");
const v5 = registerModule("-268435456",v4);

Stack Trace:
Assertion failure: get() (dereferencing a UniquePtr containing nullptr), at /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/include/mozilla/UniquePtr.h:281
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==19772==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55ae7a1dac42 bp 0x7fff49287440 sp 0x7fff492873d0 T19772)
==19772==The signal is caused by a WRITE memory access.
==19772==Hint: address points to the zero page.
#0 0x55ae7a1dac42 in mozilla::UniquePtr<js::shell::ModuleLoader, JS::DeletePolicy<js::shell::ModuleLoader> >::operator->() const /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/include/mozilla/UniquePtr.h:281:5
#1 0x55ae7a1dac42 in RegisterModule(JSContext*, unsigned int, JS::Value*) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:5241:8
#2 0x55ae7a2ec177 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:507:13
#3 0x55ae7a2eb6cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:599:12
#4 0x55ae7a2ed683 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:664:10
#5 0x55ae7a2db020 in js::CallFromStack(JSContext*, JS::CallArgs const&) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:668:10
#6 0x55ae7a2db020 in Interpret(JSContext*, js::RunState&) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:3336:16
#7 0x55ae7a2cd4b8 in js::RunScript(JSContext*, js::RunState&) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:468:13
#8 0x55ae7a2ef3d8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:856:13
#9 0x55ae7a2efe6e in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/Interpreter.cpp:888:10
#10 0x55ae7a59a5ad in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:384:10
#11 0x55ae7a59a314 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:410:10
#12 0x55ae7a22b86a in EvalUtf8AndPrint(JSContext*, char const*, unsigned long, int, bool) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:1428:8
#13 0x55ae7a22b86a in ReadEvalPrintLoop(JSContext*, _IO_FILE*, bool) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:1505:26
#14 0x55ae7a22b86a in Process(JSContext*, char const*, bool, FileKind) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:1595:10
#15 0x55ae7a1a5b36 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:10263:12
#16 0x55ae7a1a5b36 in Shell(JSContext*, js::cli::OptionParser*, char**) /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:11059:10
#17 0x55ae7a19c98f in main /home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/shell/js.cpp:11814:12
#18 0x7fefbbb3cb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#19 0x55ae7a16a029 in _start (/home/b/Desktop/projects/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js+0x1b8c029)

Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Severity: -- → S4
Flags: needinfo?(jcoppeard)
Priority: -- → P1

This is a shell only problem.

Group: javascript-core-security

The problem was that the module loader initialization was skipped if there were no paths passed on the command line.
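The initialization-order defect described in the comment above, modelled as an added C++ example (this is not SpiderMonkey or js shell code; ModuleLoader, ShellContext, buggyStartup, fixedStartup and registerModuleBuiltin are hypothetical stand-ins). It shows why the crash appears only in an interactive shell started with no paths, and pairs the actual fix (create the loader unconditionally before the REPL runs) with a null check in the builtin, so a misordered startup produces an error instead of a null dereference.

```cpp
// Added example, not SpiderMonkey code: a loader owned by a std::unique_ptr is
// created only when command-line paths are present, while a shell builtin
// dereferences it unconditionally. The fixed startup creates the loader first;
// the builtin also refuses to run on a null loader.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the shell's module loader.
struct ModuleLoader {
    std::vector<std::string> registered;
    bool registerModule(const std::string& specifier) {
        registered.push_back(specifier);
        return true;
    }
};

// Hypothetical stand-in for the per-context shell state.
struct ShellContext {
    std::unique_ptr<ModuleLoader> moduleLoader;
};

// Distinguishes "rejected because uninitialized" from "succeeded".
enum class RegisterResult { Ok, LoaderNotInitialized };

// Defensive form of the builtin: dereferencing a null unique_ptr is undefined
// behaviour (the debug assertion in the report), so report an error instead.
RegisterResult registerModuleBuiltin(ShellContext& sc, const std::string& specifier) {
    if (!sc.moduleLoader) {
        return RegisterResult::LoaderNotInitialized;
    }
    sc.moduleLoader->registerModule(specifier);
    return RegisterResult::Ok;
}

// Buggy startup order, as described by the assignee: the loader is created
// only when script paths are passed, so an interactive shell leaves it null.
void buggyStartup(ShellContext& sc, const std::vector<std::string>& paths) {
    if (!paths.empty()) {
        sc.moduleLoader = std::make_unique<ModuleLoader>();
    }
}

// Fixed startup order: the loader exists before any builtin can run,
// whether or not paths were passed.
void fixedStartup(ShellContext& sc, const std::vector<std::string>& /*paths*/) {
    sc.moduleLoader = std::make_unique<ModuleLoader>();
}

// Runs the report's test case against a given startup routine.
RegisterResult runTestCase(void (*startup)(ShellContext&, const std::vector<std::string>&),
                           const std::vector<std::string>& paths) {
    ShellContext sc;
    startup(sc, paths);
    // Specifier taken from the report's test case.
    return registerModuleBuiltin(sc, "-268435456");
}

int main() {
    // No paths, as in an interactive shell session: buggy order is rejected
    // safely, fixed order succeeds.
    assert(runTestCase(buggyStartup, {}) == RegisterResult::LoaderNotInitialized);
    assert(runTestCase(fixedStartup, {}) == RegisterResult::Ok);
    // With a path the buggy order happens to work, matching the reporter's
    // note that the crash did not reproduce when loading from a file.
    assert(runTestCase(buggyStartup, {"script.js"}) == RegisterResult::Ok);
    return 0;
}
```

The null check is belt-and-braces: the real fix is the unconditional initialization, but a guard at the dereference site turns any future ordering regression into a reported error rather than a crash.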

Flags: sec-bounty?
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/45e64fba31ca Initialize module loader before starting an interactive shell r=jandem
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
