Crash [@ ??] with invalid read involving asm.js
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | unaffected |
firefox80 | --- | unaffected |
firefox81 | --- | unaffected |
firefox82 | --- | verified |
firefox83 | --- | verified |
People
(Reporter: decoder, Assigned: dbezhetskov)
References
(Regression)
Details
(5 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker][sec-survey])
Crash Data
Attachments
(1 file, 2 obsolete files)
423 bytes,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 20200914-09390cf1d667 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
var all = [undefined, null, ];
function AsmModule(stdlib) {
"use asm";
var fround = stdlib.Math.fround;
function fltConvNot(y38) {
y38 = fround(y38);
var i38 = 0;
i38 = ~((~~y38) | 0);
return (!!i38) | 0;
}
return {
fltConvNot: fltConvNot,
};
}
var asmModule = AsmModule({
Math: Math
});
for (var i38 = 0; i38 < 10; ++i38)
asmModule.fltConvNot(all[i38])
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000289c56a8c00a in ?? ()
#1 0x00007fffffffb438 in ?? ()
#2 0x00007fffffffb8b8 in ?? ()
#3 0x0000289c56a7c11b in ?? ()
#4 0x00007ffff4de13c0 in ?? ()
#5 0x000000007fc00000 in ?? ()
#6 0x000000007fc00000 in ?? ()
#7 0x0000000000000000 in ?? ()
rax 0x289c56a8c000 44651933908992
rbx 0x7fffffffb570 140737488336240
rcx 0x7fffffffb901 140737488337153
rdx 0x1 1
rsi 0x7ffff4de13c0 140737301582784
rdi 0x7fffffffb8b8 140737488337080
rbp 0x7fffffffb2d8 140737488335576
rsp 0x7fffffffb2d8 140737488335576
r8 0xffffd555559ce578 -46912491428488
r9 0xffffd555559ce568 -46912491428504
r10 0xaaaaaaaaaaaaaaaa -6148914691236517206
r11 0x7ffff4a7c6a8 140737298024104
r12 0x7fffffffb468 140737488335976
r13 0x1 1
r14 0x7fffffffb8b8 140737488337080
r15 0x0 0
rip 0x289c56a8c00a 44651933909002
=> 0x289c56a8c00a: mov 0x1e0(%r10),%r10
0x289c56a8c011: movl $0x1,0x78(%r10)
Reporter | ||
Comment 1•4 years ago
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200915092930-24b917577203.
The bug appears to have been introduced in the following build range:
Start: 83a3ed07220dfe4c8a2d16a2c48cfa8d49635362 (20200914043200)
End: 09390cf1d66716146aeb3112f0ac640e317890d9 (20200914054405)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=83a3ed07220dfe4c8a2d16a2c48cfa8d49635362&tochange=09390cf1d66716146aeb3112f0ac640e317890d9
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 3•4 years ago
|
||
Thanks Christian, I managed to reproduce the SIGSEGV, I'll provide a fix soon.
Assignee | ||
Comment 4•4 years ago
|
||
When we do Push(srcSingle) inside outOfLineTruncateSlow but we don't adjust tlsOffset.
To account for this push Push(WasmTlsReg) was moved deeper. Also, it
allows us to reduce the code size a little bit.
Updated•4 years ago
|
Reporter | ||
Updated•4 years ago
|
Comment 5•4 years ago
|
||
Would be great if we could land this ASAP to help fuzzing.
decoder is fighting a few different crashes in JIT code and it's hard to categorize those.
Assignee | ||
Comment 6•4 years ago
|
||
I can't land without the approve and then I don't have permissions to land by myself, I can only put the checkinNeeded flag in the review.
Comment 7•4 years ago
|
||
I'll attempt to review (late) this afternoon, and land it if I r+ it.
Assignee | ||
Comment 8•4 years ago
|
||
When we do Push(srcSingle) inside outOfLineTruncateSlow but we don't adjust tlsOffset.
Assignee | ||
Comment 9•4 years ago
|
||
I've create the fast fix version of the previous patch to land them asap.
Actually it is just a one-liner patch: https://phabricator.services.mozilla.com/D90537
Updated•4 years ago
|
Comment 10•4 years ago
|
||
Oh, forgot to clear the ni?. I reviewed the fast fix last night; it needs further work.
Assignee | ||
Comment 11•4 years ago
|
||
Updated the fast fix, I think we can land it and then replace it with the more robust fix via the normal schedule.
Updated•4 years ago
|
Comment 12•4 years ago
|
||
This is good to go and a nightly-only regression, so I'll land it. I'll try to get to the other patch this week but we may possibly not land until after the merge window.
Comment 13•4 years ago
|
||
That fix was backed out for setting the tree on fire (https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=2550e7f176e49dc7f44fbe449a7e7c75e0b2c1bd). I think need to see a fresh green try run for the other patch probably by tomorrow, or the main option left to me will be to start backing out the patches from bug 1639153 before the merge window closes.
Comment 14•4 years ago
|
||
Backout got merged: https://hg.mozilla.org/mozilla-central/rev/2550e7f176e4
Updated•4 years ago
|
Comment 16•4 years ago
|
||
This can be fixed by backing out part 6.6 from bug 1639153 (changeset 09390cf1d667, there's a small conflict but it is easily resolved).
Comment 17•4 years ago
|
||
I'm going to backout part 6.6, patch to do so will appear here and will need uplift. Doing a broad try run now (unavoidable), https://treeherder.mozilla.org/#/jobs?repo=try&revision=f7986401ed5cb95bce8daa27bb9982d86276d9f0.
Comment 18•4 years ago
|
||
Recent patches from Bug 1639153 (eight of them, from part 6 through part 6.6 plus a subsequent fix) were backed out on my request, and the backout will be uplifted to beta. That should take care of this problem and at least bug 1664045. The backout was clean.
I see there's a sec-high rating here, that's probably overstating it. The crash here is because a register value that should contain the TLS pointer on a callout to C++ contains something else due to faulty register save/restore logic. While an attacker can perhaps set things up so as to get a value into that register (and this is not obvious), it is hard to see that value being used effectively from asm.js in the window that's available until the value is used in a way that will cause a crash. (This is my attempt at a post-facto justification for the backout without asking permission.)
Comment 19•4 years ago
|
||
AIUI we can call this one fixed?
https://bugzilla.mozilla.org/show_bug.cgi?id=1639153#c100
https://bugzilla.mozilla.org/show_bug.cgi?id=1639153#c101
Comment 20•4 years ago
|
||
Almost certainly, though decoder promised to re-test once the nightlies are live.
Reporter | ||
Comment 21•4 years ago
|
||
(In reply to Lars T Hansen [:lth] from comment #20)
Almost certainly, though decoder promised to re-test once the nightlies are live.
Confirmed, this is fixed.
Updated•4 years ago
|
Updated•4 years ago
|
Comment 22•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200923095909-7927a1705247.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 23•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 24•4 years ago
|
||
Should we land the testcase from this bug?
Comment 25•4 years ago
|
||
Yes, I'll take care of it. Will land with the test case on bug 1666051.
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Updated•3 years ago
|
Updated•3 years ago
|
Description
•