Closed Bug 1664979 Opened 4 years ago Closed 4 years ago

Crash [@ ??] with invalid read involving asm.js

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox80 --- unaffected
firefox81 --- unaffected
firefox82 --- verified
firefox83 --- verified

People

(Reporter: decoder, Assigned: dbezhetskov)

References

(Regression)

Details

(5 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker][sec-survey])

Crash Data

Attachments

(1 file, 2 obsolete files)

Testcase
423 bytes, text/plain
Details

The following testcase crashes on mozilla-central revision 20200914-09390cf1d667 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

var all = [undefined, null, ];
function AsmModule(stdlib) {
    "use asm";
    var fround = stdlib.Math.fround;
    function fltConvNot(y38) {
        y38 = fround(y38);
        var i38 = 0;
        i38 = ~((~~y38) | 0);
        return (!!i38) | 0;
    }
    return {
        fltConvNot: fltConvNot,
    };
}
var asmModule = AsmModule({
    Math: Math
});
for (var i38 = 0; i38 < 10; ++i38)
  asmModule.fltConvNot(all[i38])

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000289c56a8c00a in ?? ()
#1  0x00007fffffffb438 in ?? ()
#2  0x00007fffffffb8b8 in ?? ()
#3  0x0000289c56a7c11b in ?? ()
#4  0x00007ffff4de13c0 in ?? ()
#5  0x000000007fc00000 in ?? ()
#6  0x000000007fc00000 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x289c56a8c000	44651933908992
rbx	0x7fffffffb570	140737488336240
rcx	0x7fffffffb901	140737488337153
rdx	0x1	1
rsi	0x7ffff4de13c0	140737301582784
rdi	0x7fffffffb8b8	140737488337080
rbp	0x7fffffffb2d8	140737488335576
rsp	0x7fffffffb2d8	140737488335576
r8	0xffffd555559ce578	-46912491428488
r9	0xffffd555559ce568	-46912491428504
r10	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r11	0x7ffff4a7c6a8	140737298024104
r12	0x7fffffffb468	140737488335976
r13	0x1	1
r14	0x7fffffffb8b8	140737488337080
r15	0x0	0
rip	0x289c56a8c00a	44651933909002
=> 0x289c56a8c00a:	mov    0x1e0(%r10),%r10
   0x289c56a8c011:	movl   $0x1,0x78(%r10)
Attached file Testcase 

    
    

    
  
Bugmon Analysis:

Verified bug as reproducible on mozilla-central 20200915092930-24b917577203.

The bug appears to have been introduced in the following build range:




Start: 83a3ed07220dfe4c8a2d16a2c48cfa8d49635362 (20200914043200)

End: 09390cf1d66716146aeb3112f0ac640e317890d9 (20200914054405)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=83a3ed07220dfe4c8a2d16a2c48cfa8d49635362&tochange=09390cf1d66716146aeb3112f0ac640e317890d9




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

          status-firefox80:
          --- → unaffected

          status-firefox81:
          --- → unaffected

          status-firefox-esr68:
          --- → unaffected

          status-firefox-esr78:
          --- → unaffected
Flags: needinfo?(dbezhetskov)
Regressed by: 1639153

    
  
Has Regression Range: --- → yes

    
    

    
  
Thanks Christian, I managed to reproduce the SIGSEGV, I'll provide a fix soon.


Flags: needinfo?(dbezhetskov)

    
    

    
  


  
When we do Push(srcSingle) inside outOfLineTruncateSlow but we don't adjust tlsOffset.

To account for this push Push(WasmTlsReg) was moved deeper. Also, it

allows us to reduce the code size a little bit.


Assignee: nobody → dbezhetskov
Status: NEW → ASSIGNED

    
  
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][fuzzblocker]

    
    

    
  
Would be great if we could land this ASAP to help fuzzing.


decoder is fighting a few different crashes in JIT code and it's hard to categorize those.



    
    

    
  
I can't land without the approve and then I don't have permissions to land by myself, I can only put the checkinNeeded flag in the review.



    
    

    
  
I'll attempt to review (late) this afternoon, and land it if I r+ it.



    
    

    
  


  
When we do Push(srcSingle) inside outOfLineTruncateSlow but we don't adjust tlsOffset.



    
    

    
  
I've create the fast fix version of the previous patch to land them asap.

Actually it is just a one-liner patch: https://phabricator.services.mozilla.com/D90537


Flags: needinfo?(lhansen)

    
    

    
  
Oh, forgot to clear the ni?.  I reviewed the fast fix last night; it needs further work.


Flags: needinfo?(lhansen)

    
    

    
  
Updated the fast fix, I think we can land it and then replace it with the more robust fix via the normal schedule.


Severity: -- → S3
Priority: -- → P1

    
    

    
  
This is good to go and a nightly-only regression, so I'll land it.  I'll try to get to the other patch this week but we may possibly not land until after the merge window.


Keywords: leave-open

    
    

    
  
That fix was backed out for setting the tree on fire (https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=2550e7f176e49dc7f44fbe449a7e7c75e0b2c1bd).  I think need to see a fresh green try run for the other patch probably by tomorrow, or the main option left to me will be to start backing out the patches from bug 1639153 before the merge window closes.


Flags: needinfo?(dbezhetskov)
Component: JavaScript Engine: JIT → Javascript: WebAssembly

    
    

    
  
Upping to S1 due to related bug.


Severity: S3 → S1
See Also:  → 1666140

    
    

    
  
This can be fixed by backing out part 6.6 from bug 1639153 (changeset 09390cf1d667, there's a small conflict but it is easily resolved).



    
    

    
  
I'm going to backout part 6.6, patch to do so will appear here and will need uplift.  Doing a broad try run now (unavoidable), https://treeherder.mozilla.org/#/jobs?repo=try&revision=f7986401ed5cb95bce8daa27bb9982d86276d9f0.



    
    

    
  
Recent patches from Bug 1639153 (eight of them, from part 6 through part 6.6 plus a subsequent fix) were backed out on my request, and the backout will be uplifted to beta.  That should take care of this problem and at least bug 1664045.  The backout was clean.


I see there's a sec-high rating here, that's probably overstating it.  The crash here is because a register value that should contain the TLS pointer on a callout to C++ contains something else due to faulty register save/restore logic.  While an attacker can perhaps set things up so as to get a value into that register (and this is not obvious), it is hard to see that value being used effectively from asm.js in the window that's available until the value is used in a way that will cause a crash.  (This is my attempt at a post-facto justification for the backout without asking permission.)


Flags: needinfo?(dbezhetskov)

    
    

    
  
Almost certainly, though decoder promised to re-test once the nightlies are live.



    
    

    
  
(In reply to Lars T Hansen [:lth] from comment #20)




Almost certainly, though decoder promised to re-test once the nightlies are live.




Confirmed, this is fixed.


Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

          status-firefox83:
          ?fixed
Target Milestone: --- → 83 Branch

    
    

    
  
Bugmon Analysis:

Verified bug as fixed on rev mozilla-central 20200923095909-7927a1705247.

Removing bugmon keyword as no further action possible.

Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox82:
          fixedverified

          status-firefox83:
          fixedverified
Keywords: bugmon

    
    

    
  
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.


Please visit this google form to reply.


Flags: needinfo?(dbezhetskov)
Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker][sec-survey]

    
    

    
  
Should we land the testcase from this bug?


Group: javascript-core-security → core-security-release
Flags: needinfo?(lhansen)

    
    

    
  
Yes, I'll take care of it.  Will land with the test case on bug 1666051.


Flags: needinfo?(lhansen)

        Attachment #9175969 -
        Attachment is obsolete: true

        Attachment #9176251 -
        Attachment is obsolete: true

    
  
Flags: needinfo?(dbezhetskov)
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: