Closed Bug 1672677 Opened 5 years ago Closed 5 years ago

READ memory access

Categories

(Core :: JavaScript Engine, task)

Product:
Core
Component:
JavaScript Engine
Type:
task

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: 1422930734, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

5
496 bytes, text/javascript
Details
Attached file 5

1 . version:
JavaScript-C72.0a1
2. git commit:
27ded6834ef8b61fa52838acd59fe617bf44c61c

3 . command:
./js poc
4. description:
ASAN:DEADLYSIGNAL

==103383==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x563270844628 bp 0x7ffd8f87a830 sp 0x7ffd8f87a780 T0)
==103383==The signal is caused by a READ memory access.
==103383==Hint: address points to the zero page.
#0 0x563270844627 in mozilla::UniquePtr<char [], JS::FreePolicy>::reset(char*) /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/UniquePtr.h:436:20
#1 0x563270844627 in mozilla::UniquePtr<char [], JS::FreePolicy>::operator=(mozilla::UniquePtr<char [], JS::FreePolicy>&&) /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/UniquePtr.h:410
#2 0x563270844627 in js::wasm::Decoder::fail(unsigned long, char const*) /root/AFL/compile/gecko-dev/js/src/wasm/WasmValidate.cpp:80
#3 0x563270606da3 in js::wasm::OpIter<(anonymous namespace)::IonCompilePolicy>::readTeeStore(js::wasm::ValType, unsigned int, js::wasm::LinearMemoryAddress<js::jit::MDefinition*>, js::jit::MDefinition**) /root/AFL/compile/gecko-dev/js/src/wasm/WasmOpIter.h:1687:8
#4 0x563270606da3 in EmitTeeStore((anonymous namespace)::FunctionCompiler&, js::wasm::ValType, js::Scalar::Type) /root/AFL/compile/gecko-dev/js/src/wasm/WasmIonCompile.cpp:2483
#5 0x56327056e043 in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) /root/AFL/compile/gecko-dev/js/src/wasm/WasmIonCompile.cpp:4112:13
#6 0x563270543aae in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode, mozilla::UniquePtr<char [], JS::FreePolicy>) /root/AFL/compile/gecko-dev/js/src/wasm/WasmIonCompile.cpp:4226:12
#7 0x5632704f2ccf in ExecuteCompileTask(js::wasm::CompileTask, mozilla::UniquePtr<char [], JS::FreePolicy>) /root/AFL/compile/gecko-dev/js/src/wasm/WasmGenerator.cpp:736:12
#8 0x5632704f8d34 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() /root/AFL/compile/gecko-dev/js/src/wasm/WasmGenerator.cpp:775:8
#9 0x5632704f8d34 in js::wasm::ModuleGenerator::finishFuncDefs() /root/AFL/compile/gecko-dev/js/src/wasm/WasmGenerator.cpp:913
#10 0x563270438b4b in ModuleValidator<mozilla::Utf8Unit>::finish() /root/AFL/compile/gecko-dev/js/src/wasm/AsmJS.cpp:2155:13
#11 0x5632700c082e in RefPtr<js::wasm::Module const> CheckModule<mozilla::Utf8Unit>(JSContext, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, unsigned int*) /root/AFL/compile/gecko-dev/js/src/wasm/AsmJS.cpp:6421:27
#12 0x5632700c082e in bool DoCompileAsmJS<mozilla::Utf8Unit>(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, bool*) /root/AFL/compile/gecko-dev/js/src/wasm/AsmJS.cpp:7099
#13 0x5632700c082e in js::CompileAsmJS(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, bool*) /root/AFL/compile/gecko-dev/js/src/wasm/AsmJS.cpp:7146
#14 0x56326e042710 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS(js::frontend::ListNode*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3526:8
#15 0x56326e042710 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS(js::frontend::ListNode*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3539
#16 0x56326e042710 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::maybeParseDirective(js::frontend::ListNode*, js::frontend::ParseNode*, bool*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3618
#17 0x56326dfdb80c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList(js::frontend::YieldHandling) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3695:12
#18 0x56326e02c42b in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::FunctionBodyType) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:2028:12
#19 0x56326e02169c in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionNode**, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3238:12
#20 0x56326e01e633 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::innerFunctionForFunctionBox(js::frontend::FunctionNode*, js::frontend::ParseContext*, js::frontend::FunctionBox*, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Directives*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:2986:8
#21 0x56326dfe7646 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::innerFunction(js::frontend::FunctionNode*, js::frontend::ParseContext*, JS::Handle<js::frontend::FunctionCreationData>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3019:32
#22 0x56326dfe7646 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::trySyntaxParseInnerFunction(js::frontend::FunctionNode**, JS::Handle<js::frontend::FunctionCreationData>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:2926
#23 0x56326e0377a1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::trySyntaxParseInnerFunction(js::frontend::FunctionNode**, JS::Handle<js::frontend::FunctionCreationData>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:2964:27
#24 0x56326e0377a1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionDefinition(js::frontend::FunctionNode*, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:2818
#25 0x56326dff71f0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionStmt(unsigned int, js::frontend::YieldHandling, js::frontend::DefaultHandling, js::FunctionAsyncKind) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3410:10
#26 0x56326dfeaedc in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementListItem(js::frontend::YieldHandling, bool) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:8196:14
#27 0x56326dfdb63e in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList(js::frontend::YieldHandling) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:3673:17
#28 0x56326e3593bc in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::globalBody(js::frontend::GlobalSharedContext*) /root/AFL/compile/gecko-dev/js/src/frontend/Parser.cpp:1501:20
#29 0x56326e4a57e7 in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::BytecodeCompiler&, JS::Handle<JSObject*>, js::frontend::SharedContext*) /root/AFL/compile/gecko-dev/js/src/frontend/BytecodeCompiler.cpp:522:22
#30 0x56326e3846c5 in JSScript* CreateGlobalScript<mozilla::Utf8Unit>(js::frontend::GlobalScriptInfo&, JS::SourceText<mozilla::Utf8Unit>&, js::ScriptSourceObject**) /root/AFL/compile/gecko-dev/js/src/frontend/BytecodeCompiler.cpp:213:16
#31 0x56326e3846c5 in js::frontend::CompileGlobalScript(js::frontend::GlobalScriptInfo&, JS::SourceText<mozilla::Utf8Unit>&, js::ScriptSourceObject**) /root/AFL/compile/gecko-dev/js/src/frontend/BytecodeCompiler.cpp:231
#32 0x56326c4deab1 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:69:10
#33 0x56326c4deab1 in JS::CompileUtf8FileDontInflate(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:141
#34 0x56326b7d787e in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:878:16
#35 0x56326b7d3ee5 in Process(JSContext*, char const*, bool, FileKind) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:1459:14
#36 0x56326b709f88 in ProcessArgs(JSContext*, js::cli::OptionParser*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10234:10
#37 0x56326b709f88 in Shell(JSContext*, js::cli::OptionParser*, char**) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10828
#38 0x56326b709f88 in main /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:11479
#39 0x7f332415e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#40 0x56326b5c19e8 in _start (/root/analysis/gecko/js3+0x6649e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/UniquePtr.h:436:20 in mozilla::UniquePtr<char [], JS::FreePolicy>::reset(char*)
==103383==ABORTING

Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Attachment #9183150 - Attachment mime type: text/x-matlab → text/javascript

The crash doesn't reproduce for me in a current build of the JS engine. Most likely it was already fixed.

Crashes near null are not normally exploitable, so this isn't security-sensitive. Opening.

Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: