Closed Bug 1672679 Opened 5 years ago Closed 5 years ago

WRITE memory access

Categories: Core :: JavaScript Engine, task

Status: RESOLVED INVALID

People: Reporter: 1422930734, Unassigned

Keywords: reporter-external
Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Attachments (1 file): 7.33 KB, text/javascript
Attached file 7

1. version:
JavaScript-C72.0a1
2. git commit:
27ded6834ef8b61fa52838acd59fe617bf44c61c

3. command:
./js poc
4. description:
ASAN:DEADLYSIGNAL

==103405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5600cbfc2a58 bp 0x7ffc934fdb10 sp 0x7ffc934fd940 T0)
==103405==The signal is caused by a WRITE memory access.
==103405==Hint: address points to the zero page.
#0 0x5600cbfc2a57 in Crash(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3711:5
#1 0x5600cc3b4dbf in CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#2 0x5600cc3b4dbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#3 0x5600cc36308c in js::CallFromStack(JSContext*, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:621:10
#4 0x5600cc36308c in Interpret(JSContext*, js::RunState&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:3110
#5 0x5600cc345036 in js::RunScript(JSContext*, js::RunState&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:423:10
#6 0x5600cc3c3201 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:810:13
#7 0x5600cc3c4533 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:843:10
#8 0x5600ccce80c6 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:482:10
#9 0x5600cbfd1c48 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:899:10
#10 0x5600cbfcdee5 in Process(JSContext*, char const*, bool, FileKind) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:1459:14
#11 0x5600cbf03f88 in ProcessArgs(JSContext*, js::cli::OptionParser*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10234:10
#12 0x5600cbf03f88 in Shell(JSContext*, js::cli::OptionParser*, char**) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10828
#13 0x5600cbf03f88 in main /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:11479
#14 0x7fdff4bd982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#15 0x5600cbdbb9e8 in _start (/root/analysis/gecko/js3+0x6649e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3711:5 in Crash(JSContext*, unsigned int, JS::Value*)
==103405==ABORTING

Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Attachment #9183152 - Attachment filename: 7 → 7.js
Attachment #9183152 - Attachment mime type: audio/x-mod → text/javascript
    var MGpC = crash();

This is behaving as expected and is not a security risk. crash() is not exposed to web scripts.

To avoid functions like this, try running the JS engine with --fuzzing-safe.

Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
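Added triage helper, not part of this bug or of the SpiderMonkey tree: it parses the AddressSanitizer frames quoted above and flags a report whose faulting frame (#0) lives under js/src/shell/ as a shell-only testing intrinsic such as crash(), which web content cannot reach. The path heuristic, the function names and the constructed counter-example are assumptions of this example.

```python
import re

# Constructed sample: the opening frames of the AddressSanitizer report in this bug.
SAMPLE_REPORT = """\
==103405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5600cbfc2a58 bp 0x7ffc934fdb10 sp 0x7ffc934fd940 T0)
==103405==The signal is caused by a WRITE memory access.
==103405==Hint: address points to the zero page.
    #0 0x5600cbfc2a57 in Crash(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3711:5
    #1 0x5600cc3b4dbf in CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
    #2 0x5600cc3b4dbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
"""

# Constructed counter-example (not a real crash): same layout, fault inside the engine proper.
ENGINE_REPORT = """\
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008
    #0 0x0000deadbeef in js::CallFromStack(JSContext*, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:621:10
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)$")


def parse_frames(report):
    """Return [(index, function, source_path)] for every '#N 0x... in ...' line."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        rest = m.group(2).rstrip()
        # The C++ signature may contain spaces; the location is always the last token.
        parts = rest.rsplit(None, 1)
        func, loc = (parts[0], parts[1]) if len(parts) == 2 else (rest, "")
        path = loc.split(":")[0]  # drop the trailing ':line:col'
        frames.append((int(m.group(1)), func, path))
    return frames


def classify(report):
    """'shell-only-test-function' when frame #0 is in the js shell's own source
    (js/src/shell/), i.e. a testing intrinsic like crash() that is not exposed
    to web scripts; 'needs-review' for any other faulting frame."""
    frames = parse_frames(report)
    if not frames or frames[0][0] != 0:
        return "unparsed"
    _, _func, path = frames[0]
    if "/js/src/shell/" in path:
        return "shell-only-test-function"
    return "needs-review"
```

A report classified as shell-only should be re-run with --fuzzing-safe, as the triage comment suggests, before any further review.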