Closed Bug 1684825 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-buffer-overflow [@ new_<js::wasm::Stk>] with WRITE of size 4

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1675844
Tracking Status
firefox86 --- affected

People

(Reporter: decoder, Assigned: lth)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

The attached testcase crashes on mozilla-central revision 20210103-89fef9703703 (build with --enable-address-sanitizer --disable-debug, run with --no-threads --wasm-compiler=baseline test.js).

Backtrace:

==27111==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000538f0 at pc 0x560528adef28 bp 0x7ffccd6e5eb0 sp 0x7ffccd6e5ea8
WRITE of size 4 at 0x6210000538f0 thread T0
    #0 0x560528adef27 in new_<js::wasm::Stk> dist/include/mozilla/Vector.h:58:30
    #1 0x560528adef27 in infallibleEmplaceBack<js::wasm::Stk> dist/include/mozilla/Vector.h:705:5
    #2 0x560528adef27 in push<js::wasm::Stk> js/src/wasm/WasmBaselineCompile.cpp:3737:10
    #3 0x560528adef27 in pushI64 js/src/wasm/WasmBaselineCompile.cpp:4252:29
    #4 0x560528adef27 in js::wasm::BaseCompiler::emitBody() js/src/wasm/WasmBaselineCompile.cpp:14376:11
    #5 0x560528af1879 in emitFunction js/src/wasm/WasmBaselineCompile.cpp:15588:8
    #6 0x560528af1879 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmBaselineCompile.cpp:15757:12
    #7 0x560528bbff36 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:794:12
    #8 0x560528bc015d in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:844:8
    #9 0x560528bc1255 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:982:24
    #10 0x560528b13e6a in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:571:13
    #11 0x560528b12a5f in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:594:8
    #12 0x560528c21676 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1585:25
    #13 0x5605275e416f in CallJSNative js/src/vm/Interpreter.cpp:503:13
    #14 0x5605275e416f in CallJSNativeConstructor js/src/vm/Interpreter.cpp:519:8
    #15 0x5605275e416f in InternalConstruct(JSContext*, js::AnyConstructArgs const&) js/src/vm/Interpreter.cpp:691:14
    #16 0x5605275e3a83 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) js/src/vm/Interpreter.cpp:737:10
    #17 0x5605275b43e7 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3299:16
    #18 0x5605275acd1b in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:473:13
    #19 0x5605275e5b1f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:839:13
    #20 0x5605275e60dc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:871:10
    #21 0x56052786f8f3 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:424:10
    #22 0x56052786fb8d in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:457:10
    #23 0x5605273074e4 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) js/src/shell/js.cpp:982:10
    #24 0x560527306249 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp:1573:14
    #25 0x560527275912 in ProcessArgs js/src/shell/js.cpp:10378:10
    #26 0x560527275912 in Shell js/src/shell/js.cpp:11119:10
    #27 0x560527275912 in main js/src/shell/js.cpp:11918:12

0x6210000538f0 is located 0 bytes to the right of 4080-byte region [0x621000052900,0x6210000538f0)
allocated by thread T0 here:
    #0 0x5605272294dd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x560528b990f3 in js_arena_malloc dist/include/js/Utility.h:385:10
    #2 0x560528b990f3 in js_pod_arena_malloc<js::wasm::Stk> dist/include/js/Utility.h:593:26
    #3 0x560528b990f3 in maybe_pod_arena_malloc<js::wasm::Stk> dist/include/js/AllocPolicy.h:31:12
    #4 0x560528b990f3 in pod_arena_malloc<js::wasm::Stk> dist/include/js/AllocPolicy.h:44:12
    #5 0x560528b990f3 in pod_malloc<js::wasm::Stk> dist/include/js/AllocPolicy.h:70:12
    #6 0x560528b990f3 in mozilla::Vector<js::wasm::Stk, 0ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) dist/include/mozilla/Vector.h:927:30
    #7 0x560528af12c9 in reserve dist/include/mozilla/Vector.h:1069:9
    #8 0x560528af12c9 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmBaselineCompile.cpp:15732:12
    #9 0x560528bbff36 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:794:12
    #10 0x560528bc015d in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:844:8
    #11 0x560528bc1255 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:982:24
    #12 0x560528b13e6a in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:571:13
    #13 0x560528b12a5f in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:594:8
    #14 0x560528c21676 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1585:25
    #15 0x5605275e416f in CallJSNative js/src/vm/Interpreter.cpp:503:13
    #16 0x5605275e416f in CallJSNativeConstructor js/src/vm/Interpreter.cpp:519:8
    #17 0x5605275e416f in InternalConstruct(JSContext*, js::AnyConstructArgs const&) js/src/vm/Interpreter.cpp:691:14
    #18 0x5605275e3a83 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) js/src/vm/Interpreter.cpp:737:10
    #19 0x5605275b43e7 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3299:16
    #20 0x5605275acd1b in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:473:13
    #21 0x5605275e5b1f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:839:13
    #22 0x5605275e60dc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:871:10
    #23 0x56052786f8f3 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:424:10
    #24 0x56052786fb8d in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:457:10
    #25 0x5605273074e4 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) js/src/shell/js.cpp:982:10
    #26 0x560527306249 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp:1573:14
    #27 0x560527275912 in ProcessArgs js/src/shell/js.cpp:10378:10
    #28 0x560527275912 in Shell js/src/shell/js.cpp:11119:10
    #29 0x560527275912 in main js/src/shell/js.cpp:11918:12

SUMMARY: AddressSanitizer: heap-buffer-overflow dist/include/mozilla/Vector.h:58:30 in new_<js::wasm::Stk>
Shadow bytes around the buggy address:
  0x0c42800026c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800026d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800026e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800026f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280002710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c4280002720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280002730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280002740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280002750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280002760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27111==ABORTING
Attached file Testcase
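The trace above pairs a single up-front `reserve` (allocation frame #7, via `convertToHeapStorage`) with an `infallibleEmplaceBack` in `BaseCompiler::push`, and the faulting write lands 0 bytes past the 4080-byte region: the reservation was exactly exhausted when the compiler pushed one more entry. The C++ below is an added model of that pattern, not SpiderMonkey code; `Stk`, `StkVector`, `StackEffect`, `maxStackDepth` and `emitWithReservation` are hypothetical stand-ins, and the `Stk` layout, the sample op sequence and the cause of the under-reservation in this bug are not taken from the page. The model's "infallible" push refuses and reports an uncovered push instead of writing past the buffer, which is what a debug-only assertion would do before it is compiled out in a `--disable-debug` build.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <vector>

// Hypothetical stand-in for js::wasm::Stk; the real layout is not on the page.
struct Stk {
  uint32_t kind;
  uint32_t payload;
};

// Minimal model of mozilla::Vector's two push paths (added example, not the real class).
class StkVector {
  Stk* buf_ = nullptr;
  size_t len_ = 0;
  size_t cap_ = 0;

 public:
  StkVector() = default;
  StkVector(const StkVector&) = delete;
  StkVector& operator=(const StkVector&) = delete;
  ~StkVector() { std::free(buf_); }

  // reserve(): one allocation sized for n elements (convertToHeapStorage in the trace).
  bool reserve(size_t n) {
    if (n <= cap_) return true;
    Stk* nb = static_cast<Stk*>(std::realloc(buf_, n * sizeof(Stk)));
    if (!nb) return false;
    buf_ = nb;
    cap_ = n;
    return true;
  }

  // Fallible push: checks capacity and grows, so it never writes out of bounds.
  bool emplaceBack(Stk v) {
    if (len_ == cap_ && !reserve(cap_ ? cap_ * 2 : 8)) return false;
    new (&buf_[len_]) Stk(v);
    ++len_;
    return true;
  }

  // "Infallible" push: the caller promises an earlier reserve() covers it.
  // In mozilla::Vector the only guard is a debug-only assertion, compiled out
  // in a --disable-debug build, so a broken promise becomes a heap write past
  // the allocation (what ASan reported). This model refuses the write instead.
  bool infallibleEmplaceBack(Stk v) {
    if (len_ >= cap_) return false;  // stand-in for a debug-only MOZ_ASSERT(len_ < cap_)
    new (&buf_[len_]) Stk(v);
    ++len_;
    return true;
  }

  bool popBack() {
    if (len_ == 0) return false;  // underflow: malformed input
    --len_;
    return true;
  }

  size_t length() const { return len_; }
  size_t capacity() const { return cap_; }
};

// Operand-stack effect of one opcode: values popped, then values pushed.
struct StackEffect {
  int pops;
  int pushes;
};

// Static bound on operand-stack depth over a straight-line op sequence.
// A reservation is only safe for the infallible path if it is >= this value.
size_t maxStackDepth(const std::vector<StackEffect>& ops) {
  long depth = 0, peak = 0;
  for (const StackEffect& e : ops) {
    depth = depth - e.pops + e.pushes;
    if (depth > peak) peak = depth;
  }
  return static_cast<size_t>(peak);
}

// Models emitBody(): reserve once for `reserved` entries, then push infallibly.
// Returns -1 if every push was covered, -2 on allocation failure, otherwise the
// index of the first op whose pop underflowed or whose push was not covered.
long emitWithReservation(size_t reserved, const std::vector<StackEffect>& ops) {
  StkVector stk;
  if (!stk.reserve(reserved)) return -2;
  for (size_t i = 0; i < ops.size(); ++i) {
    for (int p = 0; p < ops[i].pops; ++p)
      if (!stk.popBack()) return static_cast<long>(i);
    for (int p = 0; p < ops[i].pushes; ++p)
      if (!stk.infallibleEmplaceBack(Stk{0, static_cast<uint32_t>(i)})) return static_cast<long>(i);
  }
  return -1;
}

// The fallible path for contrast: n pushes with no reservation, returns final length.
size_t fallibleGrowth(size_t n) {
  StkVector stk;
  for (size_t i = 0; i < n; ++i)
    if (!stk.emplaceBack(Stk{0, static_cast<uint32_t>(i)})) return i;
  return stk.length();
}

// Constructed sample (not the attached testcase): three constants, an add, a
// block yielding two results, another constant, an add, and a 3-argument call.
const std::vector<StackEffect> kSampleBody = {
    {0, 1}, {0, 1}, {0, 1}, {2, 1}, {0, 2}, {0, 1}, {2, 1}, {3, 0},
};

int main() {
  size_t bound = maxStackDepth(kSampleBody);
  std::printf("static max depth: %zu\n", bound);
  std::printf("reserve(%zu): first uncovered op = %ld\n", bound, emitWithReservation(bound, kSampleBody));
  std::printf("reserve(%zu): first uncovered op = %ld\n", bound - 1, emitWithReservation(bound - 1, kSampleBody));
  return 0;
}
```

The check a reviewer wants from this model is the one `emitWithReservation` returns: whenever the bound fed to `reserve` is computed under a weaker assumption than the code being emitted (here, an under-count by one entry), the first push past the reservation is the exact point where the real Vector would have written past its allocation.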

Hm, that could be fallout from the multiple-values fix that landed before Christmas, I'll take a look.

Assignee: nobody → lhansen
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P1

Oh, thinking about it some more, that patch has been delayed until next week, so this could be a dup of bug 1675844.

I can repro locally, and when I apply the patch for bug 1675844 I instead error out with this message:

test.js:16:14 CompileError: at offset 188: unable to read opcode
Stack:
  @test.js:16:14

That seems OK, so I'm assuming this is a dup.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security
