Bug 1687243 (Closed)
Opened 4 years ago
Closed 4 years ago
Assertion failure: byteLength <= TypedArrayObject::maxByteLength(), at vm/StructuredClone.cpp:2243
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: 86 Branch
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox84 | --- | unaffected |
| firefox85 | --- | unaffected |
| firefox86 | --- | fixed |
People: Reporter: decoder, Assigned: jandem
Details: 4 keywords
Attachments: 2 files
The attached testcase crashes on mozilla-central revision 20210117-8539666101ed (build with --enable-debug --enable-fuzzing --enable-tests, run with FUZZER=StructuredCloneReader ./fuzz-tests test.bin).
Backtrace:
==95==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x563677ce358a bp 0x7ffefaffc5b0 sp 0x7ffefaffc2e0 T0)
==95==The signal is caused by a WRITE memory access.
==95==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x563677ce358a in JSStructuredCloneReader::readTypedArray(unsigned int, unsigned long, JS::MutableHandle<JS::Value>, bool) js/src/vm/StructuredClone.cpp:2243:3
#1 0x563677ce4364 in JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>, js::gc::InitialHeap) js/src/vm/StructuredClone.cpp:2736:14
#2 0x563677ccdfab in JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>) js/src/vm/StructuredClone.cpp:3233:8
#3 0x563677ccd7f8 in ReadStructuredClone(JSContext*, JSStructuredCloneData const&, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) js/src/vm/StructuredClone.cpp:703:12
#4 0x563677cee02e in JS_ReadStructuredClone(JSContext*, JSStructuredCloneData const&, unsigned int, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) js/src/vm/StructuredClone.cpp:3379:10
#5 0x563677aa440a in testStructuredCloneReaderFuzz(unsigned char const*, unsigned long) js/src/fuzz-tests/testStructuredCloneReader.cpp:59:8
[...]
This seems to be a release assert, so there is no immediate danger with respect to the range check. However, since this is in structured clone, I'm marking this s-s anyway until investigated, since there might be other problems at work if we end up in this state and structured clone is a very central/critical component.
Comment 1 • Reporter • 4 years ago

Comment 3 • Assignee • 4 years ago
We can't assume the data is valid, it breaks fuzzing. Also add some tests to ensure
huge 64-bit values are caught early and aren't truncated on 32-bit platforms.
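The fix description above makes two points a reader of untrusted clone data has to get right: it must reject bad input rather than assert on it, and a 64-bit length must be range-checked before it is narrowed to the platform's size type, otherwise a huge value can wrap to a small one on 32-bit builds. The C++ below is an added illustration of that pattern and is not SpiderMonkey's code or the patch from this bug: it places a reader that narrows before checking (the hazard the new tests guard against) beside a hardened reader that compares the full 64-bit value against a cap first. The cap value, the 8-byte little-endian field layout, the `ReadStatus` enum and every function name are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical cap standing in for TypedArrayObject::maxByteLength(); the
// value is chosen for this example, not taken from SpiderMonkey.
constexpr uint64_t kMaxByteLength = uint64_t(1) << 31;

// Simulated 32-bit size_t so the narrowing hazard shows on any host.
using SizeT32 = uint32_t;

enum class ReadStatus { Ok, ShortInput, TooLarge };

// Reads an 8-byte little-endian length field from untrusted clone data.
static bool readU64(const uint8_t* data, size_t len, uint64_t* out) {
  if (len < sizeof(uint64_t)) return false;
  uint64_t v = 0;
  for (size_t i = 0; i < 8; i++) v |= uint64_t(data[i]) << (8 * i);
  *out = v;
  return true;
}

// Hazardous shape: narrow to the platform size type first, then range-check.
// On a 32-bit size type 0x1'0000'0010 becomes 16 and passes the check.
ReadStatus readLengthNarrowFirst(const uint8_t* data, size_t len, SizeT32* out) {
  uint64_t raw;
  if (!readU64(data, len, &raw)) return ReadStatus::ShortInput;
  SizeT32 narrowed = SizeT32(raw);                             // silent truncation
  if (narrowed > kMaxByteLength) return ReadStatus::TooLarge;  // checked too late
  *out = narrowed;
  return ReadStatus::Ok;
}

// Hardened shape: compare the full 64-bit value against the cap before
// narrowing, and report an error instead of asserting on untrusted input.
ReadStatus readLengthChecked(const uint8_t* data, size_t len, SizeT32* out) {
  uint64_t raw;
  if (!readU64(data, len, &raw)) return ReadStatus::ShortInput;
  if (raw > kMaxByteLength) return ReadStatus::TooLarge;       // checked at 64 bits
  *out = SizeT32(raw);                                         // fits: raw <= cap
  return ReadStatus::Ok;
}

// Constructed 8-byte little-endian header carrying the length value v.
std::vector<uint8_t> encodeLength(uint64_t v) {
  std::vector<uint8_t> buf(8);
  for (size_t i = 0; i < 8; i++) buf[i] = uint8_t(v >> (8 * i));
  return buf;
}

// Encode v, run the chosen reader, and return its status; *outLen receives
// the accepted length, or 0 when the input was rejected.
ReadStatus decodeLength(uint64_t v, bool hardened, SizeT32* outLen) {
  std::vector<uint8_t> buf = encodeLength(v);
  SizeT32 n = 0;
  ReadStatus st = hardened ? readLengthChecked(buf.data(), buf.size(), &n)
                           : readLengthNarrowFirst(buf.data(), buf.size(), &n);
  if (outLen) *outLen = (st == ReadStatus::Ok) ? n : 0;
  return st;
}

// Length the chosen reader accepted for v, or 0 if it rejected the input.
SizeT32 acceptedLength(uint64_t v, bool hardened) {
  SizeT32 n = 0;
  decodeLength(v, hardened, &n);
  return n;
}

int main() {
  const uint64_t huge = (uint64_t(1) << 32) | 16;  // constructed: 0x1'0000'0010
  std::printf("narrow-first reader accepts %llu as %u\n",
              (unsigned long long)huge, acceptedLength(huge, false));
  std::printf("checked reader status for the same value: %d (2 = TooLarge)\n",
              int(decodeLength(huge, true, nullptr)));
  return 0;
}
```

The point of `readLengthChecked` is that the comparison happens on the type the wire format actually carries; once a value has been cast to the narrower type, no later check can tell a genuine 16 from a wrapped 0x1'0000'0010. The same reasoning applies to any size, count or offset field read from serialized data, which is why the fix adds tests for exactly this boundary.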
Updated • 4 years ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Updated • 4 years ago
Attachment #9197909 - Attachment description: Bug 1687243 - Remove invalid assertion from readTypedArray. r?sfink! → Bug 1687243 - Fix invalid assertion in readTypedArray. r?sfink!
Updated • Assignee • 4 years ago
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6400d76790f4
Fix invalid assertion in readTypedArray. r=sfink
Comment 5 • bugherder • 4 years ago
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Updated • 4 years ago
status-firefox84: --- → unaffected
status-firefox85: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: in-testsuite+