Closed Bug 1711342 Opened 3 years ago Closed 3 years ago

AddressSanitizer: SEGV or MOZ_CRASH(This promise should never be rejected)

Categories

(Core :: JavaScript Engine, defect, P3)

Platform: x86_64 Linux

Tracking


RESOLVED FIXED
90 Branch
Tracking Status
firefox90 --- fixed

People

(Reporter: gkw, Assigned: jonco)

Details

(Keywords: testcase)

Attachments

(1 file)

// Testcase. At top level in the shell, __proto__ is the global object's
// prototype, i.e. Object.prototype, so this installs a "then" getter on every
// plain object. The getter throws a ReferenceError because x is not defined.
Object.defineProperty(__proto__, "then", {
    get: function () {
        x
    }
});
// The dynamic import makes the shell module loader resolve a promise with a
// plain object; looking up .then on it runs the throwing getter.
import(0);

AddressSanitizer:DEADLYSIGNAL
=================================================================
==17642==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d65165bdc0 bp 0x7fffb25ff010 sp 0x7fffb25ff010 T0)
==17642==The signal is caused by a WRITE memory access.
==17642==Hint: address points to the zero page.
    #0 0x55d65165bdc0 in js::shell::ModuleLoader::DynamicImportDelayRejected(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/shell/ModuleLoader.cpp:238:3
    #1 0x55d65186b3a3 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:427:13
    #2 0x55d65186b3a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:512:12
    #3 0x55d65186dc56 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:572:10
    #4 0x55d65186dc56 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:589:8
    #5 0x55d651cab421 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.h:106:10
    #6 0x55d651cab421 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/builtin/Promise.cpp:1905:10
    #7 0x55d65186b3a3 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:427:13
    #8 0x55d65186b3a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:512:12
    #9 0x55d65186dc56 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:572:10
    #10 0x55d65186dc56 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:589:8
    #11 0x55d65245f3f9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/jsapi.cpp:2796:10
    #12 0x55d651de17ec in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/jsapi.h:1197:10
    #13 0x55d651de17ec in js::InternalJobQueue::runJobs(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:779:14
    #14 0x55d651de091e in js::RunJobs(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:716:17
    #15 0x55d65168af85 in RunShellJobs(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1163:5
    #16 0x55d6516793a9 in Shell(JSContext*, js::cli::OptionParser*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11681:5
    #17 0x55d65166dc15 in main /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12635:12
    #18 0x7f03f78d3e39 in __libc_start_main (/lib64/libc.so.6+0x23e39)
    #19 0x55d6515a48b9 in _start (/home/skygentoo/shell-cache/js-64-asan-linux-x86_64-ef13365d8188/js-64-asan-linux-x86_64-ef13365d8188+0x178d8b9)

AddressSanitizer can not provide additional info.
(gdb) bt
#0  js::shell::ModuleLoader::DynamicImportDelayRejected (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/ModuleLoader.cpp:238
#1  0x0000555556b141f1 in CallJSNative (cx=cx@entry=0x7ffff6a26000, native=0x555556a08a60 <js::shell::ModuleLoader::DynamicImportDelayRejected(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, reason@entry=js::CallReason::Call, args=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:427
#2  0x0000555556b06e8c in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6a26000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:512
#3  0x0000555556b07bab in InternalCall (cx=cx@entry=0x7ffff6a26000, args=..., reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:572
#4  0x0000555556b07dd0 in js::Call (cx=0x7ffff7c3f9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a26000, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=..., reason=js::CallReason::Getter, reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:589
#5  0x0000555556bcfa1d in js::Call (cx=0x7ffff6a26000, fval=..., thisv=..., arg0=..., rval=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.h:106
#6  0x0000555556d47d86 in PromiseReactionJob (cx=0x7ffff7c3f9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a26000, argc=<optimized out>, vp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/builtin/Promise.cpp:1905
#7  0x0000555556b141f1 in CallJSNative (cx=cx@entry=0x7ffff6a26000, native=0x555556d46990 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, reason@entry=js::CallReason::Call, args=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:427
#8  0x0000555556b06e8c in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6a26000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:512
#9  0x0000555556b07bab in InternalCall (cx=cx@entry=0x7ffff6a26000, args=..., reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:572
#10 0x0000555556b07dd0 in js::Call (cx=0x7ffff7c3f9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6a26000, fval=..., thisv=..., args=..., rval=rval@entry=..., reason=js::CallReason::Getter, reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:589
#11 0x000055555711977b in JS::Call (cx=<optimized out>, cx@entry=0x7ffff6a26000, thisv=..., fval=..., args=..., rval=..., rval@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/jsapi.cpp:2796
#12 0x0000555556dd8546 in JS::Call (cx=0x7ffff6a26000, thisv=..., funObj=..., args=..., rval=...) at /home/skygentoo/trees/mozilla-central/js/src/jsapi.h:1197
#13 js::InternalJobQueue::runJobs (this=0x7ffff6a59700, cx=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:779
#14 0x0000555556dd7ff6 in js::RunJobs (cx=cx@entry=0x7ffff6a26000) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:716
#15 0x0000555556a1f968 in RunShellJobs (cx=cx@entry=0x7ffff6a26000) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1163
#16 0x0000555556a166d9 in Shell (cx=0x7ffff6a26000, op=<optimized out>, op@entry=0x7fffffffd750) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11681
#17 0x0000555556a0fedb in main (argc=-157130752, argv=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12635
(gdb)

Seems to go as far back as m-c rev 48f46a7eada9.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev ef13365d8188.

Not sure if this is s-s, I'd leave it to Jan as a start.

Flags: sec-bounty?
Flags: needinfo?
Flags: needinfo? → needinfo?(jdemooij)

Looks like this has to do with dynamic import, forwarding to jonco.

Flags: needinfo?(jdemooij) → needinfo?(jcoppeard)

This affects the shell module loader only, so is not security sensitive.

Assignee: nobody → jcoppeard
Severity: -- → N/A
Flags: needinfo?(jcoppeard)
Priority: -- → P3
Group: core-security
Flags: sec-bounty?

The module loader uses an object internally to keep hold of dynamic import
arguments. Currently it uses a plain object but this is problematic because the
user can affect its operation by changing Object's prototype as in this
example. The fix is to create an object with a null prototype instead.
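The mechanism described above, as an added example that is not part of the bug or of SpiderMonkey: a user-installed `then` getter on Object.prototype is visible through any plain object that engine or loader code uses internally, so resolving a promise with such an object runs Get(obj, "then"), the getter throws, and the promise is rejected instead of fulfilled. An object created with a null prototype has no `then` to find. The record shapes (`plainRecord`, `nullProtoRecord`) and the `specifier` field are assumptions for illustration, not the shell loader's real layout; the example shows the rejection, not the shell's crash in DynamicImportDelayRejected.

```javascript
// Added example (not from the bug or from SpiderMonkey): how a user-defined
// getter for Object.prototype.then reaches a plain object used internally,
// and why a null-prototype object is immune to it.

// Mimics the first step of the spec's promise resolution procedure,
// Get(resolution, "then"). A getter installed on Object.prototype runs here;
// if it throws, the promise that was meant to fulfill is rejected instead.
function probeThenable(obj) {
  let then;
  try {
    then = obj.then;
  } catch (e) {
    return "get-then-threw";
  }
  return typeof then === "function" ? "thenable" : "plain";
}

// Installs the throwing `then` getter from the testcase on Object.prototype,
// runs fn, and always removes the getter again so the pollution does not leak
// out of the demonstration.
function withPollutedThen(fn) {
  Object.defineProperty(Object.prototype, "then", {
    get() { throw new ReferenceError("x is not defined"); },
    configurable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype.then;
  }
}

// Two ways of building an internal record (hypothetical shape): a plain object
// literal, as the loader did before the fix, and a null-prototype object, as
// after the fix.
function plainRecord(specifier) {
  return { specifier };
}
function nullProtoRecord(specifier) {
  const rec = Object.create(null);
  rec.specifier = specifier;
  return rec;
}

// Probes both record kinds with and without the polluted prototype.
function demo() {
  const clean = {
    plain: probeThenable(plainRecord("0")),
    nullProto: probeThenable(nullProtoRecord("0")),
  };
  const polluted = withPollutedThen(() => ({
    plain: probeThenable(plainRecord("0")),
    nullProto: probeThenable(nullProtoRecord("0")),
  }));
  return { clean, polluted };
}

// The same thing through a real promise: calling resolve() with the record
// performs Get(record, "then") synchronously, so the outcome is decided while
// the getter is still installed. Resolves to "fulfilled" or "rejected".
function resolveWithRecord(makeRecord) {
  return withPollutedThen(() =>
    new Promise((resolve) => resolve(makeRecord("0")))
      .then(() => "fulfilled", () => "rejected")
  );
}

console.log(demo());
resolveWithRecord(plainRecord).then((r) => console.log("plain record:", r));
resolveWithRecord(nullProtoRecord).then((r) => console.log("null-proto record:", r));
```

With the getter installed, the plain record reports `get-then-threw` and the promise resolved with it is rejected, while the null-prototype record reports `plain` and fulfills; without the getter both fulfill. The general lesson is the one the fix applies: any object an engine or runtime hands to code paths that perform property lookups (promise resolution, `in` checks, option bags) must not inherit from a prototype the script can modify.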

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/68062ca46e90
Fix shell module loader to use an object with a null prototype internally to pass import information r=jandem
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch