Closed Bug 1729374 Opened 3 years ago Closed 3 years ago

Try-delegate crashes when there is a mismatch in stack height

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

defect

Tracking


RESOLVED FIXED
94 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox92 --- disabled
firefox93 --- disabled
firefox94 --- fixed

People

(Reporter: asumu, Assigned: asumu)

References

(Blocks 1 open bug)

Details

(Keywords: sec-high, Whiteboard: [sec-survey][post-critsmash-triage])

Attachments

(3 files)

Attached file crash.js

The attached test case crashes in the jit-test suite (when put in jit-test/tests/wasm/exceptions) when run with mach jit-test exceptions/crash.js:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3722052==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000078 (pc 0x3df6c24973bf bp 0x7ffe26621348 sp 0x7ffe26621348 T3722052)
==3722052==The signal is caused by a WRITE memory access.
==3722052==Hint: address points to the zero page.
    #0 0x3df6c24973bf  (<unknown module>)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (<unknown module>) 
==3722052==ABORTING
Exit code: 1
FAIL - wasm/exceptions/crash.js
[1|1|0|0]  50% ==========================>                            |   0.2s

The crash is due to Wasm's try-delegate failing to correctly reset the stack height before jumping (triggered in this test case, which forces some values onto the stack before the try-delegate).

Assignee: nobody → asumu

Depends on D124709

Priority: -- → P2

Does this need to be a security bug? The crash in comment 0 looks like a null deref.

(In reply to Andrew McCreight [:mccr8] from comment #3)

> Does this need to be a security bug? The crash in comment 0 looks like a null deref.

I think the compile bug could have some security implications as we are mishandling the stack pointer. But this wasm feature is disabled by default everywhere, so it shouldn't be triggerable by users. So I don't think this needs the security process.

Group: core-security → javascript-core-security
Keywords: sec-high
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch
Flags: in-testsuite+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(asumu)
Whiteboard: [sec-survey]

Thanks, I filled out the survey.

Flags: needinfo?(asumu)
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Group: core-security-release