Crash [@ memset] through [@ js::TypedObject::initDefault]
Categories: Core :: JavaScript: WebAssembly, defect, P2
People: Reporter: decoder, Assigned: rhunt
Details: 5 keywords, Whiteboard: [bugmon:update,bisect][sec-survey][post-critsmash-triage]
Attachments: 3 files
The following testcase crashes on mozilla-central revision 20211210-026fe822049a (debug build, run with --fuzzing-safe --ion-offthread-compile=off --wasm-gc --wasm-function-references):
function b(c) {
  binary = wasmTextToBinary(c);
  d = new WebAssembly.Module(binary);
  return new WebAssembly.Instance(d);
}
let { createDefault } = b(`
  (module (type $a (array (mut i32)))
    (func (export "createDefault") (param i32) (result eqref)
      local.get 0
      rtt.canon $a
      array.new_default_with_rtt $a
    )
  )
`).exports;
// Negative i32 values are interpreted as very large unsigned array lengths.
for (f = 0; f > -100; f--)
  createDefault(f);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0xf7ccd39a in ?? () from /lib32/libc.so.6
#1 0x58b0da6e in js::TypedObject::initDefault() ()
#2 0x58b0dcad in js::TypedObject::createArray(JSContext*, JS::Handle<js::RttValue*>, unsigned int, js::gc::InitialHeap) ()
#3 0x58c26191 in js::wasm::Instance::arrayNew(js::wasm::Instance*, unsigned int, void*) ()
#4 0xe826bf75 in ?? ()
#5 0xe824a074 in ?? ()
#6 0xe824a0d7 in ?? ()
eax 0x0 0
ebx 0x800 2048
ecx 0x3ffc703a 1073508410
edx 0x0 0
esi 0x590a0bc0 1493830592
edi 0xf6eff000 -152047616
ebp 0xffffac68 4294945896
esp 0xffffac34 4294945844
eip 0xf7ccd39a 4157395866
=> 0xf7ccd39a: rep stos %eax,%es:(%edi)
0xf7ccd39c: je 0xf7ccd3b0
This only reproduces on 32-bit for me.
Comment 1 • 2 years ago (Reporter)
Comment 2 • 2 years ago (Reporter)
Updated • 2 years ago
Comment 3 • 2 years ago
Bugmon Analysis
Unable to reproduce bug 1745391 using build mozilla-central 20211210053159-026fe822049a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated • 2 years ago
Comment 4 • 2 years ago (Assignee)
I'm looking at this now. The severity here should be limited as this feature is not enabled by default anywhere.
Comment 5 • 2 years ago (Assignee)
The array byte length could overflow and wrap around zero, creating an invalid array object. Drive-by fix to remove an error message no longer needed.
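The failure mode named above (a byte-length product that wraps modulo 2^32 on the 32-bit build, so a tiny allocation is later initialised as if it held billions of elements) is easy to model outside the engine. The following is an added illustration, not SpiderMonkey code and not the patch referenced in comment 7; `naiveArrayByteLength`, `checkedArrayByteLength` and `wasmLengthAsUnsigned` are hypothetical names, and `uint32_t` stands in for the 32-bit `size_t` of the affected build. It shows the unchecked product wrapping to a small value and the checked version rejecting the same input.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical model of the 32-bit build: byte lengths are 32 bits wide.
using ByteLen32 = uint32_t;

// Wasm array lengths arrive as i32 but are consumed as unsigned, so the
// negative values fed in by the testcase loop become huge element counts.
uint32_t wasmLengthAsUnsigned(int32_t i32) { return static_cast<uint32_t>(i32); }

// Unchecked product: numElements * elemSize is allowed to wrap, which is the
// defect described in comment 5. A wrapped value passes any "fits in memory"
// check, yet the element count is still enormous when the buffer is filled.
ByteLen32 naiveArrayByteLength(uint32_t numElements, uint32_t elemSize) {
  return numElements * elemSize;  // silently wraps modulo 2^32
}

// Checked product: widen to 64 bits, refuse anything that does not fit back
// into the 32-bit byte length. Callers must treat `false` as an allocation
// failure rather than fall through to initialisation.
bool checkedArrayByteLength(uint32_t numElements, uint32_t elemSize,
                            ByteLen32* out) {
  uint64_t wide = static_cast<uint64_t>(numElements) * elemSize;
  if (wide > std::numeric_limits<ByteLen32>::max()) {
    return false;
  }
  *out = static_cast<ByteLen32>(wide);
  return true;
}

int main() {
  // Constructed inputs: an i32 element count of 0x40000001 with 4-byte
  // elements multiplies to 0x100000004, which truncates to 4 in 32 bits.
  const uint32_t elemSize = 4;
  const uint32_t count = 0x40000001u;

  printf("naive byte length   : %u\n", naiveArrayByteLength(count, elemSize));

  ByteLen32 checked = 0;
  if (!checkedArrayByteLength(count, elemSize, &checked)) {
    printf("checked byte length : overflow rejected\n");
  }

  // The testcase's loop passes 0, -1, ..., -99 as the length.
  printf("i32 -1 as length    : %u\n", wasmLengthAsUnsigned(-1));
  return 0;
}
```

The detection-relevant lesson is in the checked path: the product must be computed in a wider type (or with a compiler overflow builtin) and the failure must abort construction before any code runs that trusts the element count.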
Comment 6 • 2 years ago (Assignee)
This can only be triggered via pref'ed-off code (the wasm-gc feature).
Comment 7 • 2 years ago
wasm: Handle overflow in array byte length calculation. r=lth
https://hg.mozilla.org/integration/autoland/rev/8166ee3abbd2157ce25cec85bb0c282c964c89a4
https://hg.mozilla.org/mozilla-central/rev/8166ee3abbd2
Updated • 2 years ago
Comment 8 • 2 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this Google form to reply.
Updated • 2 years ago
Comment 10 • 2 years ago
:rhunt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.