Closed Bug 1745391 Opened 2 years ago Closed 2 years ago

Crash [@ memset] through [@ js::TypedObject::initDefault]

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

x86
Linux
defect

Tracking


RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 --- disabled
firefox95 --- disabled
firefox96 --- disabled
firefox97 --- fixed

People

(Reporter: decoder, Assigned: rhunt)

Details

(5 keywords, Whiteboard: [bugmon:update,bisect][sec-survey][post-critsmash-triage])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20211210-026fe822049a (debug build, run with --fuzzing-safe --ion-offthread-compile=off --wasm-gc --wasm-function-references):

// Compiles and instantiates a wasm text module (wasmTextToBinary is a
// SpiderMonkey shell builtin, available with --wasm-gc --wasm-function-references).
function b(c) {
  binary = wasmTextToBinary(c);
  d = new WebAssembly.Module(binary);
  return new WebAssembly.Instance(d);
}
// array.new_default_with_rtt takes the element count from the i32 parameter.
let { createDefault } = b(`
  (module (type $a (array (mut i32)))
    (func (export "createDefault") (param i32) (result eqref)
      local.get 0
      rtt.canon $a
      array.new_default_with_rtt $a
    )
  )
`).exports;
// Negative i32 lengths are seen as huge unsigned counts on the wasm side.
for (f = 0; f > -100; f--)
  createDefault(f);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0xf7ccd39a in ?? () from /lib32/libc.so.6
#1  0x58b0da6e in js::TypedObject::initDefault() ()
#2  0x58b0dcad in js::TypedObject::createArray(JSContext*, JS::Handle<js::RttValue*>, unsigned int, js::gc::InitialHeap) ()
#3  0x58c26191 in js::wasm::Instance::arrayNew(js::wasm::Instance*, unsigned int, void*) ()
#4  0xe826bf75 in ?? ()
#5  0xe824a074 in ?? ()
#6  0xe824a0d7 in ?? ()
eax	0x0	0
ebx	0x800	2048
ecx	0x3ffc703a	1073508410
edx	0x0	0
esi	0x590a0bc0	1493830592
edi	0xf6eff000	-152047616
ebp	0xffffac68	4294945896
esp	0xffffac34	4294945844
eip	0xf7ccd39a	4157395866
=> 0xf7ccd39a:	rep stos %eax,%es:(%edi)
   0xf7ccd39c:	je     0xf7ccd3b0

This only reproduces on 32-bit for me.

Attached file Testcase
Assignee: nobody → rhunt
Status: NEW → ASSIGNED
Priority: -- → P2

Bugmon Analysis
Unable to reproduce bug 1745391 using build mozilla-central 20211210053159-026fe822049a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I'm looking at this now. The severity here should be limited as this feature is not enabled by default anywhere.

The array byte length could overflow and wrap around zero creating
an invalid array object. Drive by fix to remove error message no
longer needed.

This can only be triggered via pref'ed off code (the wasm-gc feature).
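An added illustrative example (not SpiderMonkey's code) modelling the wrap the commit message describes on a 32-bit build: the header size, element size, helper names and the size cap are assumptions chosen for the demonstration, with the testcase's negative i32 lengths reinterpreted as u32 counts.

```cpp
// Added illustrative example, not SpiderMonkey's code: models how a 32-bit
// array byte-length computation can wrap around zero, and the checked form
// that rejects the allocation instead. All constants are assumed values.
#include <cstdint>
#include <optional>

constexpr uint32_t kHeaderBytes = 8;   // assumed object header size
constexpr uint32_t kI32Bytes = 4;      // element size for (array (mut i32))

// Unchecked: mirrors the failure mode. A length of 0xFFFFFFFE (i32 -2 from
// the testcase, seen as u32) gives 0xFFFFFFF8 data bytes; adding the header
// wraps to 0, so a tiny object is allocated while the default-initialisation
// step later writes the full (huge) data length.
uint32_t uncheckedAllocBytes(uint32_t length, uint32_t elemBytes) {
  uint32_t dataBytes = length * elemBytes;   // may wrap mod 2^32
  return kHeaderBytes + dataBytes;           // may wrap again
}

// Checked: every intermediate is overflow-tested and the total is capped, so
// the data length used for initialisation can never exceed what was allocated.
std::optional<uint32_t> checkedAllocBytes(uint32_t length, uint32_t elemBytes,
                                          uint32_t maxBytes = INT32_MAX) {
  uint32_t dataBytes = 0;
  uint32_t total = 0;
  if (__builtin_mul_overflow(length, elemBytes, &dataBytes)) return std::nullopt;
  if (__builtin_add_overflow(kHeaderBytes, dataBytes, &total)) return std::nullopt;
  if (total > maxBytes) return std::nullopt;   // reject absurd sizes early
  return total;
}
```

The unchecked version returns 0 for the i32 -2 case from the testcase, which is the "wrap around zero" the fix refers to; the checked version refuses it.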

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(rhunt)
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][sec-survey]

Done.

Flags: needinfo?(rhunt)
Flags: qe-verify-
Whiteboard: [bugmon:update,bisect][sec-survey] → [bugmon:update,bisect][sec-survey][post-critsmash-triage]

:rhunt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(rhunt)
Flags: needinfo?(rhunt)
Group: core-security-release
