Closed Bug 1773266 (CVE-2022-38475) Opened 2 years ago Closed 2 years ago

Assertion failure: count.as<int32_t>() > 0, at jit/CodeGenerator.cpp:11916

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
104 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][adv-main104+r])

Attachments

(4 files)

Detailed Crash Information
1.86 KB, text/plain
Details
Testcase
214 bytes, text/plain
Details
Bug 1773266: Correctly handle zero count when inlining slice for inline arguments. r=iain!
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
259 bytes, text/plain
Details

The following testcase crashes on mozilla-central revision 20220604-490469b53dbe (debug build, run with --fuzzing-safe --no-threads --fast-warmup --ion-inlining=off):

name = re;
var re = {};
function inner() {
  return Array.prototype.slice.call(arguments, 1, name & 1)
}
function outer3() {
  trialInline();
  return inner(1, 2, 3)
}
for (var i60 = 0; i60 < 50; i60++)
  outer3();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557a3f9da in js::jit::CodeGenerator::visitInlineArgumentsSlice(js::jit::LInlineArgumentsSlice*) ()
#1  0x0000555557a1f0c6 in js::jit::CodeGenerator::generateBody() ()
#2  0x0000555557a69366 in js::jit::CodeGenerator::generate() ()
#3  0x0000555557aa1eab in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) ()
#4  0x0000555557aa2128 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#5  0x0000555557aa349d in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#6  0x0000555557aa3fbe in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#7  0x000032f4d5a6ddc5 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax	0x55555576ea4e	93824994437710
rbx	0x3	3
rcx	0x5555581e8838	93825038977080
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb430	140737488335920
rsp	0x7fffffffb330	140737488335664
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb3d0	140737488335824
r13	0x7ffff6028c00	140737320750080
r14	0x7ffff6028000	140737320747008
r15	0x1	1
rip	0x555557a3f9da <js::jit::CodeGenerator::visitInlineArgumentsSlice(js::jit::LInlineArgumentsSlice*)+490>
=> 0x555557a3f9da <_ZN2js3jit13CodeGenerator25visitInlineArgumentsSliceEPNS0_21LInlineArgumentsSliceE+490>:	movl   $0x2e8c,0x0
   0x555557a3f9e5 <_ZN2js3jit13CodeGenerator25visitInlineArgumentsSliceEPNS0_21LInlineArgumentsSliceE+501>:	callq  0x555556be1628 <abort>

JIT-related assert, marking s-s until triaged.

Attached file Testcase 

    
    

    
  
NI anba because this is likely a recent regression from changes in this area.


Flags: needinfo?(andrebargull)

    
    

    
  
Yes, this is a regression from bug 1765397.


This bug can lead to writing a value at NativeObject::elements[0] in a zero-length array (NewDenseFullyAllocatedArray(cx, 0)). This shouldn't be exploitable, because GuessArrayGCKind returns gc::AllocKind::OBJECT8 when the array length is zero, which means NativeObject::elements[0] isn't unallocated memory.


Flags: needinfo?(andrebargull)

    
    

    
  


  
Don't assume non-zero number of actual arguments means count must be larger than zero.


Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

    
    

    
  
Bugmon Analysis

Verified bug as reproducible on mozilla-central 20220608160129-fab53b92a95d.

The bug appears to have been introduced in the following build range:




Start: e64a440f0c8b9f2cd539929c77e611d2de49c6e2 (20220421083230)

End: 201252c849f427b49422fffea6ca65e36cdade1d (20220421084833)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e64a440f0c8b9f2cd539929c77e611d2de49c6e2&tochange=201252c849f427b49422fffea6ca65e36cdade1d




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Has Regression Range: --- → yes
Blocks: sm-opt-jits
Severity: -- → S4
Priority: -- → P1

    
    

    
  
Set release status flags based on info from the regressing bug 1765397



          status-firefox104:
          --- → affected

    
    

    
  
Correctly handle zero count when inlining slice for inline arguments. r=iain

https://hg.mozilla.org/integration/autoland/rev/46aa13de580938eed6117805519d1da94049a848

https://hg.mozilla.org/mozilla-central/rev/46aa13de5809


Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago

          status-firefox104:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

    
    

    
  
Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20220718184409-e8822bdecf78.


Status: RESOLVED → VERIFIED
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][adv-main104+r]
Alias: CVE-2022-38475
Group: core-security-release
Assignee: andrebargull → nobody
Keywords: bugmon

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: