Closed Bug 1773266 (CVE-2022-38475) Opened 2 years ago Closed 2 years ago

Assertion failure: count.as<int32_t>() > 0, at jit/CodeGenerator.cpp:11916

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
104 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][adv-main104+r])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 20220604-490469b53dbe (debug build, run with --fuzzing-safe --no-threads --fast-warmup --ion-inlining=off):

name = re;        // `re` is hoisted by `var` but not yet assigned, so name === undefined
var re = {};
function inner() {
  // undefined & 1 === 0, so this is slice(arguments, 1, 0): begin is past end, count is 0
  return Array.prototype.slice.call(arguments, 1, name & 1)
}
function outer3() {
  trialInline();        // SpiderMonkey shell testing function that triggers trial inlining
  return inner(1, 2, 3) // three actual arguments, yet the slice result is empty
}
for (var i60 = 0; i60 < 50; i60++) // warm up until Ion compiles the script
  outer3();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557a3f9da in js::jit::CodeGenerator::visitInlineArgumentsSlice(js::jit::LInlineArgumentsSlice*) ()
#1  0x0000555557a1f0c6 in js::jit::CodeGenerator::generateBody() ()
#2  0x0000555557a69366 in js::jit::CodeGenerator::generate() ()
#3  0x0000555557aa1eab in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) ()
#4  0x0000555557aa2128 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#5  0x0000555557aa349d in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#6  0x0000555557aa3fbe in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#7  0x000032f4d5a6ddc5 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax	0x55555576ea4e	93824994437710
rbx	0x3	3
rcx	0x5555581e8838	93825038977080
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb430	140737488335920
rsp	0x7fffffffb330	140737488335664
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb3d0	140737488335824
r13	0x7ffff6028c00	140737320750080
r14	0x7ffff6028000	140737320747008
r15	0x1	1
rip	0x555557a3f9da <js::jit::CodeGenerator::visitInlineArgumentsSlice(js::jit::LInlineArgumentsSlice*)+490>
=> 0x555557a3f9da <_ZN2js3jit13CodeGenerator25visitInlineArgumentsSliceEPNS0_21LInlineArgumentsSliceE+490>:	movl   $0x2e8c,0x0
   0x555557a3f9e5 <_ZN2js3jit13CodeGenerator25visitInlineArgumentsSliceEPNS0_21LInlineArgumentsSliceE+501>:	callq  0x555556be1628 <abort>

JIT-related assert, marking s-s until triaged.

Attached file Testcase

NI anba because this is likely a recent regression from changes in this area.

Flags: needinfo?(andrebargull)

Yes, this is a regression from bug 1765397.

This bug can lead to writing a value at NativeObject::elements[0] in a zero-length array (NewDenseFullyAllocatedArray(cx, 0)). This shouldn't be exploitable, because GuessArrayGCKind returns gc::AllocKind::OBJECT8 when the array length is zero, which means NativeObject::elements[0] isn't unallocated memory.

Flags: needinfo?(andrebargull)

Don't assume non-zero number of actual arguments means count must be larger than zero.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
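The invariant the fix removes, as an added example (not code from the bug report, the patch, or SpiderMonkey): a spec-style model of how Array.prototype.slice clamps its start and end arguments, plus a differential check of that model against the engine's own slice. It shows that a non-zero number of actual arguments does not imply a non-zero slice count, since begin can already be at or past end. The function names (sliceRange, matchesEngine, selfCheck, sliceLikeTestcase) and the case list are mine and are not from the page.

```javascript
// Added example (not from the bug report): a spec-style model of how
// Array.prototype.slice clamps its start/end arguments, used to show why
// "actual argument count != 0" does not imply "slice count > 0", the
// invariant the inlined slice-on-arguments path wrongly asserted.

// ECMA-262 ToIntegerOrInfinity: NaN -> 0, otherwise truncate toward zero
// (-0 normalized to +0 so index arithmetic stays clean).
function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  const t = Math.trunc(n);
  return t === 0 ? 0 : t;
}

// Clamp a relative index into [0, len]; negative values count from the end.
function clampIndex(rel, len) {
  return rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
}

// Returns {begin, count}: the range slice(start, end) copies from an
// array-like of length len. count can be 0 even when len > 0 and begin < len.
function sliceRange(len, start, end) {
  const begin = clampIndex(toIntegerOrInfinity(start), len);
  const fin = end === undefined ? len : clampIndex(toIntegerOrInfinity(end), len);
  return { begin, count: Math.max(fin - begin, 0) };
}

// Mirror of the testcase's inner(): `undefined & 1` is 0, so this is
// slice(arguments, 1, 0) with three actual arguments and an empty result.
function sliceLikeTestcase() {
  return Array.prototype.slice.call(arguments, 1, undefined & 1);
}

// Differential check: does the engine's slice agree with the model?
function matchesEngine(len, start, end) {
  const arr = Array.from({ length: len }, (_, i) => i);
  const got = end === undefined ? arr.slice(start) : arr.slice(start, end);
  const { begin, count } = sliceRange(len, start, end);
  const want = [];
  for (let i = 0; i < count; i++) want.push(arr[begin + i]);
  return JSON.stringify(got) === JSON.stringify(want);
}

// Constructed edge cases of the kind a fuzzer hits; true if model and engine agree.
function selfCheck() {
  const cases = [
    [3, 1, 0],          // the bug's shape: begin past end, count 0
    [3, 1, undefined],  // end omitted
    [3, -1, undefined], // negative start
    [3, 1, -1],         // negative end
    [3, 5, 10],         // both past the end
    [3, {}, 1],         // object start -> NaN -> 0
    [3, "2", Infinity], // string start, infinite end
    [0, 0, 0],          // empty source
  ];
  return cases.every(([len, s, e]) => matchesEngine(len, s, e));
}
```

The point of selfCheck() is the same one the fuzzer's testcase makes: any fast path for slice that is specialised on the caller's argument count still has to handle count === 0, because the clamped range, not the argument count, decides how many elements are copied.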

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220608160129-fab53b92a95d.
The bug appears to have been introduced in the following build range:

Start: e64a440f0c8b9f2cd539929c77e611d2de49c6e2 (20220421083230)
End: 201252c849f427b49422fffea6ca65e36cdade1d (20220421084833)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e64a440f0c8b9f2cd539929c77e611d2de49c6e2&tochange=201252c849f427b49422fffea6ca65e36cdade1d

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Has Regression Range: --- → yes
Blocks: sm-opt-jits
Severity: -- → S4
Priority: -- → P1

Set release status flags based on info from the regressing bug 1765397

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220718184409-e8822bdecf78.

Status: RESOLVED → VERIFIED
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][adv-main104+r]
Attached file advisory.txt
Alias: CVE-2022-38475
Group: core-security-release
Assignee: andrebargull → nobody
Keywords: bugmon