Closed Bug 1811208 Opened 2 years ago Closed 2 years ago

Assertion failure: cx->compartment() == obj->compartment(), at js/src/vm/NativeObject-inl.h:704

Categories: Core :: JavaScript Engine (task)


RESOLVED DUPLICATE of bug 1810711

People: Reporter: saelo, Unassigned

Attachments (1 file): crash.js (42.03 KB, text/javascript)

The attached sample triggers an assertion failure in SpiderMonkey debug builds from current HEAD. Here is the backtrace from gdb:

#0  0x0000555557a07a4d in js::NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> (cx=0x7ffff772d100, obj=..., id=..., propp=0x7fffffff06c8) at js/src/vm/NativeObject-inl.h:704
#1  0x0000555557a0d28e in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff772d100, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2176
#2  0x0000555557a0d195 in js::NativeGetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2224
#3  0x00005555575728ba in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ObjectOperations-inl.h:118
#4  0x0000555557597f25 in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., name=0x228daa729fa0, vp=...) at js/src/vm/ObjectOperations-inl.h:125
#5  0x0000555557597e2f in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., name=0x228daa729fa0, vp=...) at js/src/vm/ObjectOperations-inl.h:139
#6  0x0000555557eac029 in GetProxyTrap (cx=0x7ffff772d100, handler=..., name=..., func=...) at js/src/proxy/ScriptedProxyHandler.cpp:185
#7  0x0000555557eabb35 in js::ScriptedProxyHandler::getPrototype (this=0x5555596ef900 <js::ScriptedProxyHandler::singleton>, cx=0x7ffff772d100, proxy=..., protop=...) at js/src/proxy/ScriptedProxyHandler.cpp:232
#8  0x0000555557ea7b22 in js::Proxy::getPrototype (cx=0x7ffff772d100, proxy=..., proto=...) at js/src/proxy/Proxy.cpp:297
#9  0x00005555578e560d in js::GetPrototype (cx=0x7ffff772d100, obj=..., protop=...) at js/src/vm/ObjectOperations-inl.h:50
#10 0x00005555578bf6c1 in FindErrorInstanceOrPrototype (cx=0x7ffff772d100, obj=..., result=...) at js/src/vm/ErrorObject.cpp:626
#11 0x00005555578bf080 in js::ErrorObject::getStack_impl (cx=0x7ffff772d100, args=...) at js/src/vm/ErrorObject.cpp:664
#12 0x00005555578bef30 in JS::CallNonGenericMethod<&(IsObject(JS::Handle<JS::Value>)), &js::ErrorObject::getStack_impl> (cx=0x7ffff772d100, args=...) at obj-debug/dist/include/js/CallNonGenericMethod.h:103
#13 0x00005555578bee9c in js::ErrorObject::getStack (cx=0x7ffff772d100, argc=0, vp=0x7fffffff12c8) at js/src/vm/ErrorObject.cpp:656
#14 0x00005555576ea83c in CallJSNative (cx=0x7ffff772d100, native=0x5555578bee50 <js::ErrorObject::getStack(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Getter, args=...) at js/src/vm/Interpreter.cpp:459
#15 0x00005555576d8b03 in js::InternalCallOrConstruct (cx=0x7ffff772d100, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Getter) at js/src/vm/Interpreter.cpp:547
#16 0x00005555576d9289 in InternalCall (cx=0x7ffff772d100, args=..., reason=js::CallReason::Getter) at js/src/vm/Interpreter.cpp:614
#17 0x00005555576d9439 in js::Call (cx=0x7ffff772d100, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Getter) at js/src/vm/Interpreter.cpp:646
#18 0x00005555576da1c7 in js::CallGetter (cx=0x7ffff772d100, thisv=..., getter=..., rval=...) at js/src/vm/Interpreter.cpp:768
#19 0x0000555557a16d7a in CallGetter (cx=0x7ffff772d100, obj=..., receiver=..., id=..., prop=..., vp=...) at js/src/vm/NativeObject.cpp:2017
#20 0x0000555557a0cc47 in GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff772d100, receiver=..., obj=..., id=..., prop=..., vp=...) at js/src/vm/NativeObject.cpp:2045
#21 0x0000555557a0d42e in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff772d100, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2193
#22 0x0000555557a0d195 in js::NativeGetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2224
#23 0x00005555575728ba in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ObjectOperations-inl.h:118
#24 0x0000555557eb5fa3 in js::ForwardingProxyHandler::get (this=0x5555596ef1e0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff772d100, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Wrapper.cpp:147
#25 0x0000555557e9185e in js::CrossCompartmentWrapper::get (this=0x5555596ef1e0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff772d100, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:179
#26 0x0000555557ebac42 in js::Proxy::getInternal (cx=0x7ffff772d100, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:497
#27 0x0000555557ea8b6a in js::Proxy::get (cx=0x7ffff772d100, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:505
#28 0x0000555557572864 in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ObjectOperations-inl.h:115
#29 0x0000555557eb1ba8 in js::ScriptedProxyHandler::get (this=0x5555596ef900 <js::ScriptedProxyHandler::singleton>, cx=0x7ffff772d100, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/ScriptedProxyHandler.cpp:1134
#30 0x0000555557ebac42 in js::Proxy::getInternal (cx=0x7ffff772d100, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:497
#31 0x0000555557ea8b6a in js::Proxy::get (cx=0x7ffff772d100, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:505
#32 0x0000555557572864 in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ObjectOperations-inl.h:115
#33 0x0000555557eb5fa3 in js::ForwardingProxyHandler::get (this=0x5555596ef1e0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff772d100, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Wrapper.cpp:147
#34 0x0000555557e9185e in js::CrossCompartmentWrapper::get (this=0x5555596ef1e0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff772d100, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:179
#35 0x0000555557ebac42 in js::Proxy::getInternal (cx=0x7ffff772d100, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:497
#36 0x0000555557ea8b6a in js::Proxy::get (cx=0x7ffff772d100, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:505
#37 0x0000555557572864 in js::GetProperty (cx=0x7ffff772d100, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ObjectOperations-inl.h:115
#38 0x0000555558520844 in js::GetObjectElementOperation (cx=0x7ffff772d100, op=JSOp::GetElem, obj=..., receiver=..., key=..., res=...) at js/src/vm/Interpreter-inl.h:417
#39 0x00005555585359e8 in js::GetElementOperationWithStackIndex (cx=0x7ffff772d100, lref=..., lrefIndex=1, rref=..., res=...) at js/src/vm/Interpreter-inl.h:514
#40 0x000055555851ffb7 in js::GetElementOperation (cx=0x7ffff772d100, lref=..., rref=..., res=...) at js/src/vm/Interpreter-inl.h:522
#41 0x000055555851faed in js::jit::DoGetElemFallback (cx=0x7ffff772d100, frame=0x7fffffff2888, stub=0x7ffff5697668, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:653
#42 0x000002d8b61041e4 in ?? ()
#43 0x0000008800000012 in ?? ()
#44 0x00007fffffff2828 in ?? ()
#45 0x00007fffffff2860 in ?? ()
#46 0xfff9800000000000 in ?? ()
#47 0x000055555971f860 in js::jit::tailCallVMFunctions ()
...

The sample could unfortunately not be properly minimized by Fuzzilli as it crashed during "exploration" (https://github.com/googleprojectzero/fuzzilli/blob/main/Sources/Fuzzilli/Mutators/ExplorationMutator.swift). The "real" testcase is at the bottom of the file (starting at Proxy.sameZoneAs = this;); the part above it is the exploration logic. It seems that some operation performed during exploration (which will, for example, enumerate fields of objects) caused the crash.

I'm not sure if this assertion has any security implications, so I'm filing this as a security issue as a precaution.

Group: core-security → javascript-core-security

This might be a duplicate of bug 1810711.

Flags: needinfo?(iireland)

I confirm that the patch for bug 1810711 also fixes this failure.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-25735
Flags: needinfo?(iireland)
Resolution: --- → DUPLICATE
Group: javascript-core-security
