Closed Bug 1814880 Opened 1 year ago Closed 1 year ago

Assertion failure: !chain[i]->is<GlobalObject>() && !chain[i]->is<NonSyntacticVariablesObject>(), at vm/EnvironmentObject.cpp:3328

Categories

(Core :: JavaScript Engine, defect, P2)


Tracking


RESOLVED FIXED
111 Branch
Tracking Status
firefox111 --- fixed

People

(Reporter: lukas.bernhard, Assigned: arai)

References

(Blocks 2 open bugs)

Details

(Keywords: sec-other, Whiteboard: [adv-main111-])

Attachments

(1 file)

Steps to reproduce:

On git commit a7156afbfa575f12f60b1c8bf099d547c29bcadf the attached sample triggers an assertion violation:
Assertion failure: !chain[i]->is<GlobalObject>() && !chain[i]->is<NonSyntacticVariablesObject>(), at js/src/vm/EnvironmentObject.cpp:3328
Older commits such as c7854bdaa6bfa104bb6e94a5b84ecd3d32551425 from Dec 29 2021 are affected as well.
Precautiously marking this as s-s; I didn't investigate further.

commandline:
obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

crash.js:

const v1 = new Uint8ClampedArray();
Uint32Array.envChainObject = this.evalReturningScope(v1);
this.evaluate("toLowerCase", Uint32Array);

#0  0x00005555577d2bfa in js::CreateObjectsForEnvironmentChain (cx=0x7ffff7433f00, chain=...,
    terminatingEnv=..., envObj=...) at js/src/vm/EnvironmentObject.cpp:3327
#1  0x00005555577d28c2 in js::CreateNonSyntacticEnvironmentChain (cx=0x7ffff7433f00, envChain=...,
    env=...) at js/src/vm/EnvironmentObject.cpp:880
#2  0x00005555577978d2 in ExecuteScript (cx=0x7ffff7433f00, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:479
#3  0x00005555577977de in JS_ExecuteScript (cx=0x7ffff7433f00, envChain=..., scriptArg=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:503
#4  0x0000555557368550 in Evaluate (cx=0x7ffff7433f00, argc=2, vp=0x7ffff4cfc090)
    at js/src/shell/js.cpp:2459
#5  0x000055555755d58e in CallJSNative (cx=0x7ffff7433f00,
    native=0x555557366900 <Evaluate(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call,
    args=...) at js/src/vm/Interpreter.cpp:459
#6  0x000055555755cdcd in js::InternalCallOrConstruct (cx=0x7ffff7433f00, args=...,
    construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:547
#7  0x000055555755e161 in InternalCall (cx=0x7ffff7433f00, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:614
#8  0x000055555755df25 in js::CallFromStack (cx=0x7ffff7433f00, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:619
#9  0x000055555754ec54 in Interpret (cx=0x7ffff7433f00, state=...)
    at js/src/vm/Interpreter.cpp:3362
#10 0x0000555557540d30 in js::RunScript (cx=0x7ffff7433f00, state=...)
    at js/src/vm/Interpreter.cpp:431
#11 0x000055555755fd1c in js::ExecuteKernel (cx=0x7ffff7433f00, script=..., envChainArg=...,
    evalInFrame=..., result=...) at js/src/vm/Interpreter.cpp:812
#12 0x00005555575605c5 in js::Execute (cx=0x7ffff7433f00, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:844
#13 0x00005555577975b6 in ExecuteScript (cx=0x7ffff7433f00, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:473
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

The only references to envChainObject seem to be in the JS shell, as a property expected on the option object given as argument.
So this is most likely not affecting Firefox.

Arai, maybe you would know what needs to be checked about the envChainObject that is not checked early on in the Evaluate function?

Flags: needinfo?(arai.unmht)
Severity: -- → S4
Priority: -- → P2

Likely we just want to add an extra guard here stopping NonSyntacticVariablesObjects from being passed too.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
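The guard proposed above, as an added illustration that is not SpiderMonkey code and not part of this bug: a simplified model in which object kinds are plain tags instead of JSObject::is<T>() checks. The names ModelObject, createObjectsForEnvironmentChainModel and evaluateWithEnvChainObjectModel are hypothetical. It shows the difference between the pre-fix shape (an option value flows unchecked into engine code that only has an internal assertion, the one quoted in the bug title) and the post-fix shape (the envChainObject option is validated at the API boundary and a catchable error is returned, which is what the modified evaluate_envChainObject.js jit-test expects).

```cpp
#include <optional>
#include <string>
#include <vector>

// Simplified model of the object kinds relevant here (hypothetical, not the
// engine's real Class/is<T>() machinery). Global objects and non-syntactic
// variables objects are "unqualified variables objects": they may only sit at
// the end of an environment chain, never as an intermediate link.
enum class ObjKind { Plain, Global, NonSyntacticVariables };

struct ModelObject {
  ObjKind kind;
  std::string name;

  bool isUnqualifiedVariablesObject() const {
    return kind == ObjKind::Global || kind == ObjKind::NonSyntacticVariables;
  }
};

// Pre-fix shape: this stands in for CreateObjectsForEnvironmentChain, which
// only has a debug assertion on every link of the chain. Returning false here
// models the assertion firing; in a release build the invariant would simply
// be violated and execution would continue with a malformed chain.
bool createObjectsForEnvironmentChainModel(const std::vector<ModelObject>& chain) {
  for (const auto& obj : chain) {
    if (obj.isUnqualifiedVariablesObject()) {
      return false;  // models: MOZ_ASSERT(!is<GlobalObject>() && !is<NonSyntacticVariablesObject>())
    }
  }
  return true;
}

struct EvaluateResult {
  bool ok;
  std::string error;  // empty on success; models a thrown Error otherwise
};

// Post-fix shape: the shell-level evaluate() validates the option value before
// handing it to the engine, so script-controlled input can never reach the
// internal invariant. A plain object (or no envChainObject at all) is accepted.
EvaluateResult evaluateWithEnvChainObjectModel(std::optional<ModelObject> envChainObject) {
  std::vector<ModelObject> chain;
  if (envChainObject) {
    if (envChainObject->isUnqualifiedVariablesObject()) {
      return {false, "envChainObject must not be a global or unqualified variables object"};
    }
    chain.push_back(*envChainObject);
  }
  if (!createObjectsForEnvironmentChainModel(chain)) {
    return {false, "internal invariant violated"};  // unreachable once the guard above exists
  }
  return {true, ""};
}
```

The point of the model is where the check lives: an assertion inside engine internals documents an invariant for callers that are already trusted to uphold it, whereas a value that arrives from script (here via the shell's option object) needs an explicit, error-returning check at the boundary that accepts it.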

If this doesn't affect Firefox is there another reason to keep the bug hidden?

Keywords: sec-other

No reason to keep this hidden.
This can be opened up.

Flags: needinfo?(arai.unmht)

Landed: https://hg.mozilla.org/integration/autoland/rev/3dd4a5d6bef63c1ebc00ad93a9d43c864e07d673

Backed out for failing modified js/src/jit-test/tests/environments/evaluate_envChainObject.js: https://hg.mozilla.org/integration/autoland/rev/ab1ca2678cfe79a8080924c835e86a4d94e604ab

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&selectedTaskRun=F28LzBaXQl-2--2O9uVUqg.0&resultStatus=testfailed%2Cbusted%2Cexception&searchStr=sm&revision=3dd4a5d6bef63c1ebc00ad93a9d43c864e07d673
Failure log: https://treeherder.mozilla.org/logviewer?job_id=405095365&repo=autoland

/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/environments/evaluate_envChainObject.js | /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown (code 3, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.1 s]
INFO stderr 2> /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
/builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/environments/evaluate_envChainObject.js | /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown (code 3, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.1 s]
INFO stderr 2> /builds/worker/checkouts/gecko/js/src/jit-test/lib/../../tests/non262/shell.js:149:13 Error: Assertion failed: expected exception Error, no exception thrown
Flags: needinfo?(arai.unmht)
Group: javascript-core-security
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/827af82bc925
Disallow all unqualified variables objects in envChainObject option in evaluate function. r=mgaudet
Flags: needinfo?(arai.unmht)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Regressions: 1788334
No longer regressions: 1788334
Whiteboard: [adv-main111-]