Closed Bug 1823384 Opened 3 years ago Closed 3 years ago

[WASM][ARM64] SEGV in js::jit::MDefinition::type

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

ARM64
Unspecified
defect

Tracking

RESOLVED DUPLICATE of bug 1823379

People

(Reporter: cz18811105578, Assigned: jseward)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(1 file)

941 bytes, text/javascript
Attached file Reproducible poc

Steps to reproduce:

The vulnerability exists in the JavaScript engine under the ARM64 architecture, so it needs to be reproduced in Gecko on ARM64. The configuration for building is as follows:

ac_add_options --enable-fuzzing
ac_add_options --enable-gczeal
ac_add_options --enable-project=js
ac_add_options --enable-optimize
ac_add_options --enable-debug

Commit: 8ed22fcd56968c95a73a6c82b42f732f01a4bdae

Actual results:

This is the full crash log of the debug build:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==15818==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000041 (pc 0x00010436d4e4 bp 0x00016d1aabb0 sp 0x00016d1aaab0 T651096)
==15818==The signal is caused by a READ memory access.
==15818==Hint: address points to the zero page.
    #0 0x10436d4e4 in EmitLoop((anonymous namespace)::FunctionCompiler&)+0x4f0 (js:arm64+0x10171d4e4) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #1 0x104326024 in EmitBodyExprs((anonymous namespace)::FunctionCompiler&)+0x2f0 (js:arm64+0x1016d6024) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #2 0x1043248fc in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*)+0xdb4 (js:arm64+0x1016d48fc) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #3 0x1042d2914 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*)+0x19c (js:arm64+0x101682914) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #4 0x1042d4870 in js::wasm::ModuleGenerator::finishFuncDefs()+0x40 (js:arm64+0x101684870) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #5 0x1042a1138 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&)+0x44c (js:arm64+0x101651138) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #6 0x1042a0bd4 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*)+0x300 (js:arm64+0x101650bd4) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #7 0x10433cf60 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)+0x21c (js:arm64+0x1016ecf60) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #8 0x102d32e90 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)+0x1a4 (js:arm64+0x1000e2e90) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #9 0x102d41f00 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+0xa4 (js:arm64+0x1000f1f00) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #10 0x102d34400 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)+0x368 (js:arm64+0x1000e4400) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #11 0x102d29c74 in Interpret(JSContext*, js::RunState&)+0x6830 (js:arm64+0x1000d9c74) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #12 0x102d23030 in js::RunScript(JSContext*, js::RunState&)+0x1e8 (js:arm64+0x1000d3030) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #13 0x102d3511c in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>)+0x288 (js:arm64+0x1000e511c) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #14 0x102d35624 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)+0x200 (js:arm64+0x1000e5624) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #15 0x102e81f58 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)+0x100 (js:arm64+0x100231f58) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #16 0x102e82160 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)+0xd8 (js:arm64+0x100232160) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #17 0x102cbcd30 in RunFile(JSContext*, char const*, __sFILE*, CompileUtf8, bool, bool)+0x450 (js:arm64+0x10006cd30) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #18 0x102cbc2ac in Process(JSContext*, char const*, bool, FileKind)+0x8a4 (js:arm64+0x10006c2ac) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #19 0x102c6088c in Shell(JSContext*, js::cli::OptionParser*)+0x115c (js:arm64+0x10001088c) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #20 0x102c5ad48 in main+0x690 (js:arm64+0x10000ad48) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00)
    #21 0x195867e4c  (<unknown module>)
    #22 0x575d7ffffffffffc  (<unknown module>)

==15818==Register values:
 x[0] = 0x0000000000000003   x[1] = 0x0000000000000000   x[2] = 0x0000000000000000   x[3] = 0x000000016d1aab20
 x[4] = 0x0000000108537d80   x[5] = 0x0000000104326020   x[6] = 0x00000001049fed00   x[7] = 0x000000016d1aaa18
 x[8] = 0x0000000000000000   x[9] = 0x0000000000000d48  x[10] = 0x0000000106422e00  x[11] = 0xff80000b00004003
x[12] = 0x0000000000000d40  x[13] = 0x1c004002003fffff  x[14] = 0x0000000000000001  x[15] = 0x00000001049ff8c4
x[16] = 0x0000000195bbfba0  x[17] = 0x000000000000020f  x[18] = 0x0000000000000000  x[19] = 0x000000016d1ab020
x[20] = 0x0000000108537b90  x[21] = 0x000000016d1ab028  x[22] = 0x0000000105c542f0  x[23] = 0x0000000000000000
x[24] = 0x0000000000000003  x[25] = 0x0000000000000000  x[26] = 0x000000016d1aafa8  x[27] = 0x0000000105d79000
x[28] = 0x0000000000000002     fp = 0x000000016d1aabb0     lr = 0x000000010436d4d4     sp = 0x000000016d1aaab0
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (js:arm64+0x10171d4e4) (BuildId: 4c4c44b255553144a1deaf01cdd3b98d32000000200000000100000000000b00) in EmitLoop((anonymous namespace)::FunctionCompiler&)+0x4f0
==15818==ABORTING

This is reported by P1umer and xmzyshypnc.
In addition, this issue may be related to issue 1823379; I haven't analyzed them in detail yet, but in order to avoid missing potential bugs, we have filed this issue as a new one.

Group: core-security → javascript-core-security
See Also: → CVE-2023-32211
Hardware: Unspecified → ARM64
Summary: [WASM] SEGV in js::jit::MDefinition::type → [WASM][ARM64] SEGV in js::jit::MDefinition::type
Assignee: nobody → jseward
Severity: -- → S3
Priority: -- → P2

We believe this is likely a dupe of bug 1823379. Will confirm that once we have a fix for that bug.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Duplicate of bug: CVE-2023-32211
Resolution: --- → DUPLICATE
Group: javascript-core-security