Closed Bug 1863391 Opened 2 years ago Closed 2 years ago

Assertion failure: CurrentThreadCanAccessRuntime(cell->runtimeFromAnyThread()) || CurrentThreadIsPerformingGC(), at gc/StableCellHasher-inl.h:29

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- unaffected
firefox121 --- fixed

People

(Reporter: decoder, Assigned: allstars.chh)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 20231106-925231a8fb5e (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker(`
  a = new WeakMap
  b = Symbol
  a.set(b)            // key: the Symbol constructor, value: undefined
  c = b.hasInstance;  // Symbol.hasInstance, a well-known symbol not owned by the worker's runtime
  a.get(c)            // the WeakMap lookup hashes that key and trips the assertion in StableCellHasher
`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557225428 in js::gc::MaybeGetUniqueId(js::gc::Cell*, unsigned long*) ()
#1  0x00005555575ee6ae in mozilla::detail::HashTable<mozilla::HashMapEntry<js::HeapPtr<JS::Value>, js::HeapPtr<JS::Value> >, mozilla::HashMap<js::HeapPtr<JS::Value>, js::HeapPtr<JS::Value>, js::StableCellHasher<js::HeapPtr<JS::Value> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::MapHashPolicy, js::TrackedAllocPolicy<(js::TrackingKind)1> >::readonlyThreadsafeLookup(JS::Value const&) const ()
#2  0x00005555575947ef in js::WeakMap<js::HeapPtr<JS::Value>, js::HeapPtr<JS::Value> >::lookup(JS::Value const&) const ()
#3  0x00005555575eeb19 in js::WeakMapObject::get_impl(JSContext*, JS::CallArgs const&) ()
#4  0x0000555557593068 in js::WeakMapObject::get(JSContext*, unsigned int, JS::Value*) ()
#5  0x000055555706b245 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#6  0x000055555706a81e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#7  0x000055555707bc0b in js::Interpret(JSContext*, js::RunState&) ()
#8  0x0000555557069d8f in js::RunScript(JSContext*, js::RunState&) ()
#9  0x000055555706d94b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#10 0x000055555706df50 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#11 0x00005555571d2b22 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#12 0x00005555571d28c8 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556ee8588 in WorkerMain(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >) ()
#14 0x0000555556ee8bda in js::detail::ThreadTrampoline<void (&)(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >), mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> > >::Start(void*) ()
#15 0x0000555556f350bd in set_alt_signal_stack_and_start(PthreadCreateParams*) ()
#16 0x00007ffff7bc16ba in start_thread (arg=0x7ffff4667700) at pthread_create.c:333
#17 0x00007ffff6e4641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x555555839ac0	93824995269312
rbx	0x7ffff4666328	140737293738792
rcx	0x55555898edc8	93825046998472
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffff4666310	140737293738768
rsp	0x7ffff46662e0	140737293738720
r8	0x7ffff7105770	140737338431344
r9	0x7ffff4667700	140737293743872
r10	0x2	2
r11	0x0	0
r12	0x555557592f80	93825026043776
r13	0x1fcaaeb29858	34955374794840
r14	0x9e18c03b090	10864321343632
r15	0x9e18c000000	10864321101824
rip	0x555557225428 <js::gc::MaybeGetUniqueId(js::gc::Cell*, unsigned long*)+504>
=> 0x555557225428 <_ZN2js2gc16MaybeGetUniqueIdEPNS0_4CellEPm+504>:	movl   $0x1d,0x0
   0x555557225433 <_ZN2js2gc16MaybeGetUniqueIdEPNS0_4CellEPm+515>:	callq  0x555556f349c0 <abort>

This is a fuzzblocker, happening with high frequency. Also marking s-s because I don't know the impact of this GC assert.

Attached file Testcase

Possible regression from bug 1828144.

Flags: needinfo?(allstars.chh)

Unable to reproduce bug 1863391 using build mozilla-central 20231106094018-925231a8fb5e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Duplicate of this bug: 1863447
Assignee: nobody → allstars.chh
Flags: needinfo?(allstars.chh)
Regressed by: 1828144

Set release status flags based on info from the regressing bug 1828144

Severity: -- → S3
Priority: -- → P1
Attachment #9362392 - Attachment description: Bug 1863391 - Relax the assertions when accessing uniqueIds. → Bug 1863391 - Use Symbol::hash to get hashes.

An actual collision looks racy, but maybe this could be sec-high? As a fuzzblocker clearly it will be easy for other people to find if it does turn out to be exploitable.

Keywords: sec-high

Comment on attachment 9362392 [details]
Bug 1863391 - Use Symbol::hash to get hashes.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Difficult. This patch is trying to get the hash number from the Symbol directly to get the entry in HashMap.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: No
  • If not all supported branches, which bug introduced the flaw?: Bug 1828144
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Other branches won't have any risk as this bug is introduced in Bug 1828144.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely, this patch only gets the hash number from the Symbols.
    The test is provided in a separate commit.
  • Is Android affected?: Yes
Attachment #9362392 - Flags: sec-approval?
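To make the mechanism behind the patch concrete, here is a small self-contained C++ model added by the editor. It is not SpiderMonkey code and not the patch from attachment 9362392; it only borrows the names from the assertion (runtimeFromAnyThread, CurrentThreadCanAccessRuntime, MaybeGetUniqueId, StableCellHasher, Symbol::hash). The Runtime, Cell and Symbol structs, the integer stand-in for thread identity, and the constructed "Symbol.hasInstance" value are all assumptions of the model, chosen so it runs with no engine and no real threads.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <unordered_map>

// Stand-in for thread identity so the model runs deterministically without
// real threads: 0 is the "main" thread that owns the runtime, 1 is the worker.
static int g_currentThread = 0;

struct Runtime;

// A GC cell records the runtime that allocated it (cf. runtimeFromAnyThread()).
struct Cell {
    Runtime* runtime;
    explicit Cell(Runtime* rt) : runtime(rt) {}
    virtual ~Cell() = default;
};

// Unique ids are handed out lazily from a runtime-owned table. Touching that
// table is only safe on the thread that owns the runtime, which is what the
// CurrentThreadCanAccessRuntime() half of the assertion guards.
struct Runtime {
    int ownerThread;
    std::unordered_map<const Cell*, uint64_t> uniqueIds;
    uint64_t nextId = 1;
    explicit Runtime(int owner) : ownerThread(owner) {}
};

// A symbol stores a hash computed once at creation inside the cell itself, so
// reading it needs no runtime state at all (the property the fix relies on).
struct Symbol : Cell {
    uint64_t hash;
    Symbol(Runtime* rt, const std::string& description)
        : Cell(rt), hash(std::hash<std::string>{}(description)) {}
};

bool currentThreadCanAccessRuntime(const Runtime* rt) {
    return rt->ownerThread == g_currentThread;
}

// Lazily assigns and returns the cell's unique id. Where the engine asserts
// and aborts, this model returns false so the violation can be observed.
bool maybeGetUniqueId(Cell* cell, uint64_t* idOut) {
    if (!currentThreadCanAccessRuntime(cell->runtime)) {
        return false;  // this is the point the assertion in the bug fires
    }
    auto& table = cell->runtime->uniqueIds;
    auto it = table.find(cell);
    if (it == table.end()) {
        it = table.emplace(cell, cell->runtime->nextId++).first;
    }
    *idOut = it->second;
    return true;
}

// The hasher after the fix: symbols use their intrinsic hash, other cells
// still go through the unique-id table.
bool stableCellHash(Cell* cell, uint64_t* hashOut) {
    if (Symbol* sym = dynamic_cast<Symbol*>(cell)) {
        *hashOut = sym->hash;
        return true;
    }
    return maybeGetUniqueId(cell, hashOut);
}

struct CrossThreadResult {
    bool symbolHashed;     // hashing the shared symbol from the worker succeeded
    bool plainCellHashed;  // hashing a non-symbol cell from the worker succeeded
};

// Mirrors the testcase: the runtime is owned by thread 0, the WeakMap lookup
// runs on worker thread 1 with a symbol (and, for contrast, a plain cell)
// that belongs to thread 0's runtime.
CrossThreadResult hashFromWorkerThread() {
    Runtime mainRuntime(0);
    Symbol hasInstance(&mainRuntime, "Symbol.hasInstance");  // constructed stand-in
    Cell plain(&mainRuntime);
    uint64_t h = 0;

    g_currentThread = 1;  // switch to the worker
    CrossThreadResult r{};
    r.symbolHashed = stableCellHash(&hasInstance, &h);
    r.plainCellHashed = stableCellHash(&plain, &h);
    g_currentThread = 0;  // back to the owner
    return r;
}

// On the owning thread the unique-id path works and is stable across calls.
bool uniqueIdIsStableOnOwnerThread() {
    Runtime rt(0);
    Cell plain(&rt);
    uint64_t first = 0, second = 0;
    return maybeGetUniqueId(&plain, &first) && maybeGetUniqueId(&plain, &second) &&
           first == second;
}

int main() {
    CrossThreadResult r = hashFromWorkerThread();
    std::printf("symbol from worker: %s, plain cell from worker: %s\n",
                r.symbolHashed ? "ok" : "refused", r.plainCellHashed ? "ok" : "refused");
    return 0;
}
```

The point for a reviewer is the difference between the two paths: the unique-id lookup reads and may write a table owned by another runtime, so the assertion is the only thing standing between the worker and unsynchronized access to that runtime's GC state, and in a build where the assertion is compiled out the same lookup simply proceeds. A hash that is immutable and stored in the symbol cell itself can be read from any thread without consulting the owning runtime, which is why "use Symbol::hash" removes the thread-ownership requirement rather than merely relaxing the check.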

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:allstars.chh, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(allstars.chh)
Severity: S3 → S2
Flags: needinfo?(allstars.chh)

Comment on attachment 9362392 [details]
Bug 1863391 - Use Symbol::hash to get hashes.

Nightly-only bugs don't need sec-approval.

Attachment #9362392 - Flags: sec-approval?
Attachment #9362782 - Flags: sec-approval?

(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)

Comment on attachment 9362392 [details]
Bug 1863391 - Use Symbol::hash to get hashes.

Nightly-only bugs don't need sec-approval.

oh, that's right, thanks for the reminder, I forgot that.

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release
Duplicate of this bug: 1862459
