Closed Bug 1871605 (CVE-2024-0754) Opened 6 months ago Closed 6 months ago

Crash [@ JSObject::getClass] with WebAssembly and Debugger

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
123 Branch
Tracking Status
firefox-esr115 --- disabled
firefox121 --- wontfix
firefox122 + fixed
firefox123 + fixed

People

(Reporter: decoder, Assigned: yury)

Details

(5 keywords, Whiteboard: [bugmon:update,bisect][adv-main122+r])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 20231222-e22abf3976f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):

evaluate(`
function wasmEvalText(str, imports) {
    binary = wasmTextToBinary(str)
    try {
        m = new WebAssembly.Module(binary)} catch {}
    return new WebAssembly.Instance(m, imports)}
g23 = newGlobal()
g23.parent = this
g23.eval(\`
      Debugger(parent).onEnterFrame = function() {}
\`)
base = wasmEvalText(\`(module
    (global (export "rngState")
      (mut i32) (i32.const 1)
    )
    (type $tArrayI32      (array (mut i32)))  (type $tArrayArrayI32 (array (mut (ref null $tArrayI32)))) (func (result (ref $tArrayI32))
        (i32.const 0)
        (array.new $tArrayI32
          (i32.const 0)
      )
    )
    (func (export "createPrimaryArrayLoop")
        (param i32) (param $arrarr (ref $tArrayArrayI32)) 
        (result (ref $tArrayArrayI32))
        (local.get $arrarr)
    )
)\`)
t33 =
\`(module
    (type $tArrayI32      (array (mut i32)))  (type $tArrayArrayI32 (array (mut (ref null $tArrayI32)))) (import "" "rngState" (global $rngState (mut i32)))
    (import "" "createPrimaryArrayLoop" 
      (func $createPrimaryArrayLoop
        (param i32(ref $tArrayArrayI32)) 
        (result (ref $tArrayArrayI32))))
    (func $createPrimaryArray 
                            (result (ref $tArrayArrayI32))
      (return_call $createPrimaryArrayLoop
        (i32.const 0)
        (array.new $tArrayArrayI32 (ref.null $tArrayI32) (i32.const 1500)))
    )
   (func (export "churn")  (result i32)
     (local $finalSum i32)
     (local $arrarr (ref $tArrayArrayI32))
     (local.set $arrarr (call $createPrimaryArray))
     (i32.xor (local.get $finalSum) (global.get $rngState))
   )
)\`;
i30 = wasmEvalText(t33, {"": base.exports});
fns = i30.exports;
(fns.churn())`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556eaf184 in JSObject::getClass() const ()
#1  0x00005555582d18ac in js::wasm::AnyRef::toJSValue() const ()
#2  0x000055555850f856 in bool ToJSValue_anyref<js::wasm::NoDebug>(JSContext*, void*, JS::MutableHandle<JS::Value>) ()
#3  0x000055555850caf1 in bool js::wasm::ToJSValue<js::wasm::NoDebug>(JSContext*, void const*, js::wasm::PackedType<js::wasm::FieldTypeTraits>, JS::MutableHandle<JS::Value>, js::wasm::CoercionLevel) ()
#4  0x0000555558415708 in js::wasm::ResultsToJSValue(JSContext*, js::wasm::ResultType, void*, mozilla::Maybe<char*>, JS::MutableHandle<JS::Value>, js::wasm::CoercionLevel) ()
#5  0x00005555583dbce0 in js::wasm::DebugFrame::updateReturnJSValue(JSContext*) ()
#6  0x00005555583b551d in WasmHandleDebugTrap() ()
#7  0x00001182f491283b in ?? ()
#8  0x00007fffffffbc60 in ?? ()
#9  0x0e5f1dd2a9ce8f04 in ?? ()
#10 0x0000000000000000 in ?? ()
rax	0xffffd555559925c0	-46912491674176
rbx	0xffffd555559925c0	-46912491674176
rcx	0x0	0
rdx	0x7fffffffbdf8	140737488338424
rsi	0xffffd555559925c0	-46912491674176
rdi	0xffffd555559925c0	-46912491674176
rbp	0x7fffffffba20	140737488337440
rsp	0x7fffffffba20	140737488337440
r8	0x0	0
r9	0xf98ffe1	261685217
r10	0x5555558d7ce6	93824995917030
r11	0x4d4	1236
r12	0x7fffffffbaa8	140737488337576
r13	0xc8	200
r14	0x7ffff3d34900	140737284098304
r15	0x7fffffffbde8	140737488338408
rip	0x555556eaf184 <JSObject::getClass() const+4>
=> 0x555556eaf184 <_ZNK8JSObject8getClassEv+4>:	mov    (%rdi),%rax
   0x555556eaf187 <_ZNK8JSObject8getClassEv+7>:	test   $0x7,%al

Marking s-s due to type of crash, but this involves the Debugger, so likely not more than sec-moderate at most.

Attached file Testcase

Unable to reproduce bug 1871605 using build mozilla-central 20231222164453-e22abf3976f2. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
Blocks: 1866839

The implementation of bug 1866839 was incomplete: reference type results need to be discarded/not tracked.

Pushed by ydelendik@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4e6235b33d7a
Use different LeaveFrame marker for tail calls. r=rhunt
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

:yury, out of caution I set the affected versions - though this still needs the correct regressor set.
Could you confirm the regressor, and then a beta uplift request as needed?

Flags: needinfo?(ydelendik)

(In reply to Donal Meehan [:dmeehan] from comment #8)

> Could you confirm the regressor,

Bug 1866839 can be considered as regressor or incomplete implementation.

> and then a beta uplift request as needed?

The beta uplift will be requested.

Flags: needinfo?(ydelendik)

Comment on attachment 9370963 [details]
Bug 1871605 - Use different LeaveFrame marker for tail calls. r?rhunt

Beta/Release Uplift Approval Request

  • User impact if declined: Crash in devtools with some wasm files
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Affects only debugger and wasm (tail calls)
  • String changes made/needed:
  • Is Android affected?: Unknown
Attachment #9370963 - Flags: approval-mozilla-beta?

Comment on attachment 9370963 [details]
Bug 1871605 - Use different LeaveFrame marker for tail calls. r?rhunt

Approved for 122.0b8

Attachment #9370963 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][adv-main122+]
Whiteboard: [bugmon:update,bisect][adv-main122+] → [bugmon:update,bisect][adv-main122+r]
Alias: CVE-2024-0754

Making Firefox 122 security bugs public. [bugspam filter string: Pilgarlic-Towers]

Group: core-security-release