Closed Bug 1880770 Opened 1 year ago Closed 1 year ago

Crash [@ __strlen_avx2] or [@ UTF8CharsToString]

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- disabled
firefox125 --- fixed

People

(Reporter: gkw, Assigned: yury)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, testcase)

Attachments

(2 files)

// SpiderMonkey shell testcase: wasmTextToBinary() and oomTest() are shell-only helpers.
var x = {};
Object.defineProperty(x, "", {
  enumerable: true,
  get: function () {
    // Instantiate a module exporting a one-entry funcref table and call
    // WebAssembly.Function.prototype.type() on the stored function.
    new WebAssembly.Instance(
      new WebAssembly.Module(
        wasmTextToBinary(
          '(func $f (result f32) f32.const 0)(table (export "g") 1 funcref) (elem (i32.const 0) $f)'
        )
      )
    ).exports.g
      .get(0)
      .type(WebAssembly, "", WebAssembly.Module, {});
  },
});
// oomTest() re-runs the callback, failing each allocation in turn.
oomTest(function () {
  Object.values(x);
});
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00005555586e1a78 in UTF8CharsToString (cx=cx@entry=0x7ffff6b2d100, chars=0x0)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:772
#2  0x00005555586e1727 in ValTypesToArray (cx=cx@entry=0x7ffff6b2d100, valTypes=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:783
#3  0x000055555868a5d8 in FuncTypeToObject (cx=cx@entry=0x7ffff6b2d100, type=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:805
#4  0x000055555869ee8a in WasmFunctionTypeImpl (cx=cx@entry=0x7ffff6b2d100, args=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:4057
#5  0x000055555869f3d2 in JS::CallNonGenericMethod<&(IsWasmFunction(JS::Handle<JS::Value>)), &(WasmFunctionTypeImpl(JSContext*, JS::CallArgs const&))> (cx=0x7ffff6b2d100, args=...)
    at /home/w11x500-lin/shell-cache/js-dbg-64-linux-x86_64-2af34b4c9adf/objdir-js/dist/include/js/CallNonGenericMethod.h:103
#6  WasmFunctionType (cx=0x7ffff6b2d100, argc=<optimized out>, vp=<optimized out>)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:4067
#7  0x000007535501a3ec in ?? ()
#8  0xaaaaaa0100015905 in ?? ()
#9  0x00007fffffffb800 in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb)

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 2af34b4c9adf.

This seems to go as far back as 3 months prior; I'll keep trying to bisect. Let me know if this is a benign OOM issue.

Setting s-s to be safe. Yury/Jan, I'm guessing it's WebAssembly here; the patch for bug 1878673 seems not to fix this issue, so it might be a separate issue.

Flags: sec-bounty?
Flags: needinfo?(ydelendik)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a8a44a065f73
user:        Lars T Hansen
date:        Tue Feb 08 07:42:28 2022 +0000
summary:     Bug 1753061 - revert bug 1742053 part 11. r=rhunt

It seems to point to a revert but I'm guessing it may (or may not) be related to bug 1753061 or bug 1742053 then. I'll let Yury/Ryan set the regressor here.

(Also setting needinfo? from Ryan)

Flags: needinfo?(rhunt)
Group: core-security → javascript-core-security

It looks like wasm::ToString is using DuplicateString and may return nullptr (in this case, during oomTest). Subsequent operations may dereference nullptr, e.g. UTF8CharsToString, and crash. Triaging similarly to bug 1878673.

Severity: -- → S3
Flags: needinfo?(ydelendik)
Priority: -- → P2
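To illustrate the failure Yury describes (a DuplicateString-style helper returning nullptr under OOM, then strlen() being applied to that pointer), here is an added C++ example; it is not SpiderMonkey code or a patch from this bug, and the allocator switch and function names are constructed stand-ins that mimic how oomTest() forces allocations to fail:

```cpp
#include <cstdlib>
#include <cstring>
#include <string>

// Constructed allocation-failure switch, standing in for the way the shell's
// oomTest() makes each allocation in turn fail.
static bool gSimulateOOM = false;

// Hypothetical analogue of DuplicateString: copies |s| into a fresh buffer and
// returns nullptr instead of throwing when memory is exhausted.
static char* DuplicateStringOrNull(const char* s) {
  if (gSimulateOOM) {
    return nullptr;
  }
  size_t n = strlen(s) + 1;
  char* out = static_cast<char*>(malloc(n));
  if (out) {
    memcpy(out, s, n);
  }
  return out;
}

// The pattern behind the backtrace: the caller never checks the duplicated
// pointer and hands it to a strlen()-based conversion, so under OOM this is a
// nullptr dereference (the __strlen_avx2 frame in the report).
static bool UnsafeValTypeToString(const char* name, std::string* out) {
  char* dup = DuplicateStringOrNull(name);
  *out = std::string(dup, strlen(dup));  // crashes when dup == nullptr
  free(dup);
  return true;
}

// Hardened form: test the pointer before any use and propagate the failure so
// the caller can report OOM (ReportOutOfMemory in SpiderMonkey) and unwind.
static bool SafeValTypeToString(const char* name, std::string* out) {
  char* dup = DuplicateStringOrNull(name);
  if (!dup) {
    return false;  // caller reports OOM and unwinds
  }
  *out = std::string(dup);
  free(dup);
  return true;
}

// Drives the safe path once without OOM and once with it; true means the
// allocation failure surfaced as a clean false return rather than a crash.
static bool SafePathHandlesOOM() {
  std::string s;
  gSimulateOOM = false;
  bool ok = SafeValTypeToString("f32", &s) && s == "f32";
  gSimulateOOM = true;
  bool handled = !SafeValTypeToString("f32", &s);
  gSimulateOOM = false;
  return ok && handled;
}
```

Under oomTest() every allocation site is failed in turn, so any conversion path that trusts a maybe-null buffer is found quickly; the null check is what turns the strlen crash into an ordinary reported OOM.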

Yes, agree with Yury. This is caused by OOM conditions. In these cases we'll always have a safe nullptr crash, so this should not be sec-sensitive.

The function called is also in a nightly-only feature (js-type-reflection).

Flags: needinfo?(rhunt)
Group: javascript-core-security

Setting a needinfo? on Ryan as requested by Yury. No immediate rush, but a patch would be nice! :)

Flags: needinfo?(rhunt)
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
Pushed by ydelendik@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cee87f81024b Protect UTF8CharsToString from OOM. r=rhunt
https://hg.mozilla.org/integration/autoland/rev/e91a65ccf1f0 Check proper handling of OOM during segments creation. r=rhunt
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
Flags: sec-bounty? → sec-bounty-
Flags: needinfo?(rhunt)