Closed Bug 1881417 (CVE-2024-3860) Opened 7 months ago Closed 7 months ago

Crash [@ js::NativeObject::setDenseInitializedLengthInternal]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [adv-main125+])

Attachments

(3 files)

debug stack
5.68 KB, text/plain
Details
Bug 1881417 - Skip tracing empty shape lists that may be present due to OOM r?jandem
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
192 bytes, text/plain
Details
Attached file debug stack 
for (let x = 0; x < 2; (function() { x++; })()) {};
function f() {
  var y = new (function () {})();
  (function () {
    Reflect.apply(y.toString, [], [0]);
  })();
}
f();
var z = [];
z.keepFailing = [];
oomTest(f, z);
dumpHeap();

(gdb) bt
#0  js::NativeObject::setDenseInitializedLengthInternal (this=0x8ce34b412f8, length=0) at /home/yksubu/trees/mozilla-central/js/src/vm/NativeObject.h:1477
#1  0x0000555557ee776a in js::NativeObject::setDenseInitializedLength (this=0x8ce34b412f8, length=0) at /home/yksubu/trees/mozilla-central/js/src/vm/NativeObject.h:1483
#2  js::jit::ShapeListObject::traceWeak (this=0x8ce34b412f8, trc=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/jit/BaselineCacheIRCompiler.cpp:2188
#3  0x000055555752369e in JSClass::doTrace (trc=0x7fffffffc780, obj=0x8ce34b412f8, this=<optimized out>) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/Class.h:653
#4  JSObject::traceChildren (this=0x8ce34b412f8, trc=0x7fffffffc780) at /home/yksubu/trees/mozilla-central/js/src/vm/JSObject.cpp:3343
#5  0x0000555557d687fb in JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0::operator()<JSObject*>(JSObject*) const (t=0x8ce34b412f8, this=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/gc/Tracer.cpp:62
#6  JS::MapGCThingTyped<JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0>(void*, JS::TraceKind, JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0&&) (thing=0x8ce34b412f8, traceKind=<optimized out>, f=...) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/TraceKind.h:253
#7  JS::ApplyGCThingTyped<JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0>(void*, JS::TraceKind, JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0&&) (thing=0x8ce34b412f8, traceKind=<optimized out>, f=...) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/TraceKind.h:268
#8  JS::TraceChildren (trc=trc@entry=0x7fffffffc780, thing=...) at /home/yksubu/trees/mozilla-central/js/src/gc/Tracer.cpp:59
/snip

(Edit: see comment 2 for the real regressor)

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev f8dd4015fa59.

Setting s-s to be safe. I'll set needinfo? from Jan as a start.

Flags: sec-bounty?
Flags: needinfo?(jdemooij)

(Also not sure if this is a JIT or a GC issue, but I'll let Jan decide)

I've got something clearer now.

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9882c0d924b8
user:        Jon Coppeard
date:        Fri Jul 07 17:05:44 2023 +0000
summary:     Bug 1837620 - Part 6: Make edges for multiple shape guard weak too r=sfink

Jon, is bug 1837620 a likely regressor?

Flags: needinfo?(jcoppeard)
Keywords: regression
Regressed by: 1837620

Set release status flags based on info from the regressing bug 1837620

status-firefox123: --- → affected
status-firefox124: --- → affected
status-firefox-esr115: --- → unaffected
Group: core-security → javascript-core-security
Flags: needinfo?(jdemooij)

I haven't had a change to look into this yet, but it probably depends on dumpHeap() touching otherwise unreachable objects.

This crash requires dumping the heap. The testcase does this with the dumpHeap() function that's not present in release builds but it could probably also be done using the facilitles present in about:memory. I'm therefore marking this as sec-moderate.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Keywords: sec-moderate

The crash happens because we try to set the dense elements length of an object
that's using the empty elements header. We can skip tracing if there are no
elements.

Normally there we wouldn't create an empty shape list but this can happen due
to OOM as these are being initialized.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/75e12d12d89c Skip tracing empty shape lists that may be present due to OOM r=jandem

https://hg.mozilla.org/mozilla-central/rev/75e12d12d89c

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 months ago
status-firefox125: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch

The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox124 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jcoppeard)
Flags: sec-bounty? → sec-bounty+

Comment on attachment 9382249 [details]
Bug 1881417 - Skip tracing empty shape lists that may be present due to OOM r?jandem

Beta/Release Uplift Approval Request

  • User impact if declined: Possible crash / security vulnerability.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a very simple change and has been on nightly for a week.
  • String changes made/needed: None
  • Is Android affected?: Yes
Flags: needinfo?(jcoppeard)
Attachment #9382249 - Flags: approval-mozilla-beta?

Backing out of beta (for 124.0b8) for causing test failures

ReferenceError: oomTest is not defined
Failure log
Backout push

Flags: needinfo?(jcoppeard)
Attachment #9382249 - Flags: approval-mozilla-beta+ → approval-mozilla-beta?

Comment on attachment 9382249 [details]
Bug 1881417 - Skip tracing empty shape lists that may be present due to OOM r?jandem

TBH this is not super important to uplift and the end of the train is close anyway. Cancelling uplift request.

Flags: needinfo?(jcoppeard)
Attachment #9382249 - Flags: approval-mozilla-beta?
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main125+]
Attached file advisory.txt
Alias: CVE-2024-3860
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: