Closed Bug 1893651 Opened 1 year ago Closed 1 year ago

TypedArrayObject::getElements doesn't handle concurrent modifications when growing shared array buffer

Tracking

()

Status:

RESOLVED FIXED

Milestone:

127 Branch

Tracking Flags:

Tracking

Status

firefox-esr115

---

unaffected

firefox125

---

disabled

firefox126

---

disabled

firefox127

---

fixed

People

(Reporter: anba, Assigned: anba)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, reporter-external, sec-high)

Attachments

(1 file)

Bug 1893651: Avoid repeated typed array length reads. r=jandem! 1 year ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review

André Bargull [:anba]

Assignee

Description

•

1 year ago

Run with while js --enable-arraybuffer-resizable /tmp/test.js; do true ; done.

Expected: No crash
Actual: *** stack smashing detected ***: terminated

Test case:

let maxByteLength = 500 * 1000;
let sab = new SharedArrayBuffer(0, {maxByteLength});

setSharedObject(sab);
evalInWorker(`
  let sab = getSharedObject();
  while (sab.byteLength < sab.maxByteLength) {
    sab.grow(Math.min(sab.byteLength + 13, sab.maxByteLength));
  }
  print("done worker");
`);

let ta = new Int8Array(sab);
while (ta.byteLength < maxByteLength) {
  Math.min.apply(null, ta);
}
print("done main");

Ryan VanderMeulen [:RyanVM]

Updated

•

1 year ago

Group: core-security → javascript-core-security

André Bargull [:anba]

Assignee

Comment 1

•

1 year ago

Attached file Bug 1893651: Avoid repeated typed array length reads. r=jandem! — Details

Andrew McCreight (out of office until 8/21) [:mccr8]

Updated

•

1 year ago

Keywords: csectype-race, sec-high

Steven DeTar [:sdetar]

Updated

•

1 year ago

Severity: -- → S2

Priority: -- → P1

André Bargull [:anba]

Assignee

Comment 2

•

1 year ago

Resizable array buffers can only be enabled through a (defaulted to off) preference in Nightly builds, so Release, Beta, and ESR are all unaffected.

status-firefox125: --- → unaffected

status-firefox126: --- → unaffected

status-firefox-esr115: --- → unaffected

Pulsebot

Comment 3

•

1 year ago

Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/a6ce02781fe2 Avoid repeated typed array length reads. r=jandem

Andrew McCreight (out of office until 8/21) [:mccr8]

Updated

•

1 year ago

status-firefox127: --- → disabled

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 4

•

1 year ago

https://hg.mozilla.org/mozilla-central/rev/a6ce02781fe2

Group: javascript-core-security → core-security-release

Status: ASSIGNED → RESOLVED

Closed: 1 year ago

Resolution: --- → FIXED

Target Milestone: --- → 127 Branch

Ryan VanderMeulen [:RyanVM]

Updated

•

1 year ago

status-firefox125: unaffected → disabled

status-firefox126: unaffected → disabled

status-firefox127: disabled → fixed

Andrei Vaida [:avaida]

Updated

•

1 year ago

QA Whiteboard: [post-critsmash-triage]

Flags: qe-verify-

Daniel Veditz [:dveditz]

Updated

•

1 year ago

Keywords: reporter-external

Daniel Veditz [:dveditz]

Updated

•

5 months ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TypedArrayObject::getElements doesn't handle concurrent modifications when growing shared array buffer

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

()

People

(Reporter: anba, Assigned: anba)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, reporter-external, sec-high)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Updated

Comment 2

Comment 3

Updated

Comment 4

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type