Closed Bug 1900525 Opened 1 year ago Closed 6 months ago

Assertion failure: inputSizeChecked.isValid(), at mfbt/Compression.cpp:25

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
144 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox-esr140 --- wontfix
firefox126 --- wontfix
firefox127 --- wontfix
firefox128 --- wontfix
firefox129 --- wontfix
firefox143 --- wontfix
firefox144 --- fixed

People

(Reporter: sm-bugs, Assigned: mccr8)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Attachments

(3 files)

input_size_checked_01.js
188 bytes, text/plain
Details
debug stack
3.28 KB, text/plain
Details
Bug 1900525 - Make the LZ4 shell functions fuzzing unsafe.
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

Steps to reproduce:

Checkout commit d9496bfef09039b2642da45585ca821c36917c6d and invoke the js shell as follows:

./js-spidermonkey-shell --fast-warmup --fuzzing-safe input_size_checked_01.js

Actual results:

Assertion failure: inputSizeChecked.isValid(), at mfbt/Compression.cpp:25
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 125 → Trunk

This looks like a problem with the compressLZ4 shell function. We probably need to ensure the size doesn't overflow INT32_MAX. Not security-sensitive if it only affects the shell function.

Flags: needinfo?(bvisness)
Keywords: regression
Regressed by: 1856635
Status: UNCONFIRMED → NEW
Ever confirmed: true

Set release status flags based on info from the regressing bug 1856635

status-firefox126: --- → affected
status-firefox127: --- → affected
status-firefox128: --- → affected
status-firefox-esr115: --- → unaffected
See Also: → 1898572
Group: core-security → javascript-core-security
Blocks: sm-shell
Severity: -- → S4
Priority: -- → P3
Attachment #9405436 - Attachment mime type: application/x-javascript → application/text-plain
Attachment #9405436 - Attachment mime type: application/text-plain → text/plain

This only affects the JS shell and therefore is not a security issue.

Flags: needinfo?(bvisness)
Group: javascript-core-security

Set release status flags based on info from the regressing bug 1856635

status-firefox129: --- → affected
Blocks: 1903968
Attached file debug stack 
compressLZ4(new ArrayBuffer(2**31));

$ ~/shell-cache/js-dbg-64-linux-x86_64-c0927f7f515e-582651/js-dbg-64-linux-x86_64-c0927f7f515e-582651 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
[297253] Assertion failure: inputSizeChecked.isValid(), at /home/msf2/trees/firefox/mozglue/static/Compression.cpp:25

Tested with gh rev c0927f7f515e.

(gdb) bt
#0  0x00005555589ce57f in MOZ_CrashSequence (aAddress=0x0, aLine=25) at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-c0927f7f515e-582651/objdir-js/dist/include/mozilla/Assertions.h:248
#1  mozilla::Compression::LZ4::compress (aSource=<optimized out>, aInputSize=<optimized out>, aDest=<optimized out>) at /home/msf2/trees/firefox/mozglue/static/Compression.cpp:25
#2  0x00005555571d90f1 in CompressLZ4 (cx=cx@entry=0x7ffff5e3c200, argc=<optimized out>, vp=<optimized out>) at /home/msf2/trees/firefox/js/src/shell/js.cpp:9368
#3  0x00005555572f1be5 in CallJSNative (cx=cx@entry=0x7ffff5e3c200, native=0x5555571d8de0 <CompressLZ4(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, args=...)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:501
#4  0x00005555572cdfa6 in js::InternalCallOrConstruct (cx=0x7ffff5e3c200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:597
#5  0x00005555572ced08 in InternalCall (cx=<optimized out>, args=..., reason=25) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:664
/snip

Jan, this is an updated testcase. With the simplicity, it's really easy to trigger. If it is not a priority, can we please get at least a patch or ignore it under --fuzzing-safe for now?

Flags: needinfo?(jdemooij)
Duplicate of this bug: 1988079
See Also: → 1988170

compressLZ4 has some unfixed overflow integer issues that at least 3
different fuzzing people have stumbled over. Given that this was first reported
more than a year ago without being fixed, let's at least keep fuzzing people
from hitting this.

Assignee: nobody → continuation
Status: NEW → ASSIGNED

I tested load-mod.js and compression.js in a shell build and they still seem to pass.

Flags: needinfo?(jdemooij)

https://hg.mozilla.org/mozilla-central/rev/76e7a3b5c9ad

Status: ASSIGNED → RESOLVED
Closed: 6 months ago
status-firefox144: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch
QA Whiteboard: [qa-triage-done-c145/b144]
Duplicate of this bug: 1901404
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: