Bug 1902906 - OOB Read in WasmShareable.h:70
Status: RESOLVED DUPLICATE of bug 1886703
Opened 22 days ago; closed 21 days ago
Categories: Core :: JavaScript: WebAssembly, defect
People: Reporter: nils.bars, Unassigned
References: Blocks 1 open bug
Attachments (1 file): 681 bytes, text/plain
Steps to reproduce:
Checkout commit 97eeb1c55a5c73bd3938d4899685321a7967333b and invoke the js shell as follows:
js --fuzzing-safe --fast-warmup --gc-zeal=14,134 <testcase>
Actual results:
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 321857 edges
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3778461==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x17b66f45c1c8 (pc 0x555557af1023 bp 0x7fffffffd2b0 sp 0x7fffffffd250 T3778461)
==3778461==The signal is caused by a READ memory access.
#0 0x555557af1023 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::new_<unsigned char const&>(unsigned char*, unsigned char const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:251:12
#1 0x555557af1023 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::copyConstruct<unsigned char>(unsigned char*, unsigned char const*, unsigned char const*) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:284:7
#2 0x555557af1023 in void mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::internalAppend<unsigned char>(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:1443:3
#3 0x555557af0cfd in bool mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned char const*) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:1433:3
#4 0x555557acc486 in bool mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:1516:10
#5 0x555557acc486 in js::wasm::ShareableBytes::append(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/wasm/WasmShareable.h:70:18
#6 0x555557acc486 in WasmDumpIon(JSContext*, unsigned int, JS::Value*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/builtin/TestingFunctions.cpp:2110:18
#7 0x5555572a2f6e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:487:13
#8 0x5555572a21cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:581:12
#9 0x5555572b8781 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:653:10
#10 0x5555572b8781 in js::Interpret(JSContext*, js::RunState&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:3291:16
#11 0x5555572a11d1 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:459:13
#12 0x5555572a63b1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:846:13
#13 0x5555572a6bbc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:878:10
#14 0x5555574efe79 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/CompilationAndEvaluation.cpp:494:10
#15 0x5555574f00f7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/CompilationAndEvaluation.cpp:518:10
#16 0x5555571e0cfe in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:1194:10
#17 0x5555571e0065 in Process(JSContext*, char const*, bool, FileKind) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp
#18 0x55555719a91e in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:11257:10
#19 0x55555719a91e in Shell(JSContext*, js::cli::OptionParser*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:11509:12
#20 0x555557192921 in main /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:12035:12
#21 0x7ffff7a44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#22 0x7ffff7a44e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#23 0x55555715c5c8 in _start (/home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/bin/js+0x1c085c8) (BuildId: 4fb545216ce3e6743aa599f3a1718dda)
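Comment 1 triages this report by eye: it skips the inlined mozilla/Vector.h frames, finds the first frame in SpiderMonkey sources and the shell builtin that called it, and uses that to suggest a duplicate. The script below does the same over the sanitizer output above. It is an added example, not code from this bug or from Mozilla; the `/js/src/` path split, the `dist/include` library rule and the subset of frames embedded as sample input are assumptions.

```python
import re

# Frames copied from the sanitizer report in this bug (constructed sample: the
# inlined mozilla/Vector.h frames #1-#4 are left out for brevity).
TRACE = """\
==3778461==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x17b66f45c1c8 (pc 0x555557af1023 bp 0x7fffffffd2b0 sp 0x7fffffffd250 T3778461)
==3778461==The signal is caused by a READ memory access.
#0 0x555557af1023 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::new_<unsigned char const&>(unsigned char*, unsigned char const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:251:12
#5 0x555557acc486 in js::wasm::ShareableBytes::append(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/wasm/WasmShareable.h:70:18
#6 0x555557acc486 in WasmDumpIon(JSContext*, unsigned int, JS::Value*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/builtin/TestingFunctions.cpp:2110:18
#7 0x5555572a2f6e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:487:13
#21 0x7ffff7a44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
SOURCE_ROOT = "/js/src/"  # assumed: SpiderMonkey sources live under js/src


class Frame:
    def __init__(self, index: int, symbol: str, location: str):
        self.index, self.symbol, self.location = index, symbol, location

    def in_project(self) -> bool:
        # mfbt headers are copied into dist/include at build time; treat them as a library
        return SOURCE_ROOT in self.location and "/dist/include/" not in self.location

    def name(self) -> str:
        # Drop the parameter list, then any return type: "bool js::foo(...)" -> "js::foo".
        # Adequate for the non-template project frames in this report.
        return self.symbol.split("(", 1)[0].split()[-1]

    def short_location(self) -> str:
        # ".../wasm/WasmShareable.h:70:18" -> "WasmShareable.h:70" (column dropped)
        return ":".join(self.location.rsplit("/", 1)[-1].split(":")[:2])


def parse_frames(text: str) -> list:
    return [Frame(int(m.group(1)), m.group(2), m.group(3))
            for m in map(FRAME_RE.match, text.splitlines()) if m]


def crash_signature(text: str, depth: int = 3) -> dict:
    """First frame in SpiderMonkey sources, plus a dedup key from the top `depth` such frames."""
    access = ACCESS_RE.search(text)
    project = [f for f in parse_frames(text) if f.in_project()]
    return {
        "access": access.group(1) if access else None,
        "first": f"{project[0].name()} {project[0].short_location()}" if project else None,
        "key": "|".join(f.name() for f in project[:depth]) or None,
        "callers": [f.name() for f in project],
    }
```

Comparing the `key` of a new report against those already filed is what turns "the stack trace has WasmDumpIon" into an automatic duplicate candidate; `access` separates an out-of-bounds read from a write when rating severity.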
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript: WebAssembly
Flags: sec-bounty?
Product: Firefox → Core
Updated 21 days ago
Group: core-security → javascript-core-security
Updated 21 days ago
Attachment #9407731 - Attachment mime type: application/x-javascript → text/plain
Comment 1 • 21 days ago
The stack trace has WasmDumpIon. Is this a duplicate of bug 1886703?
Flags: needinfo?(ydelendik)
Comment 2 • 21 days ago
I think so. I'm going to get a fix for that one soon.
Summary from that bug:
Yes, this test is using that shell builtin. This looks like a bug in that code due to the MIR dumping logic not performing the initialization that ModuleGenerator normally does in, which assigns offsets to global variables. Low severity because this is only available in the shell for helping debug code generation. I'll see if I can get a fix written.
Flags: needinfo?(ydelendik)
Updated 21 days ago
Status: UNCONFIRMED → RESOLVED
Closed: 21 days ago
Duplicate of bug: 1886703
Resolution: --- → DUPLICATE
Updated 20 days ago
Group: javascript-core-security
Updated 20 days ago
Flags: sec-bounty? → sec-bounty-