Closed Bug 1904648 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(setFromOverlappingTypedArray with a typed array with bogus type) at js/src/vm/TypedArrayObject-inl.h:759

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
129 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- disabled
firefox127 --- disabled
firefox128 --- disabled
firefox129 --- fixed

People

(Reporter: sm-bugs, Assigned: dminor)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external)

Attachments

(2 files)

Attached file bug.js

Steps to reproduce:

Checkout commit 9fcc11127fbfbdc88cbf37489dac90542e141c77 and invoke the js shell as follows:

js --fuzzing-safe <test-case>

Actual results:

Hit MOZ_CRASH(setFromOverlappingTypedArray with a typed array with bogus type) at js/src/vm/TypedArrayObject-inl.h:759
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

Reduced test below. We're not handling Float16Array in setFromOverlappingTypedArray.

// Both views share one 6-byte buffer, so set() takes the overlapping path
// (setFromOverlappingTypedArray) and must switch on the source element type.
var ta1 = new Uint8Array(6);
var ta2 = new Float16Array(ta1.buffer); // 3 elements, Float16 has no case in the switch
ta1.set(ta2); // MOZ_CRASH before the fix; copies ToUint8(ta2[i]) into ta1[0..2] after it
Flags: needinfo?(dminor)
Keywords: regression
Regressed by: 1833647
Status: UNCONFIRMED → NEW
Ever confirmed: true
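A reference model of what the overlapping-buffer path has to do, added here as an example; it is not code from this bug or from SpiderMonkey, and the helper names (referenceOverlappingSet, naiveSet, runCase, float16CaseMatches) and the byte inputs are constructed for illustration. It compares the engine's native set() against the model on the bug's Uint8Array/Float16Array shape (skipped where the engine has no Float16Array) and shows, with a Uint16Array target over a Uint8Array source, why an in-place element copy is wrong when the buffers overlap:

```javascript
// Reference model of %TypedArray%.prototype.set for a typed-array source that
// shares the target's buffer, the case SpiderMonkey routes through
// setFromOverlappingTypedArray. The spec requires the result to be as if the
// source were cloned before any write, so bytes already overwritten in the
// target are never re-read as source. Hypothetical helper, not engine code.
function referenceOverlappingSet(target, source, offset = 0) {
  if (target.buffer !== source.buffer) {
    throw new Error("model only covers a source sharing the target's buffer");
  }
  if (offset < 0 || offset + source.length > target.length) {
    throw new RangeError("source is too large");
  }
  // 1. Snapshot the source into a fresh buffer of the same element type.
  const snapshot = new source.constructor(source.length);
  snapshot.set(source); // buffers differ here, so this is a plain copy
  // 2. Convert element by element into the target's type. An engine's
  //    per-type switch needs a case for every element type at this point;
  //    the bug was a missing Float16 case that hit MOZ_CRASH instead.
  for (let i = 0; i < snapshot.length; i++) {
    target[offset + i] = snapshot[i];
  }
  return target;
}

// Naive in-place copy, for contrast: only correct when the byte ranges do not overlap.
function naiveSet(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) {
    target[offset + i] = source[i];
  }
  return target;
}

// Build an overlapping target/source pair over constructed input bytes and run
// one implementation (native set(), the reference model, or the naive copy).
// The source starts at byte 0 and is trimmed so it fits inside the target.
function runCase(TargetCtor, SourceCtor, bytes, impl) {
  const buffer = new Uint8Array(bytes).buffer; // constructed sample bytes
  const target = new TargetCtor(buffer);
  const sourceLength = Math.min(
    target.length,
    Math.floor(buffer.byteLength / SourceCtor.BYTES_PER_ELEMENT)
  );
  const source = new SourceCtor(buffer, 0, sourceLength);
  impl(target, source);
  return Array.from(target);
}

const nativeSet = (target, source) => target.set(source);

// The bug's shape: Uint8Array target, Float16Array source on the same buffer.
// Returns true/false for native-vs-model agreement, or null when the engine
// has no Float16Array (builds predating ES2025).
function float16CaseMatches(bytes) {
  if (typeof Float16Array === "undefined") return null;
  const viaNative = runCase(Uint8Array, Float16Array, bytes, nativeSet);
  const viaModel = runCase(Uint8Array, Float16Array, bytes, referenceOverlappingSet);
  return JSON.stringify(viaNative) === JSON.stringify(viaModel);
}

// Uint16Array target over bytes [1,2,3,4], Uint8Array source = first two bytes [1,2].
// Correct result is [1, 2]; the naive copy clobbers source[1] while writing
// target[0] and so reads back a stale byte for target[1].
console.log(runCase(Uint16Array, Uint8Array, [1, 2, 3, 4], nativeSet));
console.log(runCase(Uint16Array, Uint8Array, [1, 2, 3, 4], referenceOverlappingSet));
console.log(runCase(Uint16Array, Uint8Array, [1, 2, 3, 4], naiveSet));
console.log(float16CaseMatches([1, 2, 3, 4, 5, 6]));
```

The model is only a check on observable results; the engine's own code is what handles the element-type dispatch, and the bug is exactly that dispatch lacking a Float16 case.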

Set release status flags based on info from the regressing bug 1833647

Assignee: nobody → dminor
Status: NEW → ASSIGNED
Flags: needinfo?(dminor)
Blocks: sm-security
Severity: -- → S3
Priority: -- → P1

Is this actually a security issue? It looks like we're hitting a release crash.

Flags: needinfo?(dminor)

I don't think this is a sec issue, unless there are implications outside of the location of the crash. Jan, could we make this a non-sec bug?

Flags: needinfo?(dminor) → needinfo?(jdemooij)

Yes this is a safe crash.

Group: javascript-core-security
Flags: needinfo?(jdemooij)
Pushed by dminor@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c700d0b5a07c Support Float16Array in setFromOverlappingTypedArray; r=jandem
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch

The patch landed in nightly and beta is affected.
:dminor, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox128 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(dminor)

This was previously off by default on Nightly prior to Firefox 129.

Flags: needinfo?(dminor)

Set release status flags based on info from the regressing bug 1833647
