Closed Bug 1914963 Opened 1 year ago Closed 1 year ago

Segmentation fault with wasm tail calls on aarch64

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
ARM64
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
132 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 131+ fixed
firefox130 --- wontfix
firefox131 + fixed
firefox132 + fixed

People

(Reporter: yury, Assigned: yury)

References

Details

(Keywords: csectype-uninitialized, sec-high, Whiteboard: [adv-main131+r][adv-esr128.3+r])

Attachments

(2 files)

Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
diannaS
: approval-mozilla-esr128+
tjr
: sec-approval+
Details | Review
test case that is fixed by this patch.
3.17 KB, application/x-javascript
Details

Similar to bug 1913445 but involves non-trampoline code for wasm tail calls: the constants pool may be injected between call and (slow call) marker. I did not find confirmation in form of a bug/crash, but expecting that to be a problem. The refactoring might involve touching all platforms, so it will be nice to do incremental (non-uplift) patching.

Group: core-security → javascript-core-security
Severity: -- → S3
Priority: -- → P1
Keywords: sec-high

What versions are affected? Is it the same as for bug 1913445?

status-firefox131: --- → affected
status-firefox-esr128: --- → affected
Flags: needinfo?(ydelendik)

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:yury, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(ydelendik)
Severity: S3 → S2

What versions are affected? Is it the same as for bug 1913445?

That's correct. Also, tail calls were enabled in FF121.

Flags: needinfo?(ydelendik)

Here is test that is found by wasm-calls.js

Crash signature:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==80065==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0xf94012e8f94003a5 (pc 0x28f9f78c446c bp 0x00016f2c5c40 sp 0x00016f2c5bf0 T17123598)
==80065==The signal is caused by a WRITE memory access.
    #0 0x28f9f78c446c  (<unknown module>)
    #1 0x28f9f78c4644  (<unknown module>)
    #2 0x1027099a8 in js::wasm::Instance::callExport(JSContext*, unsigned int, JS::CallArgs const&, js::wasm::CoercionLevel)+0xad0 (js:arm64+0x101bd19a8)
    #3 0x1027086b4 in WasmCall(JSContext*, unsigned int, JS::Value*)+0x18c (js:arm64+0x101bd06b4)
    #4 0x100c254e0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)+0x118 (js:arm64+0x1000ed4e0)
    #5 0x100c24bec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x2a0 (js:arm64+0x1000ecbec)
    #6 0x100c3345c in js::Interpret(JSContext*, js::RunState&)+0x8e9c (js:arm64+0x1000fb45c)
Summary: Possible segmentation fault with wasm tail calls on aarch64 → Segmentation fault with wasm tail calls on aarch64

Other possible signature:

[63075] Assertion failure: code_ == &instance()->code(), at /Users/yury/Work/mozilla-unified/js/src/wasm/WasmFrameIter.cpp:307
#01: js::wasm::WasmFrameIter::popFrame()[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin23.5.0/dist/bin/js +0x1b58d08]
#02: js::JitFrameIter::operator++()[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin23.5.0/dist/bin/js +0x48343c]
#03: js::jit::TraceJitActivations(JSContext*, JSTracer*)[/Users/yury/Work/mozilla-unified/obj-aarch64-apple-darwin23.5.0/dist/bin/js +0x138b70c]
#04: js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime)[/Users/yury/Work/mozi
Attachment #9420826 - Attachment description: WIP: Bug 1914963 - Combine wasmMarkSlowCall and call(reg). → Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward

The uplifting will require the applied bug 1913445 patch.

Comment on attachment 9420826 [details]
Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Wasm programs can crash/corrupt memory on ARM(64) machines
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: since ff121
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: it depends on bug 1913445
  • How likely is this patch to cause regressions; how much testing does it need?:
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9420826 - Flags: sec-approval?
status-firefox132: --- → affected

Comment on attachment 9420826 [details]
Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward

Approved to land and request uplift

Attachment #9420826 - Flags: sec-approval? → sec-approval+
Pushed by ydelendik@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/506a1f94f7a1 Combine wasmMarkSlowCall and call(reg). r=jseward

https://hg.mozilla.org/mozilla-central/rev/506a1f94f7a1

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox132: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch

The patch landed in nightly and beta is affected.
:yury, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox131 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(ydelendik)

Comment on attachment 9420826 [details]
Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward

Beta/Release Uplift Approval Request

  • User impact if declined: Some wasm programs with tail calls may crash on aarch64
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Affects only wasm programs and aarch64
  • String changes made/needed:
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Some wasm programs with tail calls may crash on aarch64
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Affects only wasm programs and aarch64
Flags: needinfo?(ydelendik)
Attachment #9420826 - Flags: approval-mozilla-esr128?
Attachment #9420826 - Flags: approval-mozilla-beta?

Comment on attachment 9420826 [details]
Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward

Approved for 131.0b6

Attachment #9420826 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9420826 [details]
Bug 1914963 - Combine wasmMarkSlowCall and call(reg). r?jseward

Approved for 128.3esr

Attachment #9420826 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main131+r]
Whiteboard: [adv-main131+r] → [adv-main131+r][adv-esr128.3+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: