Closed Bug 1929623 (CVE-2025-0240) Opened 1 year ago Closed 1 year ago

MOZ_CRASH(*** Compartment mismatch 7f95a68d0b30 vs. 7f95a68d0030 at argument 1) at s/src/vm/JSContext-inl.h:56

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 134+ fixed
firefox132 --- wontfix
firefox133 --- wontfix
firefox134 + fixed
firefox135 + fixed

People

(Reporter: sm-bugs, Assigned: jonco)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [adv-main134+][adv-ESR128.6+])

Attachments

(2 files)

Bug 1929623 - The result of evaluating a JSON module should be |undefined| r?jandem
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
pascalc
: approval-mozilla-esr128+
Details | Review
advisory.txt
217 bytes, text/plain
Details

Steps to reproduce:

Version: ff95c781c335e83ba8f5be401e479201fe28a3f5
Args js --fuzzing-safe <test-case>
Input:

a = "".startsWith("")
function b() { return newGlobal(b) }
b.newCompartment = a
with (b()) this.moduleEvaluate(parseModule("45172", "", "json"))

Actual results:

MOZ_CRASH(*** Compartment mismatch 7f95a68d0b30 vs. 7f95a68d0030 at argument 1) at s/src/vm/JSContext-inl.h:56

#0 0x56530ecb0ade in MOZ_Crash(char const*, int, char const*) reproducebuild/dist/include/mozilla/Assertions.h:324:3
#1 0x56530ecb0ade in js::ContextChecks::fail(JS::Compartment*, JS::Compartment*, int) js/src/vm/JSContext-inl.h:55:5
#2 0x56530ecb0ade in js::ContextChecks::check(JS::Compartment*, int) js/src/vm/JSContext-inl.h:71:7
#3 0x56530ecb0ade in js::ContextChecks::check(JSObject*, int) js/src/vm/JSContext-inl.h:84:7
#4 0x56530ee2a144 in void JSContext::checkImpl<JS::Handle<JSObject*>, JS::Handle<JS::Value>>(JS::Handle<JSObject*> const&, JS::Handle<JS::Value> const&) js/src/vm/JSContext-inl.h:207:33
#5 0x56530f16b63f in void JSContext::check<JS::Handle<JSObject*>, JS::Handle<JS::Value>>(JS::Handle<JSObject*> const&, JS::Handle<JS::Value> const&) js/src/vm/JSContext-inl.h:214:5
#6 0x56530f16b63f in js::ResolvePromiseInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) js/src/builtin/Promise.cpp:1228:7
#7 0x56530f0feabe in SyntheticModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Modules.cpp:1508:8
#8 0x56530f0feabe in JS::ModuleEvaluate(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Modules.cpp:243:12
#9 0x56530ebea7d6 in ModuleEvaluate(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5774:10
#10 0x56530ecb811e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:528:13
#11 0x56530ecb737f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:624:12
#12 0x56530eccf574 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:696:10
#13 0x56530eccf574 in js::Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3326:16
#14 0x56530ecb61b0 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:498:13
#15 0x56530ecbb561 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:889:13
#16 0x56530ecbbd6c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:922:10
#17 0x56530ef0ac69 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:496:10
#18 0x56530ef0aee7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:520:10
#19 0x56530ec12cee in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) js/src/shell/js.cpp:1324:10
#20 0x56530ec11d95 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp
#21 0x56530ebcb0a9 in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11861:10
#22 0x56530ebcb0a9 in Shell(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:12128:12
#23 0x56530ebc1f0d in main js/src/shell/js.cpp:12690:12
#24 0x7f882f3c23b7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7f882f3c247a in __libc_start_main csu/../csu/libc-start.c:360:3
#26 0x56530eb8b428 in _start (reproducebuild/dist/bin/js+0x1bdb428) (BuildId: 03865d17428dc19438af43dd1374a02f)
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 132 → Trunk
Group: core-security → javascript-core-security

Reduced:

var m = parseModule("{}", "", "json");
newGlobal({newCompartment: true}).moduleEvaluate(m);

The JS shell ModuleEvaluate function calls JS::ModuleEvaluate which calls SyntheticModuleEvaluate. This function does this:

  if (!AsyncFunctionReturned(cx, resultPromise, result)) {
    return false;
  }

I think the problem is that result is the original args.rval() from the shell function and hasn't been set yet?

Flags: needinfo?(jcoppeard)
Keywords: regression
Regressed by: 1877791

Set release status flags based on info from the regressing bug 1877791

status-firefox132: --- → affected
status-firefox133: --- → affected
status-firefox134: --- → affected
status-firefox-esr128: --- → affected

parseModule and moduleEvaluate are shell-only functions and not available in the browser. However the underlying functions do get called and I'm not sure what consumes the evaluation result in the browser so there's a possibility that something could go awry.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)

The result of evaluation a JSON module should be |undefined| as per https://tc39.es/proposal-json-modules/#sec-smr-Evaluate step 10 and the |steps| set by https://tc39.es/proposal-json-modules/#sec-smr-Evaluate .

Comment on attachment 9436848 [details]
Bug 1929623 - The result of evaluating a JSON module should be |undefined| r?jandem

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not possible as it uses shell-only functions.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: Everything back to 125
  • If not all supported branches, which bug introduced the flaw?: Bug 1877791
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should be trivial.
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely. It just sets a return value to undefined in one place.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Blocks: sm-security
Severity: -- → S3
Priority: -- → P1

So, is this is a security problem or not? Comment 3 says you aren't sure, but comment 6 says there's no way to construct an exploit. What should the security rating for this be if any? Can it be unhidden? Thanks.

Flags: needinfo?(jcoppeard)

User script can certainly import an empty JSON module, but that will be loaded into the existing compartment won't it? How could user script trigger the creation of a new compartment with it?

(In reply to Andrew McCreight [:mccr8] from comment #7)
Oh I guess I was thinking based on the test code rather than based on the patch which is what the question asks. The answer is it would be very difficult to create an exploit based on the patch as it's not clear what the problem is.

I'd like to keep this a sec issue out of caution but I think it can be sec-moderate.

Flags: needinfo?(jcoppeard)
Flags: sec-bounty?

Set release status flags based on info from the regressing bug 1877791

status-firefox135: --- → affected
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/72c0f9e48dfb The result of evaluating a JSON module should be |undefined| r=jandem
Backout by amarc@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c90592d2c066 Backed out changeset 72c0f9e48dfb for causing linting failures @ testcase.js CLOSED TREE

Backed out for causing linting failures @ testcase.js

TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/js/src/testcase.js:1:1 | 'a' is not defined. (no-undef)
Flags: needinfo?(jcoppeard)
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/964fb7c2ab4e The result of evaluating a JSON module should be |undefined| r=jandem
Flags: needinfo?(jcoppeard)

https://hg.mozilla.org/mozilla-central/rev/964fb7c2ab4e

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox135: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch

The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox134 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jcoppeard)
Flags: sec-bounty? → sec-bounty+

We think it's unlikely to be exploitable by web content (comment 9) but we're still glad to have it fixed so we don't have to worry about it.

Comment on attachment 9436848 [details]
Bug 1929623 - The result of evaluating a JSON module should be |undefined| r?jandem

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Possible security vulnerability.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change that has been on central without for 6 days with no problems.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(jcoppeard)
Attachment #9436848 - Flags: approval-mozilla-beta?

Comment on attachment 9436848 [details]
Bug 1929623 - The result of evaluating a JSON module should be |undefined| r?jandem

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: I don't think this is exploitable but I'd like to err on the side of caution. The fix is simple.
  • User impact if declined: Possible security vulnerability.
  • Fix Landed on Version: 135
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change that has been on central without for 6 days with no problems.
Attachment #9436848 - Flags: approval-mozilla-esr128?
Attachment #9436848 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9436848 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Jon, the uplift in esr128 is causing failures, could you have a look? https://treeherder.mozilla.org/jobs?repo=mozilla-esr128&selectedTaskRun=Ue-a8NncTJKqOVQAFAJrrg.0

Flags: needinfo?(jcoppeard)
Regressions: 1936853
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main134+][adv-ESR128.6+]
Flags: needinfo?(jcoppeard)
Alias: CVE-2025-0240
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: