Closed Bug 1957544 Opened 3 months ago Closed 3 months ago

ASAN heap-buffer-overflow [@ js::SharedArrayRawBuffer::isGrowable] or Assertion failure: !view->isSharedMemory(), at vm/ArrayBufferViewObject.cpp:95

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

All
Linux
defect

Tracking

RESOLVED FIXED
139 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox137 --- unaffected
firefox138 --- wontfix
firefox139 --- fixed

People

(Reporter: gkw, Assigned: rhunt)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(4 files)

Attached file Debug stack
streamCacheEntry(new DataView(new SharedArrayBuffer()))
(gdb) bt
#0  0x00005555574053a3 in MOZ_CrashSequence (aAddress=0x0, aLine=95) at /home/msf1/shell-cache/js-dbg-64-linux-x86_64-4bbc39703afd/objdir-js/dist/include/mozilla/Assertions.h:267
#1  js::ArrayBufferViewObject::ensureNonInline (cx=<optimized out>, view=...) at /home/msf1/trees/mozilla-central/js/src/vm/ArrayBufferViewObject.cpp:95
#2  0x00005555577abbee in js::IsBufferSource (cx=cx@entry=0x7ffff693a200, object=0x458ff00818, allowShared=true, allowResizable=true, dataPointer=dataPointer@entry=0x7fffffffcb40, byteLength=byteLength@entry=0x7fffffffcb08) at /home/msf1/trees/mozilla-central/js/src/vm/TypedArrayObject.cpp:4861
#3  0x0000555557236a07 in StreamCacheEntryObject::construct (cx=cx@entry=0x7ffff693a200, argc=<optimized out>, vp=<optimized out>) at /home/msf1/trees/mozilla-central/js/src/shell/js.cpp:8238
#4  0x0000555557324a25 in CallJSNative (cx=cx@entry=0x7ffff693a200, native=0x555557236920 <StreamCacheEntryObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, args=...) at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:493
#5  0x0000555557300f86 in js::InternalCallOrConstruct (cx=0x7ffff693a200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:589
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a7073f2be4d9
user:        Ryan Hunt
date:        Mon Mar 24 18:05:38 2025 +0000
summary:     Bug 1931407 - wasm: Disallow shared memory for buffer compilation methods. r=yury

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 4bbc39703afd.

Ryan, is bug 1931407 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(rhunt)
Attached file ASan stack
=================================================================
==1684711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000005b91 at pc 0x63a036d3e060 bp 0x7ffdecf6cec0 sp 0x7ffdecf6ceb8
READ of size 1 at 0x502000005b91 thread T0
    #0 0x63a036d3e05f in js::SharedArrayRawBuffer::isGrowable() const /home/msf1/trees/mozilla-central/js/src/vm/SharedArrayObject.h:102:36
    #1 0x63a036d3e05f in js::SharedArrayBufferObject::isGrowable() const /home/msf1/trees/mozilla-central/js/src/vm/SharedArrayObject.h:368:55
    #2 0x63a036e7d6b0 in js::ArrayBufferViewObject::length() const /home/msf1/trees/mozilla-central/js/src/vm/ArrayBufferViewObject.cpp:354:17
    #3 0x63a03733bcf6 in js::DataViewObject::byteLength() /home/msf1/trees/mozilla-central/js/src/builtin/DataViewObject.h:69:35
    #4 0x63a03733bcf6 in js::IsBufferSource(JSContext*, JSObject*, bool, bool, SharedMem<unsigned char*>*, unsigned long*) /home/msf1/trees/mozilla-central/js/src/vm/TypedArrayObject.cpp:4865:25
    #5 0x63a036b811a1 in StreamCacheEntryObject::construct(JSContext*, unsigned int, JS::Value*) /home/msf1/trees/mozilla-central/js/src/shell/js.cpp:8238:10
/snip

Compile the ASan build with AR=ar sh ../configure --enable-fuzzing --without-sysroot --enable-address-sanitizer --disable-jemalloc --disable-stdcxx-compat --enable-undefined-sanitizer --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, run with the same flags.

Attached file Opt stack
(gdb) bt
#0  0x0000555556f5d0f9 in MOZ_CrashSequence (aAddress=0x0, aLine=252) at /home/msf1/shell-cache/js-64-linux-x86_64-4bbc39703afd/objdir-js/dist/include/mozilla/Assertions.h:267
#1  js::SharedArrayRawBuffer::dropReference (this=0x7ffff5803088) at /home/msf1/trees/mozilla-central/js/src/vm/SharedArrayObject.cpp:252
#2  0x0000555556f5e00d in js::SharedArrayBufferObject::dropRawBuffer (this=0x6b4e4f6d038) at /home/msf1/trees/mozilla-central/js/src/vm/SharedArrayObject.cpp:594
#3  js::SharedArrayBufferObject::Finalize (gcx=<optimized out>, obj=0x6b4e4f6d038) at /home/msf1/trees/mozilla-central/js/src/vm/SharedArrayObject.cpp:616
#4  0x0000555557318832 in JSClass::doFinalize (gcx=0x7ffff692c590, obj=0x6b4e4f6d038, this=<optimized out>) at /home/msf1/shell-cache/js-64-linux-x86_64-4bbc39703afd/objdir-js/dist/include/js/Class.h:656
#5  JSObject::finalize (this=0x6b4e4f6d038, gcx=0x7ffff692c590) at /home/msf1/trees/mozilla-central/js/src/vm/JSObject-inl.h:95
/snip

Compile the opt build with AR=ar sh ../configure --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests.

Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1931407

The issue here is that streamCacheEntry is using js::IsBufferSource, which is calling ArrayBufferViewObject::ensureNonInline on a shared array buffer. This is not allowed by that method. In debug builds it will assert; in release builds it looks like it will do a heap buffer overflow.

streamCacheEntry is a JS shell testing function not in the browser. The only browser-exposed usage of js::IsBufferSource is in wasm [1], and it explicitly disallows shared array buffers, which will prevent this issue. With that, this is not security sensitive.

[1] https://searchfox.org/mozilla-central/rev/e600058b50ddb4932be63d5a8926fb154398b679/js/src/wasm/WasmJS.cpp#1571-1572

Assignee: nobody → rhunt
Flags: needinfo?(rhunt)
Group: javascript-core-security
Severity: -- → S3
Priority: -- → P1
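A small model, added here and not SpiderMonkey's own code, of the precondition described in the comment above: a method that must not run on shared memory, the unguarded caller shape that reaches it with a SharedArrayBuffer-backed view, and the guarded shape that decides about shared memory first. The Buffer and Result types and the two isBufferSource variants are constructed for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of an ArrayBuffer-like object. Ordinary buffers may keep a small
// payload inline and can be moved out of line; shared buffers are backed by a
// separately refcounted raw buffer that is never inline and must not be moved.
struct Buffer {
  bool shared;
  bool inlineData;
  std::vector<uint8_t> bytes;  // constructed sample payload
};

// The method with the precondition from the bug: not allowed on shared memory.
// A violation is reported here instead of corrupting state (the real code
// asserts in debug builds and reads out of bounds in release builds).
bool ensureNonInline(Buffer& b) {
  if (b.shared) return false;
  b.inlineData = false;  // payload now lives out of line
  return true;
}

enum class Result { Ok, SharedRejected, PreconditionViolated };
// Unfixed shape: ensureNonInline runs on whatever view was passed in, so a
// SharedArrayBuffer-backed view reaches a method that cannot handle it.
Result isBufferSourceBefore(Buffer& b, const uint8_t** data, size_t* len) {
  if (!ensureNonInline(b)) return Result::PreconditionViolated;
  *data = b.bytes.data(); *len = b.bytes.size();
  return Result::Ok;
}

// Fixed shape: decide about shared memory first. Callers that disallow it get
// a clean rejection; otherwise the shared payload is already out of line, so
// ensureNonInline is not needed and must not be called.
Result isBufferSourceAfter(Buffer& b, bool allowShared, const uint8_t** data,
                           size_t* len) {
  if (b.shared) {
    if (!allowShared) return Result::SharedRejected;
  } else if (!ensureNonInline(b)) {
    return Result::PreconditionViolated;
  }
  *data = b.bytes.data(); *len = b.bytes.size();
  return Result::Ok;
}
int main() {  // constructed sample: a view over shared memory, as in the testcase
  Buffer sab{true, false, {1, 2, 3}}; const uint8_t* p = nullptr; size_t n = 0;
  assert(isBufferSourceBefore(sab, &p, &n) == Result::PreconditionViolated);
  assert(isBufferSourceAfter(sab, true, &p, &n) == Result::Ok && n == 3);
}
```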
Pushed by rhunt@eqrion.net: https://hg.mozilla.org/integration/autoland/rev/3aa88521931d Fix IsBufferSource for shared array buffer. r=yury
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch

The patch landed in nightly and beta is affected.
:rhunt, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox138 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(rhunt)
Duplicate of this bug: 1958690

This can only be reproduced in the JS shell using a testing function, not the browser. No uplift necessary.

Flags: needinfo?(rhunt)
Flags: sec-bounty? → sec-bounty-
QA Whiteboard: [qa-triage-done-c140/b139]