Closed Bug 1972235 Opened 9 months ago Closed 9 months ago

Crash [@ JSObject::getClass] involving [@ JSObject::is<js::FixedLengthSharedArrayBufferObject>]

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

All
Linux
defect

Tracking


RESOLVED FIXED
141 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox-esr140 --- wontfix
firefox139 --- wontfix
firefox140 --- wontfix
firefox141 --- fixed

People

(Reporter: gkw, Assigned: yury)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
function f() {
  var x = { initial: 0, maximum: 1 };        // memory descriptor: 0 initial pages, may grow to 1
  x.shared = {};                             // truthy, so the memory is shared (SharedArrayBuffer-backed)
  y = new WebAssembly.Memory(x);
  y.toFixedLengthBuffer(y.grow(x.maximum));  // grow to the maximum, then request a fixed-length buffer
                                             // (the argument, grow()'s return value, is ignored)
  oomTest(f);                                // JS shell testing function: rerun f with each allocation forced to fail in turn
}
f();
(gdb) bt
#0  JSObject::getClass (this=0x0) at /home/msf1/trees/mozilla-central/js/src/vm/JSObject.h:115
#1  0x00005555587efb6d in JSObject::is<js::FixedLengthSharedArrayBufferObject> (this=0x0) at /home/msf1/trees/mozilla-central/js/src/vm/JSObject.h:505
#2  js::WasmMemoryObject::refreshBuffer (cx=cx@entry=0x7ffff5e40400, memoryObj=memoryObj@entry=..., buffer=buffer@entry=...)
    at /home/msf1/trees/mozilla-central/js/src/wasm/WasmJS.cpp:2185
#3  0x00005555587f14b6 in js::WasmMemoryObject::toFixedLengthBufferImpl (cx=cx@entry=0x7ffff5e40400, args=...)
    at /home/msf1/trees/mozilla-central/js/src/wasm/WasmJS.cpp:2327
#4  0x00005555587f1b7d in JS::CallNonGenericMethod<&(IsMemory(JS::Handle<JS::Value>)), &js::WasmMemoryObject::toFixedLengthBufferImpl> (cx=0x7ffff5e40400,
    args=...) at /home/msf1/shell-cache/js-dbg-64-linux-x86_64-f466599094b7/objdir-js/dist/include/js/CallNonGenericMethod.h:103
#5  js::WasmMemoryObject::toFixedLengthBuffer (cx=cx@entry=0x7ffff5e40400, argc=<optimized out>, vp=<optimized out>)
    at /home/msf1/trees/mozilla-central/js/src/wasm/WasmJS.cpp:2357
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8adc13e23e8f
user:        Yury Delendik
date:        Mon Apr 21 13:29:38 2025 +0000
summary:     Bug 1925083 - Integrate WebAssembly.Memory with ResizableArrayBuffer proposal. r=rhunt

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev f466599094b7.

Yury, is bug 1925083 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(ydelendik)

Set release status flags based on info from the regressing bug 1925083

Group: core-security → javascript-core-security
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED

The toFixedLengthBuffer has a missing OOM check, which could cause the value to be defined as bitsFromTagAndPayload(JSVAL_TAG_OBJECT, PayloadType(nullptr)) and returned as the result.

Severity: -- → S3
Priority: -- → P3
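The failure mode described in the comment above, as an added illustration that is not code from this bug or from SpiderMonkey: a fallible allocation whose result is wrapped in an object-tagged value without being checked, beside the version that propagates the failure. All names here (TaggedValue, fromTagAndPayload, allocateBuffer, the toFixedLengthBuffer* functions, the gFailNextAllocation switch) are hypothetical stand-ins for the engine's own types and for what the shell's oomTest() does when it forces each allocation site to fail.

```cpp
#include <cassert>
#include <cstring>
#include <new>

// Hypothetical model of a tagged engine value (tag + payload), in the spirit of
// the bitsFromTagAndPayload(JSVAL_TAG_OBJECT, payload) call named in the bug.
// This is not SpiderMonkey's layout; it only reproduces the failure mode.
enum class Tag { Undefined, Object };

// Stand-in for a heap object carrying a class pointer, as JSObject::getClass()
// reads it. getClass() on a null object is exactly frame #0 of the stack trace.
struct Klass { const char* name; };
struct Object { const Klass* clasp; };
static const Klass kBufferClass{"FixedLengthBuffer"};

struct TaggedValue {
  Tag tag = Tag::Undefined;
  Object* payload = nullptr;
};

static TaggedValue fromTagAndPayload(Tag tag, Object* payload) {
  return TaggedValue{tag, payload};
}

// Simulated fallible allocator. Setting gFailNextAllocation mimics what the JS
// shell's oomTest() does: it reruns the test with each allocation forced to fail.
static bool gFailNextAllocation = false;
static Object* allocateBuffer() {
  if (gFailNextAllocation) { gFailNextAllocation = false; return nullptr; }
  return new (std::nothrow) Object{&kBufferClass};
}

// BEFORE (the defect): the allocation result is wrapped without being checked.
// Under OOM this returns a value tagged as an object whose payload is null.
static TaggedValue toFixedLengthBufferUnchecked() {
  Object* buf = allocateBuffer();
  return fromTagAndPayload(Tag::Object, buf);   // buf may be nullptr here
}

// AFTER: check the allocation and report failure to the caller, so a null
// payload is never wrapped in an object-tagged value.
static bool toFixedLengthBufferChecked(TaggedValue* out) {
  Object* buf = allocateBuffer();
  if (!buf) {
    return false;   // propagate OOM; the caller reports it and unwinds
  }
  *out = fromTagAndPayload(Tag::Object, buf);
  return true;
}

// Invariant a debug build can assert wherever an object-tagged value is built.
static bool isWellFormedObjectValue(const TaggedValue& v) {
  return v.tag != Tag::Object || v.payload != nullptr;
}

// The consumer from the stack trace: reads the class through the payload.
// Without the assert (release build) a malformed value dereferences nullptr.
static const char* className(const TaggedValue& v) {
  assert(isWellFormedObjectValue(v));
  return v.payload->clasp->name;
}

static void releaseValue(TaggedValue& v) {
  delete v.payload;
  v.payload = nullptr;
  v.tag = Tag::Undefined;
}

// Drive the two versions through one injected allocation failure.
bool uncheckedPathYieldsNullObject() {
  gFailNextAllocation = true;
  TaggedValue v = toFixedLengthBufferUnchecked();
  return v.tag == Tag::Object && v.payload == nullptr && !isWellFormedObjectValue(v);
}

bool checkedPathReportsOom() {
  gFailNextAllocation = true;
  TaggedValue v;
  return !toFixedLengthBufferChecked(&v) && v.tag == Tag::Undefined;
}

bool checkedPathSucceedsWithoutOom() {
  TaggedValue v;
  if (!toFixedLengthBufferChecked(&v)) return false;
  bool ok = std::strcmp(className(v), "FixedLengthBuffer") == 0;
  releaseValue(v);
  return ok;
}

int main() {
  assert(uncheckedPathYieldsNullObject());
  assert(checkedPathReportsOom());
  assert(checkedPathSucceedsWithoutOom());
  return 0;
}
```

The unchecked path is what an OOM-injecting harness such as oomTest() surfaces: the null-payload value looks like an ordinary object until something reads through it, which is why the crash lands in a consumer (getClass) rather than at the allocation site. The triage conclusion above follows from the same observation: a null payload under an object tag always fails on first dereference, so the outcome is a crash rather than a controllable condition.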

Having a JSVAL_TAG_OBJECT with a nullptr should always result in a nullptr crash down the road. Triggered only by an OOM condition. Removing the security flag.

Group: javascript-core-security
Flags: needinfo?(ydelendik)
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
Flags: sec-bounty? → sec-bounty-
QA Whiteboard: [qa-triage-done-c142/b141]
