Closed
Bug 1987290
Opened 8 months ago
Closed 8 months ago
FinalizationRegistryObject::unregister can read arguments out of bound when no arguments are supplied
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
144 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox142 | --- | unaffected |
| firefox143 | --- | unaffected |
| firefox144 | + | fixed |
People
(Reporter: csmantle, Assigned: csmantle)
References
(Regression)
Details
(4 keywords)
Attachments
(4 files)
Internal fuzzing report
This code snippet causes the JS shell to crash on Nightly:
const v = new FinalizationRegistry(() => {});
v.unregister();
> ../gecko-dev/obj-x86_64-pc-windows-msvc/dist/bin/js.exe poc.js
[26100] Assertion failure: i < argc_, at D:/Workspace/gecko-dev/obj-x86_64-pc-windows-msvc/dist/include\js/CallArgs.h:213
#01: js::FinalizationRegistryObject::unregister (D:\Workspace\gecko-dev\js\src\builtin\FinalizationRegistryObject.cpp:592)
#02: CallJSNative (D:\Workspace\gecko-dev\js\src\vm\Interpreter.cpp:501)
#03: js::InternalCallOrConstruct (D:\Workspace\gecko-dev\js\src\vm\Interpreter.cpp:597)
#04: js::Interpret (D:\Workspace\gecko-dev\js\src\vm\Interpreter.cpp:3287)
#05: js::RunScript (D:\Workspace\gecko-dev\js\src\vm\Interpreter.cpp:471)
#06: js::ExecuteKernel (D:\Workspace\gecko-dev\js\src\vm\Interpreter.cpp:866)
#07: js::Execute (D:\Workspace\gecko-dev\js\src\vm\Interpreter.cpp:895)
#08: ExecuteScript (D:\Workspace\gecko-dev\js\src\vm\CompilationAndEvaluation.cpp:548)
#09: JS_ExecuteScript (D:\Workspace\gecko-dev\js\src\vm\CompilationAndEvaluation.cpp:573)
#10: RunFile (D:\Workspace\gecko-dev\js\src\shell\js.cpp:1315)
#11: Process (D:\Workspace\gecko-dev\js\src\shell\js.cpp:2086)
#12: Shell (D:\Workspace\gecko-dev\js\src\shell\js.cpp:12260)
#13: main (D:\Workspace\gecko-dev\js\src\shell\js.cpp:12663)
#14: __scrt_common_main_seh (D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288)
#15: BaseThreadInitThunk[C:\WINDOWS\System32\KERNEL32.DLL +0x2e8d7]
#16: RtlUserThreadStart[C:\WINDOWS\SYSTEM32\ntdll.dll +0x8d9c]
>
This is regressed by Bug 1863140 Part 3 (D263113), where a args[0] is used to get an element rather than args.get(0) at https://searchfox.org/firefox-main/rev/f985f336deeb9f7cb63d43c4f8dc8612d27b79e4/js/src/builtin/FinalizationRegistryObject.cpp#592.
|
Assignee | |
Updated•8 months ago
|
Keywords: regression
Regressed by: 1863140
|
|
Assignee | |
Comment 1•8 months ago
|
||
|
||
Updated•8 months ago
|
Assignee: nobody → webmaster
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
||
Comment 2•8 months ago
|
||
Set release status flags based on info from the regressing bug 1863140
status-firefox142:
--- → unaffected
status-firefox143:
--- → unaffected
status-firefox144:
--- → affected
status-firefox-esr128:
--- → unaffected
status-firefox-esr140:
--- → unaffected
|
|
||
Updated•8 months ago
|
Attachment #9511857 -
Attachment description: Bug 1987290 - Use get() instead of operator[] to get arguments in FinalizationRegistryObject::unregister. r=jandem,jonco → Bug 1987290 - Part 1: Use get() instead of operator[] to get arguments in FinalizationRegistryObject::unregister. r=jandem,jonco
|
|
Assignee | |
Comment 3•8 months ago
|
||
|
||
Updated•8 months ago
|
Group: javascript-core-security
|
|
||
Updated•8 months ago
|
Keywords: csectype-bounds,
sec-high
|
|
||
Updated•8 months ago
|
Attachment #9511857 -
Attachment description: Bug 1987290 - Part 1: Use get() instead of operator[] to get arguments in FinalizationRegistryObject::unregister. r=jandem,jonco → (secure)
|
|
||
Updated•8 months ago
|
Attachment #9511941 -
Attachment description: Bug 1987290 - Part 2: Add FinalizationRegistry/unregister-no-args.js non262 test case. r=jonco → (secure)
Pushed by jcoppeard@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/2b8155c2c4c2
https://hg.mozilla.org/integration/autoland/rev/9ecc08118361
Part 1: Use get() instead of operator[] to get arguments in FinalizationRegistryObject::unregister. r=jonco
https://github.com/mozilla-firefox/firefox/commit/dad31486e264
https://hg.mozilla.org/integration/autoland/rev/85925ba3c8a3
Part 2: Add FinalizationRegistry/unregister-no-args.js non262 test case. r=jonco
|
||
Comment 6•8 months ago
|
||
Note that we also found this bug internally on 9/6/2025 11:09 UTC with the following test case:
a = function() {}
new FinalizationRegistry(a).unregister()
|
|
||
Comment 7•8 months ago
|
||
|
||
Updated•8 months ago
|
Keywords: reporter-external
|
||
Comment 8•8 months ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9ecc08118361
https://hg.mozilla.org/mozilla-central/rev/85925ba3c8a3
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch
|
||
Updated•8 months ago
|
status-firefox-esr115:
--- → unaffected
tracking-firefox144:
--- → +
|
|
||
Comment 9•8 months ago
|
||
Flagging for bounty consideration at reporter's request to security@
Flags: sec-bounty?
|
||
Comment 10•8 months ago
|
||
While this is a legit report, because it was found internally within the grace period defined in the Bounty Policy it does not qualify. (Sorry)
Flags: sec-bounty? → sec-bounty-
|
||
Updated•7 months ago
|
QA Whiteboard: [sec] [qa-triage-done-c145/b144]
Flags: qe-verify-
|
|
||
Updated•27 days ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•