Closed Bug 2003589 Opened 7 months ago Closed 6 months ago

Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:407

Categories

(Core :: JavaScript Engine, defect)

All
Linux
defect

Tracking


RESOLVED FIXED
147 Branch
Tracking Status
firefox-esr140 --- unaffected
firefox145 --- unaffected
firefox146 --- unaffected
firefox147 --- fixed

People

(Reporter: gkw, Assigned: alexical)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords)

Attachments

(2 files)

Attached file debug stack
for (var i = 0 ; i < 99 ; i++) {
  [].__proto__.__proto__ = new Proxy(Object, Object);
  Object.keys([]);
}
(gdb) bt
#0  0x0000555557370638 in MOZ_CrashSequence (aAddress=0x0, aLine=407)
    at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-256e8bad1a52-598750/objdir-js/dist/include/mozilla/Assertions.h:237
#1  js::RunScript (cx=cx@entry=0x7ffff5e3c200, state=...) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:406
#2  0x00005555573710fc in js::InternalCallOrConstruct (cx=0x7ffff5e3c200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=<optimized out>)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:618
#3  0x0000555557371da8 in InternalCall (cx=<optimized out>, args=..., reason=407, reason@entry=js::CallReason::Call)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:653
#4  0x0000555557371fbd in js::Call (cx=<optimized out>, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=...,
    reason=reason@entry=js::CallReason::Call) at /home/msf2/trees/firefox/js/src/vm/Interpreter.cpp:685
#5  0x00005555574399a7 in js::Call (cx=0x7ffff5e3c200, fval=..., thisObj=<optimized out>, arg0=..., arg1=..., rval=...)
    at /home/msf2/trees/firefox/js/src/vm/Interpreter.h:145
/snip
7c0e78c0e457-597167
7c0e78c0e4575dda295abed143b32888ac5a8f5d is the first interesting commit
commit 7c0e78c0e4575dda295abed143b32888ac5a8f5d
Author: Alex Thayer
Date:   Wed Nov 19 21:05:46 2025 +0000

    Bug 1995077 - Integrate with existing iterator indices optimizations r=iain

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev 256e8bad1a52af07e29574baf4aaf02f05b39d93.

Note that a previous similar-looking bug 1853180 was marked sec-moderate.

Alex/Iain, is bug 1995077 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(iireland)
Flags: needinfo?(dothayer)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1995077

Assignee: nobody → dothayer
Status: NEW → ASSIGNED
Flags: needinfo?(dothayer)
Attached file (secure)

Our fuzzers are hitting this multiple times a day, also. See bug 1897240. Could be a different triggering issue, especially since yours was a more recent regression.

This is a fairly general assertion that can catch a variety of problems. Bug 1897240 is a case where it is likely too picky, but it's hard to be completely sure. This is a real bug, though, and probably exploitable.

Flags: needinfo?(iireland)

(In reply to Iain Ireland [:iain] from comment #5)
> This is a real bug, though, and probably exploitable.

Just checking, sec-moderate is still the most appropriate here, in case it's a different problem?

Flags: needinfo?(iireland)
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch
Flags: in-testsuite+

This is a more significant bug than bug 1897240. It's probably exploitable. Consider a case where we're indexing into an array twice at the same index with an Object.keys in between. We think that we can reuse the bounds check, but in fact the Object.keys triggers a proxy handler that shrinks the array. Suddenly we have an OOB access.

Sec-high seems reasonable to me.

Flags: needinfo?(iireland)
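An added illustration of the invariant described in the comment above; it is not the bug's testcase and not SpiderMonkey's own code. It shows, in plain JavaScript semantics, why an engine may not reuse an array bounds check across a call that can run user code: Object.keys on a proxied array invokes the proxy's ownKeys trap, and that trap may shrink the array, so a second read at the same index must be re-checked and yield undefined. Placing the proxy on the array itself is an assumption made for the demo because the spec guarantees the ownKeys trap runs there; the bug's testcase places the proxy on the prototype chain instead. The ToyArray model and the readTwice* functions are likewise constructed for the illustration.

```javascript
// Added illustration, not the bug's testcase or SpiderMonkey's own code.

// Two reads of the same index with Object.keys in between. The proxy sits on
// the array itself (demo assumption; the spec guarantees its ownKeys trap runs),
// whereas the bug's testcase places the proxy on the prototype chain.
function readTwiceWithKeysBetween() {
  const arr = [10, 20, 30, 40, 50, 60];
  const proxied = new Proxy(arr, {
    ownKeys(target) {
      target.length = 2;              // user code shrinks the array mid-operation
      return Reflect.ownKeys(target); // '0', '1', 'length' after the shrink
    },
  });
  const before = arr[5];             // index 5 is in bounds here: 60
  const keys = Object.keys(proxied); // trap fires, arr.length becomes 2
  const after = arr[5];              // same index, now out of bounds: undefined
  return { before, after, length: arr.length, keys };
}

// A toy model of dense-element storage with a separately tracked logical
// length, to make the hazard concrete: the backing store keeps stale slots
// after a shrink, so a read that trusts an old bounds check returns stale data.
class ToyArray {
  constructor(values) {
    this.elements = values.slice(); // backing store; capacity never shrinks here
    this.length = values.length;    // logical length
  }
  shrink(newLength) {
    this.length = newLength;        // stale slots remain in `elements`
  }
}

// What a JIT must not do: reuse the first bounds check across `between`,
// a call that may run arbitrary user code and shrink the array.
function readTwiceReusingCheck(toy, i, between) {
  if (i >= toy.length) return [undefined, undefined];
  const first = toy.elements[i];
  between(toy);                   // may shrink `toy`
  const second = toy.elements[i]; // read past the logical length: stale slot
  return [first, second];
}

// The correct behaviour: re-check against the current length after the call.
function readTwiceRecheck(toy, i, between) {
  const first = i < toy.length ? toy.elements[i] : undefined;
  between(toy);
  const second = i < toy.length ? toy.elements[i] : undefined;
  return [first, second];
}
```

Running readTwiceWithKeysBetween() in any spec-conforming engine gives before 60, after undefined and keys ['0', '1']; the toy functions contrast the stale read a reused check would produce with the re-checked read that matches the interpreter's result.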

> Just checking, sec-moderate is still the most appropriate here, in case it's a different problem?

> Sec-high seems reasonable to me.

Forwarding to Dan.

Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)

Not sure how much it matters, but I think this is probably csectype-jit. (Although I don't know the exact definitions of the various categories. Are they written down anywhere?)

QA Whiteboard: [sec] [qa-triage-done-c148/b147]
Flags: sec-bounty? → sec-bounty+
Group: core-security-release