Bug 371292 - Crash [@ js_AtomToPrintableString]
Status: Closed, VERIFIED FIXED
Opened 17 years ago; closed 17 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: jruderman; Assigned: mrbkap
Keywords: crash, regression, verified1.8.1.15
Whiteboard: [sg:critical?]
Attachments (1 file): patch, 1001 bytes; brendan: review+; dveditz: approval1.8.1.15+
This crash occurred about 5 times last night (out of about a hundred tests related to bug 326633). I can't reproduce it on demand so I can't make a reduced testcase. Regression from bug 365869?

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000009

Thread 0 Crashed:
0 libmozjs.dylib 0x01023ff0 js_AtomToPrintableString + 15 (jsatom.c:63)
1 libmozjs.dylib 0x0105e5fb js_CheckRedeclaration + 740 (jsinterp.c:1814)
2 libmozjs.dylib 0x01074fdf js_Interpret + 91003 (jsinterp.c:5290)
3 libmozjs.dylib 0x0105d41a js_Invoke + 3423 (jsinterp.c:1367)
4 libmozjs.dylib 0x0105d7b0 js_InternalInvoke + 309 (jsinterp.c:1442)
5 libmozjs.dylib 0x0101d53b JS_CallFunctionValue + 60 (jsapi.c:4368)
6 libgklayout.dylib 0x18781e2a nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 1228 (nsJSEnvironment.cpp:1774)
7 libgklayout.dylib 0x187a4574 nsGlobalWindow::RunTimeout(nsTimeout*) + 1778 (nsGlobalWindow.cpp:6772)
8 libgklayout.dylib 0x187a4a62 nsGlobalWindow::TimerCallback(nsITimer*, void*) + 54 (nsGlobalWindow.cpp:7103)
9 libxpcom_core.dylib 0x0134c7f4 nsTimerImpl::Fire() + 892 (nsTimerImpl.cpp:384)
10 libxpcom_core.dylib 0x0134c9a1 nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
11 libxpcom_core.dylib 0x01348a58 nsThread::ProcessNextEvent(int, int*) + 556 (nsThread.cpp:483)
...
Comment 1 • 17 years ago (assignee)
Oops, this is all me.

Comment 2 • 17 years ago (assignee)

Comment 3 • 17 years ago (assignee)
Oh, and the reduced testcase is:

js> ({1:1,1:2})
typein:1: strict warning: redeclaration of property 1
Comment 4 • 17 years ago
Comment on attachment 256066 [details] [diff] [review] Fix

Yoiks. Should have seen this too. Did I ever file that bug on eliminating jsid by making it be jsval?

/be

Attachment #256066 - Flags: review?(brendan) → review+
Comment 5 • 17 years ago (assignee)
Fix checked in.

Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 6 • 17 years ago
Back in the day, I couldn't reproduce the crash in this bug but I've added the reduced testcase in comment 3 to /cvsroot/mozilla/js/tests/js1_5/extensions/regress-365869.js,v

<-- regress-365869.js
new revision: 1.2; previous revision: 1.1

Flags: in-testsuite+
Comment 9 • 16 years ago
The bug exists on the 1.8 branch and leads to branch crashes with the following example:

"012345".__defineSetter__(5, function(){});

Group: security
Comment 10 • 16 years ago
I nominate this bug for 1.8.1.15 as bug 431409 (marked as a dup of this bug) is blocking the .15 release.

Flags: blocking1.8.1.15?
Comment 11 • 16 years ago
Comment on attachment 256066 [details] [diff] [review] Fix

The patch applies as-is to the 1.8 branch.

Attachment #256066 - Flags: approval1.8.1.15?
Updated • 16 years ago
Flags: blocking1.8.1.15? → blocking1.8.1.15+
Comment 12 • 16 years ago
Comment on attachment 256066 [details] [diff] [review] Fix

Approved for 1.8.1.15, a=dveditz for release-drivers

Attachment #256066 - Flags: approval1.8.1.15? → approval1.8.1.15+
Comment 13 • 16 years ago
Is this really a regression? It appears to affect the 1.8 branch as well, but the proposed regressing bug 365869 didn't land there.
Comment 14 • 16 years ago
And how bad is it as a security bug? So far we've only seen accesses (not execution) of small offsets from null.

Flags: wanted1.8.1.x+
Comment 15 • 16 years ago
(In reply to comment #14)
> And how bad is it as a security bug? so far we've only seen accesses (not
> execution) of small offsets from null.

Just replace the number 5 in the example from bug 431409 (also duplicated in comment 9 here) by any other number and the access can be made at an arbitrary odd address in the 0..2**32 range. Since the code then accesses a word at that address that is fed to js_ValueToPrintableString, one can prepare a pointer there that resembles a JSObject* with the toString converter pointing to script-prepared native code.
Comment 16 • 16 years ago
I'd like to say that sounds impossible to exploit in practice, but given recent amazing hacks -- like http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/ -- I wouldn't want to stake my life on it.

Whiteboard: [sg:critical?]
Comment 17 • 16 years ago
mrbkap's out for the month and I can't check in to mozilla/js -- Igor, Gavin or Crowder, could any of you check this in on the 1.8 branch please? Thanks

Keywords: checkin-needed
Comment 18 • 16 years ago
I can verify that the patch in the bug does nicely stop the crash.
Comment 19 • 16 years ago
random-three-o-eight:~/moz/branch18/mozilla/js/src jwalden$ cvs st jsinterp.c
===================================================================
File: jsinterp.c        Status: Locally Modified
   Working revision:    3.181.2.99
   Repository revision: 3.181.2.99    /cvsroot/mozilla/js/src/jsinterp.c,v
   Sticky Tag:          MOZILLA_1_8_BRANCH (branch: 3.181.2)
   Sticky Date:         (none)
   Sticky Options:      (none)

random-three-o-eight:~/moz/branch18/mozilla/js/src jwalden$ cvs ci -m "Bug 371292 - p=igor, r=brendan, a=dveditz" jsinterp.c
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.100; previous revision: 3.181.2.99
done

Keywords: checkin-needed → fixed1.8.1.15
Comment 20 • 16 years ago
1.8.1.15/1.9.0 linux/mac/win tested with comment 9 added to js1_5/extensions/regress-365869.js with no crashes.

Keywords: fixed1.8.1.15 → verified1.8.1.15
Updated • 16 years ago
Group: security
Updated • 13 years ago
Crash Signature: [@ js_AtomToPrintableString]