Closed Bug 371292 Opened 17 years ago Closed 17 years ago

Crash [@ js_AtomToPrintableString]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(Keywords: crash, regression, verified1.8.1.15, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

This crash occurred about 5 times last night (out of about a hundred tests related to bug 326633).  I can't reproduce it on demand so I can't make a reduced testcase.

Regression from bug 365869?

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000009

Thread 0 Crashed:
0   libmozjs.dylib           	0x01023ff0 js_AtomToPrintableString + 15 (jsatom.c:63)
1   libmozjs.dylib           	0x0105e5fb js_CheckRedeclaration + 740 (jsinterp.c:1814)
2   libmozjs.dylib           	0x01074fdf js_Interpret + 91003 (jsinterp.c:5290)
3   libmozjs.dylib           	0x0105d41a js_Invoke + 3423 (jsinterp.c:1367)
4   libmozjs.dylib           	0x0105d7b0 js_InternalInvoke + 309 (jsinterp.c:1442)
5   libmozjs.dylib           	0x0101d53b JS_CallFunctionValue + 60 (jsapi.c:4368)
6   libgklayout.dylib        	0x18781e2a nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 1228 (nsJSEnvironment.cpp:1774)
7   libgklayout.dylib        	0x187a4574 nsGlobalWindow::RunTimeout(nsTimeout*) + 1778 (nsGlobalWindow.cpp:6772)
8   libgklayout.dylib        	0x187a4a62 nsGlobalWindow::TimerCallback(nsITimer*, void*) + 54 (nsGlobalWindow.cpp:7103)
9   libxpcom_core.dylib      	0x0134c7f4 nsTimerImpl::Fire() + 892 (nsTimerImpl.cpp:384)
10  libxpcom_core.dylib      	0x0134c9a1 nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
11  libxpcom_core.dylib      	0x01348a58 nsThread::ProcessNextEvent(int, int*) + 556 (nsThread.cpp:483)
...
Oops, this is all me.
Attached patch: Fix
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #256066 - Flags: review?(brendan)
Oh, and the reduced testcase is:
js> ({1:1,1:2})
typein:1: strict warning: redeclaration of property 1
Comment on attachment 256066 (Fix)

Yoiks. Should have seen this too. Did I ever file that bug on eliminating jsid by making it be jsval?

/be
Attachment #256066 - Flags: review?(brendan) → review+
Blocks: 365869
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Back in the day, I couldn't reproduce the crash in this bug but I've added the reduced testcase in comment 3 to 

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-365869.js,v  <--  regress-365869.js
new revision: 1.2; previous revision: 1.1
Flags: in-testsuite+
verified fixed 1.9.0 20070320 win/mac*/linux
Status: RESOLVED → VERIFIED
The bug exists on the 1.8 branch and leads to branch crashes with the following example:

"012345".__defineSetter__(5, function(){});

Group: security
I nominate this bug for 1.8.1.15, as bug 431409 (marked as a dup of this bug) is blocking the .15 release.
Flags: blocking1.8.1.15?
Comment on attachment 256066 (Fix)

The patch applies as-is to the 1.8 branch.
Attachment #256066 - Flags: approval1.8.1.15?
Flags: blocking1.8.1.15? → blocking1.8.1.15+
Comment on attachment 256066 (Fix)

Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #256066 - Flags: approval1.8.1.15? → approval1.8.1.15+
Is this really a regression? It appears to affect the 1.8 branch as well, but the proposed regressing bug 365869 didn't land there.
And how bad is it as a security bug? So far we've only seen accesses (not execution) of small offsets from null.
Flags: wanted1.8.1.x+
(In reply to comment #14)
> And how bad is it as a security bug? so far we've only seen accesses (not
> execution) of small offsets from null.

Just replace the number 5 in the example from bug 431409 (also duplicated in comment 9 here) with any other number and the access can be made at an arbitrary odd address in the 0..2**32 range. Since the code then accesses a word at that address that is fed to js_ValueToPrintableString, one can prepare a pointer there that resembles a JSObject* with the toString converter pointing to script-prepared native code.
I'd like to say that sounds impossible to exploit in practice, but given recent amazing hacks -- like http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/ -- I wouldn't want to stake my life on it.
Whiteboard: [sg:critical?]
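The mechanism behind the testcases in comment 3 and comment 9, and behind the "arbitrary odd address" point made just above, is a tag confusion: a numeric property id is a tagged integer, not an atom pointer, and the pre-fix js_CheckRedeclaration path handed it to js_AtomToPrintableString as if it were a JSAtom*. The following C model, added here as an illustration (it is not SpiderMonkey's code; the Atom struct, the macro bodies and the function names are assumptions that mirror the 32-bit-era tagging scheme only in spirit), shows why an integer id n becomes the odd address (n << 1) | 1, and how dispatching on the tag first, as the fix's move to value-based printing does, avoids touching memory at all for integer ids.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of tagged property ids (an assumption, not the engine's
 * real headers): an integer id is stored as (n << 1) | 1, so it is always
 * odd, while an atom id is the even, aligned address of an Atom.
 */
typedef uintptr_t jsid;

typedef struct Atom {
    const char *chars;      /* hypothetical: the interned string's text */
} Atom;

#define JSID_IS_INT(id)   (((id) & 1) != 0)
#define JSID_TO_INT(id)   ((int32_t)((intptr_t)(id) >> 1))
#define INT_TO_JSID(n)    ((jsid)(((uintptr_t)(int32_t)(n) << 1) | 1))
#define JSID_IS_ATOM(id)  (!JSID_IS_INT(id))
#define ATOM_TO_JSID(a)   ((jsid)(a))
#define JSID_TO_ATOM(id)  ((Atom *)(id))

/*
 * The pointer the buggy path treated as a JSAtom*: the raw id bits.  For an
 * integer id this is a script-chosen odd address (5 -> 11); the real engine
 * then read through it, which is the crash.  Returned as an integer and never
 * dereferenced here.
 */
uintptr_t buggy_atom_address(jsid id)
{
    return (uintptr_t)JSID_TO_ATOM(id);
}

/*
 * Fixed behaviour: check the tag before touching memory.  Writes the
 * printable form of the id into buf and returns buf, or NULL if buf is too
 * small.
 */
const char *id_to_printable(jsid id, char *buf, size_t len)
{
    int n;
    if (JSID_IS_INT(id))
        n = snprintf(buf, len, "%d", JSID_TO_INT(id));
    else
        n = snprintf(buf, len, "%s", JSID_TO_ATOM(id)->chars);
    return (n < 0 || (size_t)n >= len) ? NULL : buf;
}

int main(void)
{
    static Atom foo = { "foo" };
    char buf[32];
    /* Constructed sample ids: the two numeric indices from the testcases,
     * a large index, and one genuine atom. */
    jsid ids[] = { INT_TO_JSID(1), INT_TO_JSID(5), INT_TO_JSID(0x40000000),
                   ATOM_TO_JSID(&foo) };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        printf("id=%#lx tag=%s as-atom-ptr=%#lx printable=%s\n",
               (unsigned long)ids[i],
               JSID_IS_INT(ids[i]) ? "int" : "atom",
               (unsigned long)buggy_atom_address(ids[i]),
               id_to_printable(ids[i], buf, sizeof buf));
    }
    return 0;
}
```

Running it prints one line per id; the "as-atom-ptr" column for the integer ids is exactly the address a script controls by choosing the index, which is the point of the comment above about replacing 5 with any other number.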
mrbkap's out for the month and I can't check in to mozilla/js -- Igor, Gavin or Crowder, could any of you check this in on the 1.8 branch please? Thanks
Keywords: checkin-needed
I can verify that the patch in the bug does nicely stop the crash.
random-three-o-eight:~/moz/branch18/mozilla/js/src jwalden$ cvs st jsinterp.c 
===================================================================
File: jsinterp.c        Status: Locally Modified

   Working revision:    3.181.2.99
   Repository revision: 3.181.2.99      /cvsroot/mozilla/js/src/jsinterp.c,v
   Sticky Tag:          MOZILLA_1_8_BRANCH (branch: 3.181.2)
   Sticky Date:         (none)
   Sticky Options:      (none)

random-three-o-eight:~/moz/branch18/mozilla/js/src jwalden$ cvs ci -m "Bug 371292 - p=igor, r=brendan, a=dveditz" jsinterp.c
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.100; previous revision: 3.181.2.99
done
1.8.1.15/1.9.0 linux/mac/win tested with comment 9 added to js1_5/extensions/regress-365869.js with no crashes.
Group: security
Crash Signature: [@ js_AtomToPrintableString]