Last Comment Bug 436741 - (CVE-2008-5014) "Assertion failure: OBJ_IS_NATIVE(obj)" with __proto__ mangling
(CVE-2008-5014)
: "Assertion failure: OBJ_IS_NATIVE(obj)" with __proto__ mangling
Status: VERIFIED FIXED
[sg:critical?]
: assertion, hang, testcase, verified1.8.1.18, verified1.9.0.2
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- critical (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
:
Mentors:
Depends on:
Blocks: 326633
  Show dependency treegraph
 
Reported: 2008-05-31 20:42 PDT by Jesse Ruderman
Modified: 2009-05-07 14:58 PDT (History)
9 users (show)
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.18+
dveditz: wanted1.8.1.x+
bob: in‑testsuite+
bob: in‑litmus-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (crashes or hangs Firefox when loaded) (146 bytes, text/html)
2008-05-31 20:42 PDT, Jesse Ruderman
no flags Details
stack trace (6.15 KB, text/plain)
2008-05-31 20:43 PDT, Jesse Ruderman
no flags Details
Guess (1.15 KB, patch)
2008-06-23 07:53 PDT, Blake Kaplan (:mrbkap)
brendan: review+
Details | Diff | Splinter Review
Better (1.62 KB, patch)
2008-06-24 01:48 PDT, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.8.1.18+
samuel.sidler+old: approval1.9.0.2+
asac: approval1.8.0.next+
Details | Diff | Splinter Review
js1_5/extensions/regress-436741.js (2.50 KB, text/plain)
2008-08-08 01:14 PDT, Bob Clary [:bc:]
no flags Details

Description Jesse Ruderman 2008-05-31 20:42:23 PDT
Created attachment 323256 [details]
testcase (crashes or hangs Firefox when loaded)

Loading the testcase kills Firefox.

Debug:
Assertion failure: OBJ_IS_NATIVE(obj), at /Users/jruderman/central/mozilla/js/src/jslock.cpp:1187

Opt:
Hang.

Security-sensitive for now because I don't know whether this is a memory safety bug in opt builds.
Comment 1 Jesse Ruderman 2008-05-31 20:43:04 PDT
Created attachment 323257 [details]
stack trace
Comment 2 Brendan Eich [:brendan] 2008-06-01 17:27:20 PDT
Blake, can you take this one?

/be
Comment 3 Jeff Walden [:Waldo] (remove +bmo to email) 2008-06-01 17:45:58 PDT
mrbkap's out for a couple, few more weeks still, isn't he?
Comment 4 Blake Kaplan (:mrbkap) 2008-06-23 07:53:42 PDT
Created attachment 326322 [details] [diff] [review]
Guess

This seems like an ancient bug dating back to bug 72354 (2001!). The code currently always locks obj2 when it is returned from a newresolve hook. Furthermore, when it finds out that obj2 is not native, it unlocks it. But both js_LockObj and js_UnlockObj (called directly via JS_{UN,}LOCK_OBJ) assert that the given object is native!

The fix proposed here is to not try to lock (or unlock) a non-native object. Note that in this case, the non-native object is a shavarray, but could just as easily be a liveconnect object.
Comment 5 Brendan Eich [:brendan] 2008-06-23 17:55:46 PDT
Comment on attachment 326322 [details] [diff] [review]
Guess

Yeah, this makes sense. Although for liveconnect do we have thread safety issues? For shavarrays my hope is to convert 'em to sparse upon crossing a thread boundary.

/be
Comment 6 Blake Kaplan (:mrbkap) 2008-06-24 01:48:02 PDT
Created attachment 326444 [details] [diff] [review]
Better

Looking further down the loop shows that if the non-native object fails to resolve the id, we'll try to unlock the non-native obj2.
Comment 7 Brendan Eich [:brendan] 2008-06-24 10:56:16 PDT
Comment on attachment 326444 [details] [diff] [review]
Better

Glad someone's looking!

/be
Comment 8 Blake Kaplan (:mrbkap) 2008-06-25 05:12:40 PDT
Fix pushed as changeset 8eac0738eaab.
Comment 9 Mike Schroepfer 2008-06-25 08:10:34 PDT
Want for branch blake?
Comment 10 Blake Kaplan (:mrbkap) 2008-06-25 08:31:19 PDT
Comment on attachment 326444 [details] [diff] [review]
Better

Yeah. I think this is necessary for the array prototype functions getting "this" wrong bug.
Comment 11 Samuel Sidler (old account; do not CC) 2008-07-20 11:35:14 PDT
Comment on attachment 326444 [details] [diff] [review]
Better

Approved for 1.9.0.2. Please land in CVS. a=ss
Comment 12 Bob Clary [:bc:] 2008-08-08 01:14:01 PDT
Created attachment 332904 [details]
js1_5/extensions/regress-436741.js
Comment 13 Blake Kaplan (:mrbkap) 2008-08-11 11:29:51 PDT
Fix checked into the 1.9 branch.
Comment 14 Bob Clary [:bc:] 2008-08-19 12:27:04 PDT
verified fixed 1.9.0/trunk linux/mac/win.
Comment 15 Blake Kaplan (:mrbkap) 2008-10-21 13:41:57 PDT
Comment on attachment 326444 [details] [diff] [review]
Better

This applies cleanly to the 1.8 branch.
Comment 16 Daniel Veditz [:dveditz] 2008-10-22 14:53:21 PDT
Comment on attachment 326444 [details] [diff] [review]
Better

Approved for 1.8.1.18, a=dveditz for release-drivers
Comment 17 Blake Kaplan (:mrbkap) 2008-10-23 14:38:55 PDT
Fixed on the 1.8 branch too (although it isn't showing up in bonsai, probably because I hit ctl+c in the middle of checking in).
Comment 18 Bob Clary [:bc:] 2008-10-25 09:47:43 PDT
v 1.8.1.18
Comment 19 Alexander Sack 2008-11-10 09:49:38 PST
Comment on attachment 326444 [details] [diff] [review]
Better

a=asac for 1.8.0
Comment 20 Bob Clary [:bc:] 2008-12-04 05:21:23 PST
test landed http://hg.mozilla.org/mozilla-central/rev/dcddc30c2960 and cvs

Note You need to log in before you can comment on or make changes to this bug.