Closed Bug 487049 Opened 15 years ago Closed 15 years ago

TraceMonkey: Some corner-case ARM branches may be invalid.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jbramley, Assigned: jbramley)

References

Details

(Whiteboard: fixed-in-tracemonkey) 

It is fairly typical in the ARM nanojit to see this kind of construct for branch construction:

offs = PC_OFFSET_FROM(...);
if (isS24(offs))
{
   underrunProtect(4);
   // Recalculate offs as underrunProtect may have moved _nIns to a different page.
   offs = PC_OFFSET_FROM(...);
}

There's a flaw in the above logic: If underrunProtect moves _nIns to a new page, there's a small change that the new page may be out of range of a branch instruction (as checked by isS24) whilst the old page was fine. This will cause execution to jump to some weird place in memory and start executing whatever's there.

Is this a remote code execution risk? Well, it is, but it'd be almost impossible to make use of it.

A better solution (which is actually used in a couple of places) is to do underrunProtect(4) before checking the offset.


I'm working on something in this area for bug 486639 so I'll create a patch for this bug whilst I'm at it.
Assembler::BL is one of the afflicted methods, but this is removed by the patch in bug 487607 so I have marked this bug as depending on bug 487607 and will produce an appropriate patch to fix any remaining instances of this bug.
Status: NEW → ASSIGNED
Depends on: 487607
All other methods that I can see implement valid logic, so this bug will be fixed once BL is removed (as a result of bug 487607).
Bug 487607 was just fixed, so I'm closing this one.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
You need to log in before you can comment on or make changes to this bug.