Closed Bug 507292 Opened 16 years ago Closed 16 years ago

Incorrect upvar access on trace involving top-level scripts

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .3+
status1.9.1 --- .3-fixed

People

(Reporter: cbook, Assigned: gal)

References

(
URL
)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?], fixed-in-tracemonkey)

Attachments

(3 files, 4 obsolete files)

fully reduced testcase
195 bytes, application/x-javascript
Details
patch based on dmandelin's stack math
781 bytes, patch
dmandelin
: review+
dveditz
: approval1.9.1.3+
Details | Diff | Splinter Review
slightly different test
334 bytes, text/plain
Details
BuildID=20090727101705 Steps to reproduce: Load http://www.warcraftlatino.com/ulduar/rank.html (c20.bb4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04859130 ebx=7ffdf000 ecx=072a0410 edx=c0000005 esi=0000000f edi=00c8f6f0 eip=00519bd4 esp=0012e718 ebp=0012ee44 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 js3250!js_Interpret+0x103b4: 00519bd4 8b02 mov eax,dword ptr [edx] ds:0023:c0000005=???????? 0:000> !exploitable -v HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0xffffffffc0000005 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation Faulting Instruction:00519bd4 mov eax,dword ptr [edx] Basic Block: 00519bd4 mov eax,dword ptr [edx] Tainted Input Operands: edx 00519bd6 mov ecx,dword ptr [eax+0ch] Tainted Input Operands: eax 00519bd9 call ecx Tainted Input Operands: ecx, edx Exception Hash (Major/Minor): 0x2a690d26.0x1548251d Stack Trace: js3250!js_Interpret+0x103b4 js3250!js_Execute+0x2e6 js3250!JS_EvaluateUCScriptForPrincipals+0xe7 gklayout!nsJSContext::EvaluateString+0x2c0 gklayout!nsScriptLoader::EvaluateScript+0x37a gklayout!nsScriptLoader::ProcessRequest+0xfd gklayout!nsScriptLoader::ProcessScriptElement+0x1040 gklayout!nsScriptElement::MaybeProcessScript+0x149 gklayout!nsHTMLScriptElement::MaybeProcessScript+0x24 gklayout!nsHTMLScriptElement::DoneAddingChildren+0x1f gklayout!HTMLContentSink::ProcessSCRIPTEndTag+0xcf gklayout!SinkContext::CloseContainer+0x31d gklayout!HTMLContentSink::CloseContainer+0xa0 gkparser!CNavDTD::CloseContainer+0x18a gkparser!CNavDTD::HandleEndToken+0x214 gkparser!CNavDTD::HandleToken+0x4ae gkparser!CNavDTD::BuildModel+0x298 gkparser!nsParser::BuildModel+0xe2 gkparser!nsParser::ResumeParse+0x1bc gkparser!nsParser::ContinueInterruptedParsing+0xe5 gklayout!nsContentSink::ContinueInterruptedParsingIfEnabled+0x54 gklayout!nsRunnableMethod<nsContentSink>::Run+0x24 xpcom_core!nsThread::ProcessNextEvent+0x1fa xpcom_core!NS_ProcessNextEvent_P+0x53 gkwidget!nsBaseAppShell::Run+0x5d tkitcmps!nsAppStartup::Run+0x6b xul!XRE_main+0x3000 firefox!NS_internal_main+0x2b2 firefox!wmain+0x119 firefox!__tmainCRTStartup+0x1a6 firefox!wmainCRTStartup+0xd kernel32!BaseProcessStart+0x23 Instruction Address: 0x0000000000519bd4 Description: Data from Faulting Address controls Code Flow Short Description: TaintedDataControlsCodeFlow Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at js3250!js_Interpret+0x00000000000103b4 (Hash=0x2a690d26.0x1548251d) The data from the faulting address is later used as the target for a branch.
stack: js3250!js_Interpret(struct JSContext * cx = 0x04859130)+0x103b4 [c:\work\mozilla\builds\1.9.1\mozilla\js\src\jsinterp.cpp @ 4838] js3250!js_Execute(struct JSContext * cx = 0x04859130, struct JSObject * chain = 0x072806c0, struct JSScript * script = 0x05d15bf0, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, int * result = 0x00000000)+0x2e6 [c:\work\mozilla\builds\1.9.1\mozilla\js\src\jsinterp.cpp @ 1622] js3250!JS_EvaluateUCScriptForPrincipals(struct JSContext * cx = 0x04859130, struct JSObject * obj = 0x072806c0, struct JSPrincipals * principals = 0x05cb7e0c, unsigned short * chars = 0x05d0e358, unsigned int length = 0x7a8, char * filename = 0x05c72720 "http://www.warcraftlatino.com/ulduar/rank.html", unsigned int lineno = 0xf, int * rval = 0x00000000)+0xe7 [c:\work\mozilla\builds\1.9.1\mozilla\js\src\jsapi.cpp @ 5145] gklayout!nsJSContext::EvaluateString(class nsAString_internal * aScript = 0x0012f0bc, void * aScopeObject = 0x072806c0, class nsIPrincipal * aPrincipal = 0x05cb7e08, char * aURL = 0x05c72720 "http://www.warcraftlatino.com/ulduar/rank.html", unsigned int aLineNo = 0xf, unsigned int aVersion = 0, class nsAString_internal * aRetValue = 0x00000000, int * aIsUndefined = 0x0012f07c)+0x2c0 [c:\work\mozilla\builds\1.9.1\mozilla\dom\src\base\nsjsenvironment.cpp @ 1631] gklayout!nsScriptLoader::EvaluateScript(class nsScriptLoadRequest * aRequest = 0x05d0e2e0, class nsString * aScript = 0x0012f0bc)+0x37a [c:\work\mozilla\builds\1.9.1\mozilla\content\base\src\nsscriptloader.cpp @ 686] gklayout!nsScriptLoader::ProcessRequest(class nsScriptLoadRequest * aRequest = 0x05d0e2e0)+0xfd [c:\work\mozilla\builds\1.9.1\mozilla\content\base\src\nsscriptloader.cpp @ 600] gklayout!nsScriptLoader::ProcessScriptElement(class nsIScriptElement * aElement = 0x05d0d844)+0x1040 [c:\work\mozilla\builds\1.9.1\mozilla\content\base\src\nsscriptloader.cpp @ 554] gklayout!nsScriptElement::MaybeProcessScript(void)+0x149 [c:\work\mozilla\builds\1.9.1\mozilla\content\base\src\nsscriptelement.cpp @ 193] gklayout!nsHTMLScriptElement::MaybeProcessScript(void)+0x24 [c:\work\mozilla\builds\1.9.1\mozilla\content\html\content\src\nshtmlscriptelement.cpp @ 546] gklayout!nsHTMLScriptElement::DoneAddingChildren(int aHaveNotified = 1)+0x1f [c:\work\mozilla\builds\1.9.1\mozilla\content\html\content\src\nshtmlscriptelement.cpp @ 484] gklayout!HTMLContentSink::ProcessSCRIPTEndTag(class nsGenericHTMLElement * content = 0x05d0d820, int aMalformed = 0)+0xcf [c:\work\mozilla\builds\1.9.1\mozilla\content\html\document\src\nshtmlcontentsink.cpp @ 3145] gklayout!SinkContext::CloseContainer(nsHTMLTag aTag = eHTMLTag_script (83), int aMalformed = 0)+0x31d [c:\work\mozilla\builds\1.9.1\mozilla\content\html\document\src\nshtmlcontentsink.cpp @ 1022] gklayout!HTMLContentSink::CloseContainer(nsHTMLTag aTag = eHTMLTag_script (83))+0xa0 [c:\work\mozilla\builds\1.9.1\mozilla\content\html\document\src\nshtmlcontentsink.cpp @ 2396] gkparser!CNavDTD::CloseContainer(nsHTMLTag aTag = eHTMLTag_script (83), int aMalformed = 0)+0x18a [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\cnavdtd.cpp @ 2804] gkparser!CNavDTD::HandleEndToken(class CToken * aToken = 0x05c7f6f0)+0x214 [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\cnavdtd.cpp @ 1683] gkparser!CNavDTD::HandleToken(class CToken * aToken = 0x05c7f6f0, class nsIParser * aParser = 0x05cb8578)+0x4ae [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\cnavdtd.cpp @ 760] gkparser!CNavDTD::BuildModel(class nsIParser * aParser = 0x05cb8578, class nsITokenizer * aTokenizer = 0x05cd4c70, class nsITokenObserver * anObserver = 0x00000000, class nsIContentSink * aSink = 0x05cbaf9c)+0x298 [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\cnavdtd.cpp @ 332] gkparser!nsParser::BuildModel(void)+0xe2 [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\nsparser.cpp @ 2400] gkparser!nsParser::ResumeParse(int allowIteration = 1, int aIsFinalChunk = 1, int aCanInterrupt = 1)+0x1bc [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\nsparser.cpp @ 2273] gkparser!nsParser::ContinueInterruptedParsing(void)+0xe5 [c:\work\mozilla\builds\1.9.1\mozilla\parser\htmlparser\src\nsparser.cpp @ 1773]
FAULTING_IP: js3250!js_Interpret+103b4 [c:\work\mozilla\builds\1.9.1\mozilla\js\src\jsinterp.cpp @ 4838] 00519bd4 8b02 mov eax,dword ptr [edx] EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff) ExceptionAddress: 00519bd4 (js3250!js_Interpret+0x000103b4) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: c0000005 Attempt to read from address c0000005 FAULTING_THREAD: 00000bb4 DEFAULT_BUCKET_ID: APPLICATION_FAULT PROCESS_NAME: firefox.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s". READ_ADDRESS: c0000005 BUGCHECK_STR: ACCESS_VIOLATION LAST_CONTROL_TRANSFER: from 005080e6 to 00519bd4 FOLLOWUP_IP: js3250!js_Interpret+103b4 [c:\work\mozilla\builds\1.9.1\mozilla\js\src\jsinterp.cpp @ 4838] 00519bd4 8b02 mov eax,dword ptr [edx] FAULTING_SOURCE_CODE: 4834: if (!js_InternNonIntElementId(cx, obj, rval, &id)) 4835: goto error; 4836: } 4837: > 4838: if (!OBJ_GET_PROPERTY(cx, obj, id, &rval)) 4839: goto error; 4840: end_getelem: 4841: regs.sp--; 4842: STORE_OPND(-1, rval); 4843: END_CASE(JSOP_GETELEM) SYMBOL_STACK_INDEX: 0 FOLLOWUP_NAME: MachineOwner MODULE_NAME: js3250 IMAGE_NAME: js3250.dll DEBUG_FLR_IMAGE_TIMESTAMP: 4a6de171 SYMBOL_NAME: js3250!js_Interpret+103b4 STACK_COMMAND: ~0s ; kb FAILURE_BUCKET_ID: ACCESS_VIOLATION_js3250!js_Interpret+103b4 BUCKET_ID: ACCESS_VIOLATION_js3250!js_Interpret+103b4
crashes mac 1.9.1/1.9.2 debug Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xc0000005 0x002fbaee in js_Interpret (cx=0x1441200) at /work/mozilla/builds/1.9.1/mozilla/js/src/jsinterp.cpp:4838 4838 if (!OBJ_GET_PROPERTY(cx, obj, id, &rval)) (gdb) bt #0 0x002fbaee in js_Interpret (cx=0x1441200) at /work/mozilla/builds/1.9.1/mozilla/js/src/jsinterp.cpp:4838 #1 0x00312c82 in js_Execute (cx=0x1441200, chain=0x16f80aa0, script=0x1d2ad2d0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1622 #2 0x0028f201 in JS_EvaluateUCScriptForPrincipals (cx=0x1441200, obj=0x16f80aa0, principals=0x17489954, chars=0x15bd808, length=1960, filename=0x16e95938 "http://www.warcraftlatino.com/ulduar/rank.html", lineno=15, rval=0x0) at /work/mozilla/builds/1.9.1/mozilla/js/src/jsapi.cpp:5145 #3 0x134a7531 in nsJSContext::EvaluateString (this=0x1c56ea00, aScript=@0xbfffc974, aScopeObject=0x16f80aa0, aPrincipal=0x17489950, aURL=0x16e95938 "http://www.warcraftlatino.com/ulduar/rank.html", aLineNo=15, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc8f4) at /work/mozilla/builds/1.9.1/mozilla/dom/src/base/nsJSEnvironment.cpp:1631 #4 0x1327bb50 in nsScriptLoader::EvaluateScript (this=0x17489870, aRequest=0x1c9436a0, aScript=@0xbfffc974) at /work/mozilla/builds/1.9.1/mozilla/content/base/src/nsScriptLoader.cpp:686 ...
Keywords: crash, testcase-wanted
OS: Windows XP → All
Version: 1.9.1 Branch → Trunk
Reproduced on Linux. The interpreter has a JSString that is tagged as an Object. With trace spew enabled this crashes in NativeToValue because it can't print the object classname.
This is the same kind of bug that was exploited with the heap spray. High priority to fix.
(In reply to comment #4) > Reproduced on Linux. The interpreter has a JSString that is tagged as an > Object. With trace spew enabled this crashes in NativeToValue because it can't > print the object classname. I had a bug with that basic cause before. Is there some way we can prevent this condition earlier with more asserts or a LIR validator?
Maybe. This is probably another case of missing globals. Still investigating.
Andreas: we're currently at the testing phase of Firefox 3.5.2; we can stop to pick up this fix and respin at the cost of a day's work. I guess the question is: can someone get trivially from the previous exploit to this one, or do you think it can wait for 3.5.3 which would be released in early September?
Trying to figure that out now. Keep doing what you are doing for now. We will post an update asap.
This does not seem to crash on Tracemonkey tip debug, so we might have fixed this inadvertently (and very recently, if 1.9.2 still crashes). Could someone help out with bisecting this to the changeset in Tracemonkey that makes the crash go away? We will debug 1.9.1 in the meantime (where we can reproduce it).
Keywords: qawanted
1.9.2 tip (post graydon's backout is crashing too now, so no QA help needed for the moment.
Keywords: qawanted
Attached file shell testcase (unreduced) (obsolete) —
Attachment #391746 - Attachment is patch: false
Attached file partially reduced testcase (obsolete) —
Attached file reduced testcase (obsolete) —
Attachment #391746 - Attachment is obsolete: true
Attachment #391749 - Attachment is obsolete: true
We have an upvar inside a constructor here.
Constructor is not necessary.
Attachment #391751 - Attachment is obsolete: true
Attached file fully reduced testcase
Attachment #391753 - Attachment is obsolete: true
The invocation of f has an extra arg. That seems to cause the upvar access of b in g to go wrong.
Keywords: testcase-wanted
Please block 3.5.3 on this. We are testing the patch right now.
The bug is caused by an incorrect computation of |spoffset| in the special case of |callDepth == 0| (i.e., top-level script), as fixed in the patch: if (callDepth == 0) - fi->spoffset = 2 /*callee,this*/ + argc - fi->spdist; + fi->spoffset = -fp->script->nfixed; Given that the correct computation is much simpler than the incorrect one, it's hard to explain what I was thinking the first time around. :-) The key invariant for |spoffset| is that: |native_start| + |spoffset| = |slots| where |native_start| is the address of the jsval referred to by the 0th element in the native stack area |slots| is the address of the caller jsval slots area (The purpose of this invariant is that FrameInfo::spdist allows us to navigate from caller &slots[0] to callee &slots[0], which is how we navigate the frames. So we need a way to get to the trace entry active frame &slots[0].) |native_start| in this case is StackBase(fp) for the outermost frame. Thus, we should compute spoffset = slots - StackBase(fp) = slots - (slots + nfixed) = -nfixed The first time I wrote the code, I wasn't thinking about StackBase or nfixed. Also, I incorrectly assumed that at a top-level call site, the only things that would be on the stack would be the args, and from there I worked out the original computation, which is in fact correct when there are no other values on the stack, but is not correct in general.
Verified in a TM debug build with patch applied.
Attachment #391770 - Flags: review?(dmandelin)
Attachment #391770 - Flags: approval1.9.1.3?
Attachment #391770 - Flags: review?(dmandelin) → review+
Summary: Probably Exploitable - Data from Faulting Address controls Code Flow starting at js3250!js_Interpret+0x00000000000103b4 → Incorrect upvar access on trace involving top-level scripts
Whiteboard: [sg:critical?]
http://hg.mozilla.org/tracemonkey/rev/ccef1758e1b8
Hardware: x86 → All
Whiteboard: [sg:critical?] → [sg:critical?], fixed-in-tracemonkey
Assignee: general → gal
Dmandelin did most of the work on this bug.
this behaved differently for me on 1.9.1 and 1.9.2 from Andreas' test case, so I'm including here. It is fixed in the shell on tracemonkey just as Andreas' is.
I un-hid comments 5, 8, and 9. This is already a private bug. There's no reason for them to be private as well and it actually hurts us if we want to CC someone that doesn't normally have security bug access since they can't see those comments.
blocking1.9.1: ? → .3+
Flags: in-testsuite?
Flags: blocking1.9.2?
Keywords: testcase
http://hg.mozilla.org/mozilla-central/rev/ccef1758e1b8
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Just to confirm, we do not need any upvar-related fixes on the 1.9.0 branch right?
status1.9.1: --- → wanted
Flags: wanted1.9.0.x-
Comment on attachment 391770 [details] [diff] [review] patch based on dmandelin's stack math Approved for 1.9.1.3, a=dveditz for release-drivers
Attachment #391770 - Flags: approval1.9.1.3? → approval1.9.1.3+
(In reply to comment #29) > Just to confirm, we do not need any upvar-related fixes on the 1.9.0 branch > right? Right. /be
gal/sayrer: Is this going to land on 1.9.1 tonight? It's a 1.9.1.3 blocker and code freeze was technically last night, but was extended one day...
I can't land. sayrer is on a plane. Asking around for help.
Waldo just landed a JS bug, might be able to land this as well. (I was going to ping him on IRC, but he's just signed off.)
Carsten, can you verify that this is fixed in the 1.9.1 build from 8/17/2009?
This bug is basically supplanted by bug 510987. The problem is superficially mitigated here but underneath the hood, stack computation is still wrong.
verified on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090819 Shiretoko/3.5.3pre - no crash
I should clarify: this is not fixed. It no longer crashes but the fix is incorrect.
Group: core-security
Blocking 1.9.2 P1, but bug 510987 is a better fix for this.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
this was fixed before 1.9.2 branched
status1.9.2: --- → beta1-fixed
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: