Read AV decompiling function from bad ptr [@MSVCR80D!LeadUpVec] (debug only?)

Status: RESOLVED INCOMPLETE

People: Reporter: cbook; Assigned: Waldo

Tracking: {sec-moderate}
  1.9.0 Branch
  x86
  Windows XP
  sec-moderate
  Points: ---
  Bug Flags: wanted1.9.0.x +

Firefox Tracking Flags: status1.9.1 ?

Details: Whiteboard: [sg:moderate?]

Attachments: 1 attachment

Description (Reporter):

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15pre) Gecko/2009091811 GranParadiso/3.0.15pre

Steps to reproduce:
-> Load http://www.mcmaster.com with a debugger and !exploitable
--> First Chance Exception, see below

Exception Faulting Address: 0x82cdd50
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:1023cad6 mov al,byte ptr [esi]

Basic Block:
    1023cad6 mov al,byte ptr [esi]
       Tainted Input Operands: esi
    1023cad8 mov byte ptr [edi],al
       Tainted Input Operands: al
    1023cada mov al,byte ptr [esi+1]
       Tainted Input Operands: esi
    1023cadd shr ecx,2
    1023cae0 mov byte ptr [edi+1],al
       Tainted Input Operands: al
    1023cae3 add esi,2
       Tainted Input Operands: esi
    1023cae6 add edi,2
    1023cae9 cmp ecx,8
    1023caec jb msvcr80d!memmove+0x84 (1023ca94)

Exception Hash (Major/Minor): 0x05423333.0x111d2433

Stack Trace:
MSVCR80D!LeadUpVec+0x3a
js3250!SprintPut+0x66
js3250!SprintCString+0x1d
js3250!Decompile+0xfbb
js3250!DecompileCode+0x14c
js3250!js_DecompileFunction+0x545
js3250!JS_DecompileFunction+0x8e
js3250!fun_toStringHelper+0x1ff
js3250!fun_toString+0x16
js3250!js_Interpret+0xf276
js3250!js_Invoke+0xad3
js3250!js_InvokeConstructor+0x229
js3250!js_Interpret+0x811c
js3250!js_Execute+0x32e
js3250!JS_EvaluateUCScriptForPrincipals+0x9f
gklayout!nsJSContext::EvaluateString+0x2a4
gklayout!nsScriptLoader::EvaluateScript+0x3b6
gklayout!nsScriptLoader::ProcessRequest+0xfd
gklayout!nsScriptLoader::ProcessPendingRequests+0x6f
gklayout!nsScriptLoader::OnStreamComplete+0xb3
necko!nsStreamLoader::OnStopRequest+0x6a
necko!nsHTTPCompressConv::OnStopRequest+0x23
necko!nsStreamListenerTee::OnStopRequest+0xa8
necko!nsHttpChannel::OnStopRequest+0x3e3
necko!nsInputStreamPump::OnStateStop+0xde
necko!nsInputStreamPump::OnInputStreamReady+0x90
xpcom_core!nsInputStreamReadyEvent::Run+0x4a
xpcom_core!nsThread::ProcessNextEvent+0x1fa
xpcom_core!NS_ProcessNextEvent_P+0x53
gkwidget!nsBaseAppShell::Run+0x5d
tkitcmps!nsAppStartup::Run+0x6b
xul!XRE_main+0x2edf
firefox!NS_internal_main+0x2b2
firefox!wmain+0x119
firefox!__tmainCRTStartup+0x1a6
firefox!wmainCRTStartup+0xd
kernel32!BaseProcessStart+0x23
Instruction Address: 0x000000001023cad6

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at MSVCR80D!LeadUpVec+0x000000000000003a (Hash=0x05423333.0x111d2433)
Flags: blocking1.9.0.16?
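The !exploitable output above is the kind of record a crash triager reads in bulk. As an added example (not part of this bug and not Mozilla's or Microsoft's tooling), the following Python parses that report format, collects the tainted operands and the Major/Minor hash, and picks the first stack frame outside the C runtime as the frame to blame, since a memmove faulting on a bad pointer implicates its caller (here js3250!SprintPut), not the CRT. The sample text is copied and shortened from this report; the set of CRT module names and the assumption that a frame line always looks like `module!symbol+0xoffset` are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Sample !exploitable output, copied (and shortened) from the report in this bug.
SAMPLE_REPORT = """\
Exception Faulting Address: 0x82cdd50
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:1023cad6 mov al,byte ptr [esi]

Basic Block:
    1023cad6 mov al,byte ptr [esi]
       Tainted Input Operands: esi
    1023cad8 mov byte ptr [edi],al
       Tainted Input Operands: al

Exception Hash (Major/Minor): 0x05423333.0x111d2433

Stack Trace:
MSVCR80D!LeadUpVec+0x3a
js3250!SprintPut+0x66
js3250!SprintCString+0x1d
js3250!Decompile+0xfbb
js3250!DecompileCode+0x14c
js3250!js_DecompileFunction+0x545
Instruction Address: 0x000000001023cad6

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
"""

# Assumed frame syntax: module!symbol+0xoffset (offset optional).
FRAME_RE = re.compile(
    r"^(?P<module>[\w.]+)!(?P<symbol>[^+\s]+)(?:\+0x(?P<offset>[0-9a-fA-F]+))?$")

# Assumed list of C-runtime / OS modules that are never the root cause of a bad pointer.
CRT_MODULES = {"msvcr80d", "msvcr80", "msvcrt", "msvcr90", "msvcr90d", "ntdll", "kernel32"}


@dataclass
class Frame:
    module: str
    symbol: str
    offset: int

    def __str__(self) -> str:
        return f"{self.module}!{self.symbol}+0x{self.offset:x}"


@dataclass
class CrashReport:
    fields: Dict[str, str] = field(default_factory=dict)   # "Key: value" lines
    frames: List[Frame] = field(default_factory=list)      # stack trace, top first
    tainted: Set[str] = field(default_factory=set)         # operands !exploitable marked tainted
    hash_major: Optional[int] = None
    hash_minor: Optional[int] = None


def parse_exploitable_report(text: str) -> CrashReport:
    """Parse the key/value, basic-block and stack-trace sections of a !exploitable report."""
    report = CrashReport()
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                report.frames.append(Frame(m["module"], m["symbol"], int(m["offset"] or "0", 16)))
                continue
            in_trace = False  # first line that is not a frame ends the trace
        if line == "Stack Trace:":
            in_trace = True
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # disassembly lines in the basic block carry no key
        key, value = key.strip(), value.strip()
        if key == "Tainted Input Operands":
            report.tainted.update(op.strip() for op in value.split(","))
        elif key == "Exception Hash (Major/Minor)":
            major, _, minor = value.partition(".")
            report.hash_major, report.hash_minor = int(major, 16), int(minor, 16)
        else:
            report.fields[key] = value
    return report


def blame_frame(report: CrashReport) -> Optional[Frame]:
    """First frame outside the CRT: memmove faulting on a bad pointer is the symptom,
    the caller that passed the pointer is where the defect lives."""
    for f in report.frames:
        if f.module.lower() not in CRT_MODULES:
            return f
    return None


def summarize(report: CrashReport) -> str:
    top = report.frames[0] if report.frames else None
    return (f"{report.fields.get('Short Description', '?')} at {top}; "
            f"blame {blame_frame(report)}; tainted={','.join(sorted(report.tainted))}; "
            f"classification={report.fields.get('Exploitability Classification', '?')}")


if __name__ == "__main__":
    print(summarize(parse_exploitable_report(SAMPLE_REPORT)))
```

The blame heuristic is deliberately simple: it walks the trace top-down and stops at the first non-CRT module, which is enough to file the crash against the JS engine rather than against msvcr80d. Grouping reports by the Major hash alone (the Minor part changes with the caller) is a common way to de-duplicate many crashes of the same kind.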

I can reproduce this in a debug Windows build: Decompile gets a bogus rval pointer from POP_STR() in case JSOP_GROUP: and passes that to SprintCString(), which tries to use it as the string source.

Not sure why the testcase is converting a function to a string; is that a debug-only check, which would explain why this seems to be a debug-only crash?

The script it's trying to compile is
http://www.mcmaster.com/HTTPHandlers/ScriptCombiner/55_a1d96617b957e00394f5748b4564c187.js

Given the name this might be some dynamically generated thing so I'll try to capture it and attach it.
Assignee: nobody → general
Component: General → JavaScript Engine
QA Contact: general → general
Summary: Read Access Violation starting at MSVCR80D!LeadUpVec+0x000000000000003a → Read AV decompiling function from bad ptr [@MSVCR80D!LeadUpVec] (debug only?)
Whiteboard: [sg:moderate?]

Created attachment 402657
Script we die compiling

Guess I got lucky the first time I visited the site. Retrying the URL, I had to open another tab and shift-reload the mcmaster site a couple of times to reproduce the error.
taking a stab at an assignee
Assignee: general → jwalden+bmo
Tomcat: Does this affect 1.9.1 or trunk debug builds?
status1.9.1: --- → ?
Flags: blocking1.9.0.16? → wanted1.9.0.x+

Comment 6 (Assignee):
Will investigate later this week...
Group: javascript-core-security
Group: javascript-core-security
Decompiler was removed in bug 718969 so this probably isn't relevant any more.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INCOMPLETE

Updated:
Group: core-security → core-security-release
Group: core-security-release