Crash [@ QuoteString] or "Assertion failure: (uintN)js_GetSrcNoteOffset(sn, 0) == ss->top - 1, at ../jsopcode.cpp" or "Assertion failure: strcmp(rval, exception_cookie) == 0, at ../jsopcode.cpp"

RESOLVED FIXED in mozilla1.9.3a5

Status

Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Status: RESOLVED FIXED
Reported: 8 years ago
Modified: 5 years ago

People

(Reporter: gkw, Assigned: brendan)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla1.9.3a5
Keywords: assertion, crash, regression, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags

(blocking2.0 beta1+, blocking1.9.2 -, status1.9.2 wontfix, blocking1.9.1 -, status1.9.1 wontfix)

Details

(Whiteboard: [sg:low][OOB read] fixed-in-tracemonkey, crash signature)

Attachments

(1 attachment)

Description (Reporter, 8 years ago)
function f(code) {
  uneval(Function(code.replace(/\/\*DUPTRY\d+/,
    function(k) {
      n = k.substr(8)
      return g("try{}catch(e){}", n)
    }
  )))
}
function g(s, n) {
  if (n == 1) return s
  s2 = s + s
  r = n % 2
  d = (n - r) / 2;
  m = g(s2, d)
  return r ? m: m
}
f("if(/>/(\"\")){/*DUPTRY4968(u)}else if([]()){}")


Asserts the js debug shell on TM tip without -j at "Assertion failure: (uintN)js_GetSrcNoteOffset(sn, 0) == ss->top - 1, at ../jsopcode.cpp:2806". During the course of the testcase reduction, these two other asserts were also seen:

Assertion failure: strcmp(rval, exception_cookie) == 0, at ../jsopcode.cpp:2808
Assertion failure: strcmp(rval, with_cookie) == 0, at ../jsopcode.cpp:2625

Comment 1 (Reporter, 8 years ago)
Nominating s-s because testcases asserting all over the place seem scary.
Group: core-security

Comment 2 (Reporter, 8 years ago)
Not the smallest regression window:

Does not seem to assert with a 01 Jan 2006 js shell.
Asserts with a js shell build from 07 Nov 2008: http://hg.mozilla.org/tracemonkey/rev/04c360f123e5
blocking2.0: --- → ?
"" + eval("(function () { if (x) {" +
          Array(4968).join("try{}catch(e){}") +
          "} else if (y()) ;})");

Comment 4 (Reporter, 8 years ago)
function f(code) {
  code = code.replace(/\/\*DUPTRY\d+\*\//,
  function(k) {
    n = parseInt(k.substr(8))
    return g("try{}catch(e){}", n)
  })
  v = new Function(code) + f
}
function g(s, n) {
  if (n == 1)
  return s
  s2 = s + s
  r = n % 2;
  d = (n - r) / 2
  m = g(s2, d);
  return r ? s: m
}
f("if([]())i;else if(*){/*DUPTRY4470*/for each(d in[]){}with({}){}}")

This similar testcase asserts at Assertion failure: (size_t)(index_) < js_common_atom_count, at ../jsopcode.cpp:4026 but I've also seen this assert at:

Assertion failure: top != 0, at ../jsopcode.cpp:1030

Comment 5 (Assignee, 8 years ago)
Created attachment 441872 [details] [diff] [review]
fix

I think this bug goes back to bug 352268 -- you buddied that patch ;-). It's not a hard review, actually: span-dependent instruction selection requires dependent source note offsets to be adjusted, so they must all have the same offsetBias. I forgot this and biased the second offset by the first offset!

/be
Attachment #441872 - Flags: review?(mrbkap)
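
A toy model of the mechanism Brendan describes in comment 5, added here as an illustration and not taken from the TraceMonkey patch: jumps are emitted short and widened by span-dependent selection, source-note offsets that were computed against the pre-widening layout are re-biased afterwards, and a decompiler-style consumer checks that each offset still lands on an instruction boundary instead of asserting and reading on. The 3/5-byte jump encoding, the SRC_IF_ELSE-shaped two-offset note, the `rebias_buggy` reading of "biased the second offset by the first offset", and the constructed if/else layout are all assumptions of this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of span-dependent instruction selection (added example, not
 * TraceMonkey code). A jump is emitted as 3 bytes and widened to 5 bytes when
 * its displacement does not fit the short form. Source-note offsets were
 * computed against the all-short layout and must be re-biased afterwards;
 * every offset in one note has to be measured from that note's own pc. */
#define SHORT_JUMP_LEN 3
#define LONG_JUMP_LEN  5
#define SHORT_MAX      127

typedef struct { bool is_jump; int target; int len; } Insn;  /* len: non-jump size */
typedef struct { size_t insn; long off[2]; } SrcNote;        /* SRC_IF_ELSE-like: else, end */

/* Byte offset of every instruction for a given long/short decision vector;
 * pcs[n] is one past the last instruction. */
static void layout(const Insn *ins, size_t n, const bool *is_long, size_t *pcs) {
    size_t pc = 0;
    for (size_t i = 0; i < n; i++) {
        pcs[i] = pc;
        pc += ins[i].is_jump ? (is_long[i] ? LONG_JUMP_LEN : SHORT_JUMP_LEN)
                             : (size_t)ins[i].len;
    }
    pcs[n] = pc;
}

/* Widen jumps until no displacement exceeds the short range (fixpoint). */
static void select_spans(const Insn *ins, size_t n, bool *is_long, size_t *pcs) {
    memset(is_long, 0, n * sizeof *is_long);
    for (bool changed = true; changed;) {
        layout(ins, n, is_long, pcs);
        changed = false;
        for (size_t i = 0; i < n; i++) {
            if (!ins[i].is_jump || is_long[i]) continue;
            long disp = (long)pcs[ins[i].target] - (long)pcs[i];
            if (disp > SHORT_MAX || disp < -SHORT_MAX - 1) {
                is_long[i] = true;
                changed = true;
            }
        }
    }
}

/* Bytes by which the instructions starting in [from, to) (all-short pcs) grew. */
static long growth(const Insn *ins, size_t n, const bool *is_long,
                   const size_t *before, size_t from, size_t to) {
    long g = 0;
    for (size_t i = 0; i < n; i++)
        if (before[i] >= from && before[i] < to && ins[i].is_jump && is_long[i])
            g += LONG_JUMP_LEN - SHORT_JUMP_LEN;
    return g;
}

/* Correct re-bias: each offset grows by the widening inside its own span,
 * measured from the note's pc (the same base for both offsets). */
static void rebias_correct(SrcNote *sn, const Insn *ins, size_t n,
                           const bool *is_long, const size_t *before) {
    size_t pc = before[sn->insn];
    for (int k = 0; k < 2; k++)
        sn->off[k] += growth(ins, n, is_long, before, pc, pc + (size_t)sn->off[k]);
}

/* Hypothetical model of the mistake described in comment 5: the second offset
 * is biased from the end of the first offset rather than from the note's pc,
 * so it misses any widening that happened inside the first span. */
static void rebias_buggy(SrcNote *sn, const Insn *ins, size_t n,
                         const bool *is_long, const size_t *before) {
    size_t pc = before[sn->insn], first_end = pc + (size_t)sn->off[0];
    sn->off[0] += growth(ins, n, is_long, before, pc, first_end);
    sn->off[1] += growth(ins, n, is_long, before, first_end, pc + (size_t)sn->off[1]);
}

/* Decompiler-style consumer with the check the real one only asserted: a note
 * offset is usable only if pc + off lands on an instruction boundary inside
 * the script. Returns the instruction index (n means end of script) or -1. */
static int resolve(const size_t *after, size_t n, const SrcNote *sn, int k) {
    long t = (long)after[sn->insn] + sn->off[k];
    if (t < 0 || (size_t)t > after[n]) return -1;   /* would read past the end */
    for (size_t i = 0; i <= n; i++)
        if (after[i] == (size_t)t) return (int)i;
    return -1;                                      /* mid-instruction: nonsense bytes */
}

typedef struct { int else_idx, end_idx; } Resolved;

/* Shape of the comment 2 testcase: if (x) { <large body> } else if (y()) ;
 * insn 0: JUMP_IF_FALSE -> else; 1..BODY: body; BODY+1: GOTO -> end;
 * BODY+2, BODY+3: else branch. Constructed input, sized so jump 0 is widened. */
static Resolved run_if_else(bool buggy) {
    enum { BODY = 40, N = BODY + 4 };
    Insn ins[N];
    ins[0] = (Insn){ true, BODY + 2, 0 };
    for (int i = 1; i <= BODY; i++) ins[i] = (Insn){ false, 0, 4 };
    ins[BODY + 1] = (Insn){ true, N, 0 };
    ins[BODY + 2] = (Insn){ false, 0, 4 };
    ins[BODY + 3] = (Insn){ false, 0, 4 };

    bool all_short[N] = { false }, is_long[N];
    size_t before[N + 1], after[N + 1];
    layout(ins, N, all_short, before);               /* emitter's layout: every jump short */
    SrcNote sn = { 0, { (long)(before[BODY + 2] - before[0]), (long)(before[N] - before[0]) } };

    select_spans(ins, N, is_long, after);           /* jump 0 spans 166 bytes -> widened */
    if (buggy) rebias_buggy(&sn, ins, N, is_long, before);
    else       rebias_correct(&sn, ins, N, is_long, before);
    return (Resolved){ resolve(after, N, &sn, 0), resolve(after, N, &sn, 1) };
}

int main(void) {
    Resolved ok = run_if_else(false), bad = run_if_else(true);
    printf("correct rebias: else=%d end=%d\n", ok.else_idx, ok.end_idx);
    printf("buggy rebias:   else=%d end=%d\n", bad.else_idx, bad.end_idx);
    return 0;
}
```

With the correct re-bias both offsets resolve (the else branch and the end of the script). With the buggy one the second offset is short by the two bytes the first jump grew, so it points into the middle of an instruction and `resolve` returns -1; that is the point where the real decompiler asserted in debug builds and, in opt builds, kept going on whatever bytes it found (comment 7).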

Updated (Assignee, 8 years ago)
Assignee: general → brendan
Blocks: 352268
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.3a5

Comment 6 (8 years ago)
Is this exploitable?

Updated (8 years ago)
blocking2.0: ? → beta1+

Comment 7 (Assignee, 8 years ago)
The decompiler can run off the end of bytecode reading nonsense, based on which it will do its best. I can't prove it's not exploitable, yet. But so far it looks like we don't overwrite any memory, or prematurely free memory. We do read off the end, which could leak information. Best to restrict access for now but this might not be exploitable after all.

Gary, what opt crash addresses can you generate? Read or write access?

/be

Comment 8 (Reporter, 8 years ago)
(In reply to comment #7)
> Gary, what opt crash addresses can you generate? Read or write access?
> 
> /be

Compile error with changeset http://hg.mozilla.org/tracemonkey/rev/394cdeb4fc38 (TM tip at time of writing), so I'm testing with changeset http://hg.mozilla.org/tracemonkey/rev/38330447a7e4

The testcase in comment 4 crashes the opt shell without -j at QuoteString near null.

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x00087954 QuoteString(Sprinter*, JSString*, unsigned int) + 52
1   js-opt-32-tm-darwin           	0x0008cfae Decompile(SprintStack*, unsigned char*, int, JSOp) + 21086
2   js-opt-32-tm-darwin           	0x000971d7 DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) + 759
3   js-opt-32-tm-darwin           	0x000993a2 js_DecompileFunction + 930
4   js-opt-32-tm-darwin           	0x00086a77 js_DecompileToString + 87
5   js-opt-32-tm-darwin           	0x0000e30c JS_DecompileFunction + 92
6   js-opt-32-tm-darwin           	0x000492ad fun_toStringHelper(JSContext*, unsigned int, unsigned int, long*) + 141
7   js-opt-32-tm-darwin           	0x000653db js_Invoke + 1515
8   js-opt-32-tm-darwin           	0x00065ffc js_InternalInvoke + 140
9   js-opt-32-tm-darwin           	0x000752cd js_TryMethod + 365
10  js-opt-32-tm-darwin           	0x000755db js_DefaultValue + 683
11  js-opt-32-tm-darwin           	0x0005949a js_Interpret + 18474
12  js-opt-32-tm-darwin           	0x000649a3 js_Execute + 531
13  js-opt-32-tm-darwin           	0x0000f49c JS_ExecuteScript + 60
14  js-opt-32-tm-darwin           	0x00004d2c Process(JSContext*, JSObject*, char*, int) + 1340
15  js-opt-32-tm-darwin           	0x00008e9a main + 1626
16  js-opt-32-tm-darwin           	0x0000298d _start + 208
17  js-opt-32-tm-darwin           	0x000028bc start + 40
Summary: "Assertion failure: (uintN)js_GetSrcNoteOffset(sn, 0) == ss->top - 1, at ../jsopcode.cpp" or "Assertion failure: strcmp(rval, exception_cookie) == 0, at ../jsopcode.cpp" or "Assertion failure: strcmp(rval, with_cookie) == 0, at ../jsopcode.cpp" → Crash [@ QuoteString] or "Assertion failure: (uintN)js_GetSrcNoteOffset(sn, 0) == ss->top - 1, at ../jsopcode.cpp" or "Assertion failure: strcmp(rval, exception_cookie) == 0, at ../jsopcode.cpp"

Comment 9 (Reporter, 8 years ago)
Using the testcase in comment 4, I could crash 3.6.3 on WinXP at js_IsIdentifier:

bp-90255422-3a3a-45d6-a15a-8348f2100427

Doing a search at Breakpad:

http://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=js_IsIdentifier&build_id=&process_type=all&do_query=1

reveals 78 crashes in total, 76 on Windows and 2 on Mac.

Comment 10 (Reporter, 8 years ago)
Trapping the testcase in comment 4 in an opt shell in gdb,

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x00087364 in QuoteString ()
(gdb) 
(gdb) x/i $eip
0x87364 <_ZL11QuoteStringP8SprinterP8JSStringj+52>:     testb  $0x2,0x8(%esi)
(gdb) x/1b $esi
0x0:    Cannot access memory at address 0x0
(gdb)

Brendan on IRC mentions that this is a null pointer, and is not exploitable. (Thanks for the guidance!)

Updated (8 years ago)
Whiteboard: [sg:low][OOB read]

Updated (Reporter, 8 years ago)
Keywords: crash

Updated (8 years ago)
Attachment #441872 - Flags: review?(mrbkap) → review+

Comment 11 (Assignee, 8 years ago)
http://hg.mozilla.org/tracemonkey/rev/37bc06ac747a

I'm gonna let this one grow a testsuite in private -- bc, can you crib from comment 0? Thanks,

/be
Flags: in-testsuite?
Whiteboard: [sg:low][OOB read] → [sg:low][OOB read] fixed-in-tracemonkey

Comment 12 (Assignee, 8 years ago)
Ahem, backed out, relanded with fix for absent second offset to SRC_IF_ELSE:

http://hg.mozilla.org/tracemonkey/rev/3c1d3ae3478c

/be

Comment 13 (8 years ago)
http://hg.mozilla.org/mozilla-central/rev/37bc06ac747a
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Is this worth taking on the branches or should we not bother and just "wontfix" it?
Crash Signature: [@ QuoteString]
Group: core-security
blocking1.9.1: needed → -
blocking1.9.2: needed → -
status1.9.1: wanted → wontfix
status1.9.2: wanted → wontfix
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+