Closed Bug 566815 Opened 14 years ago Closed 14 years ago

Crash [@ js_GetMethod] or [@ js_TryMethod]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a5
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: gkw, Assigned: brendan)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:low] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

fix
633 bytes, patch
igor
: review+
gal
: review+
Details | Diff | Splinter Review 
x = /x/
x.__proto__ = new Namespace
x > 0


crashes js opt shell on TM tip without -j at js_TryMethod, and debug shell at js_GetMethod. Tested on 64-bit Ubuntu Linux 10.04.

Opt console spew:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046b2f1 in js_TryMethod ()
(gdb) bt
#0  0x000000000046b2f1 in js_TryMethod ()
#1  0x00000000004cae5f in js_ValueToSource ()
#2  0x0000000000486199 in js_DecompileValueGenerator ()
#3  0x0000000000420ab3 in js_ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, long, JSString*, char const*, char const*) ()
#4  0x000000000044b733 in js_ReportIsNotFunction ()
#5  0x000000000044b820 in js_ValueToFunction ()
#6  0x000000000040cd0b in JS_InstanceOf ()
#7  0x00000000004df9c9 in namespace_toString(JSContext*, unsigned int, long*) ()
#8  0x00000000004584ed in js_Invoke ()
#9  0x0000000000458e42 in js_InternalInvoke ()
#10 0x000000000046b3a0 in js_TryMethod ()
#11 0x000000000046b5b9 in js_DefaultValue ()
#12 0x0000000000545faa in js_Interpret ()
#13 0x0000000000457b51 in js_Execute ()
#14 0x000000000040b176 in JS_ExecuteScript ()
#15 0x000000000040664b in Process(JSContext*, JSObject*, char*, int) ()
#16 0x0000000000406ecf in main ()
(gdb) x/i $rip
=> 0x46b2f1 <js_TryMethod+129>:	mov    0x18(%rdx),%rax
(gdb) x/b $rdx
0x0:	Cannot access memory at address 0x0

(doesn't seem scary, move by 18 from null - should be a near-null deref) Assuming [sg:dos] unless otherwise.
This seems to exist since Nov 2008, though I haven't checked in more depth.
Group: core-security
I will hide this. Seems easy to crash a browser with it. Maybe its too aggressive. Feel free to open it up on me if you think we don't need to.
(In reply to comment #2)
> I will hide this. Seems easy to crash a browser with it. Maybe its too
> aggressive. Feel free to open it up on me if you think we don't need to.

3.6.3 Firefox WinXP Breakpad report:

bp-120af9db-b7a1-4ce5-842f-2b77a2100519
blocking1.9.2: --- → ?
OS: Linux → All
Hardware: x86 → All
Found regressor by inspection:

changeset:   18651:69d14bce003f
user:        Igor Bukanov <igor@mir2.org>
date:        Fri Aug 29 10:10:34 2008 +0200
summary:     bug 445705 - eliminate Namespace and QName GC things. r=brendan
 
Bad review on my part. Post Firefox 3.0 / JS1.8.

/be
Attached patch fixSplinter Review 
Assignee: general → brendan
Status: NEW → ASSIGNED

        Attachment #446177 -
        Flags: review?(igor)
blocking1.9.1: --- → ?

    
  
Priority: -- → P1
Target Milestone: --- → mozilla1.9.3a5

    
  

        Attachment #446177 -
        Flags: review+

    
  
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:critical]

    
    

    
  
This bug only reads from a jsval, never rights. It does not read instructions from any dependent load off that untagged jsval. I claim it's not exploitable, even as a data leak. It's trying to check argv[-2] aka vp[0] for a function-class object, but it's given vp instead of vp + 2, so it checks vp[-2].

Misreading memory referenced by JSVAL_TO_OBJECT(vp[-2]) could crash or in a rare case get a function object (this assumes Namespace class mismatch), and then the fun's atom, decimated to bytes. If other memory happened to look like such a deep structure, you'd leak a string.

/be
Group: core-security
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:low]

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/262172f76536

/be
Whiteboard: [ccbr][sg:low] → [ccbr][sg:low] fixed-in-tracemonkey

    
  

        Attachment #446177 -
        Flags: review?(igor) → review+

    
    

    
  
Not blocking security releases but wouldn't mind taking the fix on the old branches if you want to add approval requests.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---

          status1.9.1:
          --- → wanted

          status1.9.2:
          --- → wanted

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/262172f76536
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
  
blocking2.0: ? → betaN+
Crash Signature: [@ js_GetMethod]
[@ js_TryMethod]

    
    

    
  
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: