Closed
Bug 566815
Opened 15 years ago
Closed 15 years ago
Crash [@ js_GetMethod] or [@ js_TryMethod]
Categories: Core :: JavaScript Engine, defect, P1
Tracking: RESOLVED FIXED, target milestone mozilla1.9.3a5
People: Reporter: gkw, Assigned: brendan
Details: Keywords: crash, regression, testcase; Whiteboard: [ccbr][sg:low] fixed-in-tracemonkey
Attachments (1 file): patch, 633 bytes; igor: review+, gal: review+
x = /x/
x.__proto__ = new Namespace
x > 0
crashes js opt shell on TM tip without -j at js_TryMethod, and debug shell at js_GetMethod. Tested on 64-bit Ubuntu Linux 10.04.
Opt console spew:
Program received signal SIGSEGV, Segmentation fault.
0x000000000046b2f1 in js_TryMethod ()
(gdb) bt
#0 0x000000000046b2f1 in js_TryMethod ()
#1 0x00000000004cae5f in js_ValueToSource ()
#2 0x0000000000486199 in js_DecompileValueGenerator ()
#3 0x0000000000420ab3 in js_ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, long, JSString*, char const*, char const*) ()
#4 0x000000000044b733 in js_ReportIsNotFunction ()
#5 0x000000000044b820 in js_ValueToFunction ()
#6 0x000000000040cd0b in JS_InstanceOf ()
#7 0x00000000004df9c9 in namespace_toString(JSContext*, unsigned int, long*) ()
#8 0x00000000004584ed in js_Invoke ()
#9 0x0000000000458e42 in js_InternalInvoke ()
#10 0x000000000046b3a0 in js_TryMethod ()
#11 0x000000000046b5b9 in js_DefaultValue ()
#12 0x0000000000545faa in js_Interpret ()
#13 0x0000000000457b51 in js_Execute ()
#14 0x000000000040b176 in JS_ExecuteScript ()
#15 0x000000000040664b in Process(JSContext*, JSObject*, char*, int) ()
#16 0x0000000000406ecf in main ()
(gdb) x/i $rip
=> 0x46b2f1 <js_TryMethod+129>: mov 0x18(%rdx),%rax
(gdb) x/b $rdx
0x0: Cannot access memory at address 0x0
(doesn't seem scary, move by 18 from null - should be a near-null deref) Assuming [sg:dos] unless otherwise.
Comment 1 (Reporter) • 15 years ago
This seems to exist since Nov 2008, though I haven't checked in more depth.
Updated • 15 years ago
Group: core-security
Comment 2 • 15 years ago
I will hide this. Seems easy to crash a browser with it. Maybe it's too aggressive. Feel free to open it up on me if you think we don't need to.
Comment 3 (Reporter) • 15 years ago
(In reply to comment #2)
> I will hide this. Seems easy to crash a browser with it. Maybe it's too
> aggressive. Feel free to open it up on me if you think we don't need to.
3.6.3 Firefox WinXP Breakpad report:
bp-120af9db-b7a1-4ce5-842f-2b77a2100519
blocking1.9.2: --- → ?
OS: Linux → All
Hardware: x86 → All
Comment 4 (Assignee) • 15 years ago
Found regressor by inspection:
changeset: 18651:69d14bce003f
user: Igor Bukanov <igor@mir2.org>
date: Fri Aug 29 10:10:34 2008 +0200
summary: bug 445705 - eliminate Namespace and QName GC things. r=brendan
Bad review on my part. Post Firefox 3.0 / JS1.8.
/be
Comment 5 (Assignee) • 15 years ago
Updated (Reporter) • 15 years ago
blocking1.9.1: --- → ?
Updated (Assignee) • 15 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.9.3a5
Updated • 15 years ago
Attachment #446177 - Flags: review+
Updated • 15 years ago
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:critical]
Comment 6 (Assignee) • 15 years ago
This bug only reads from a jsval, never writes. It does not read instructions from any dependent load off that untagged jsval. I claim it's not exploitable, even as a data leak. It's trying to check argv[-2] aka vp[0] for a function-class object, but it's given vp instead of vp + 2, so it checks vp[-2].
Misreading memory referenced by JSVAL_TO_OBJECT(vp[-2]) could crash or in a rare case get a function object (this assumes Namespace class mismatch), and then the fun's atom, decimated to bytes. If other memory happened to look like such a deep structure, you'd leak a string.
/be
Group: core-security
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:low]
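The pointer mix-up comment 6 describes (a check that reads the callee at argv[-2], handed vp instead of vp + 2, so it ends up reading vp[-2]) is a general bug class, not specific to this engine. The following is an added illustration, not code from the bug, the patch, or SpiderMonkey: a toy C model of the vp/argv frame layout with a checked reader that refuses to look backwards unless the pointer it is given really is the frame's argument start. The jsval_t type, the frame_t struct, the slot values and the function names are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the call-frame layout comment 6 describes (constructed for
 * illustration; these are not SpiderMonkey's types or functions). A native
 * call receives vp, where vp[0] is the callee, vp[1] is |this| and vp[2..]
 * are the arguments, so argv == vp + 2 and the callee is argv[-2]. */
typedef uintptr_t jsval_t;

#define SLOT_CALLEE 0
#define SLOT_THIS   1
#define SLOT_ARGS   2

typedef struct {
    jsval_t *vp;      /* frame base: callee, this, args... */
    size_t   nslots;  /* 2 + argc */
} frame_t;

/* Reads the callee the way the original check did: two slots before argv. */
static jsval_t callee_from_argv(const jsval_t *argv)
{
    return argv[-2];
}

/* Checked variant: only look backwards when argv is provably the frame's
 * argument start. Passing vp here (the bug's mistake) would make argv[-2]
 * read two slots before the frame, so that call is rejected instead. */
static bool checked_callee(const frame_t *f, const jsval_t *argv, jsval_t *out)
{
    if (f == NULL || f->nslots < SLOT_ARGS || argv != f->vp + SLOT_ARGS)
        return false;
    *out = callee_from_argv(argv);
    return true;
}

/* Constructed sample frame: a callee marker, a |this| marker, two arguments. */
static jsval_t sample_slots[4] = { 0xCA11EE, 0x7415, 42, 43 };
static const frame_t sample_frame = { sample_slots, 4 };

/* Correct caller: passes vp + 2 and gets the callee back. */
static bool correct_caller_reads_callee(void)
{
    jsval_t callee = 0;
    return checked_callee(&sample_frame, sample_frame.vp + SLOT_ARGS, &callee)
           && callee == 0xCA11EE;
}

/* Mistaken caller, as in the bug: passes vp instead of vp + 2. The checked
 * reader rejects it rather than reading sample_slots[-2]. */
static bool mistaken_caller_is_rejected(void)
{
    jsval_t callee = 0;
    return !checked_callee(&sample_frame, sample_frame.vp, &callee);
}

int main(void)
{
    printf("correct caller reads callee: %s\n",
           correct_caller_reads_callee() ? "yes" : "no");
    printf("vp-instead-of-argv rejected: %s\n",
           mistaken_caller_is_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the checked variant is the one comment 6 makes about severity: a negative index off an untagged pointer is only a read, but where it lands depends entirely on the caller honouring the layout convention, so the defensive form carries the frame base along and validates the offset rather than trusting argv alone.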
Comment 7 (Assignee) • 15 years ago
Whiteboard: [ccbr][sg:low] → [ccbr][sg:low] fixed-in-tracemonkey
Updated • 15 years ago
Attachment #446177 - Flags: review?(igor) → review+
Comment 8 • 15 years ago
Not blocking security releases but wouldn't mind taking the fix on the old branches if you want to add approval requests.
Comment 9 • 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 14 years ago
blocking2.0: ? → betaN+
Updated • 14 years ago
Crash Signature: [@ js_GetMethod] [@ js_TryMethod]
Comment 10 • 12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+