Crash [@ js_GetDefaultXMLNamespace] with XPCSafeJSObjectWrapper

RESOLVED WORKSFORME

Status


--
critical
RESOLVED WORKSFORME
9 years ago
3 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
crash, testcase
Points:
---

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 needed, status1.9.2 wanted, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:dos], crash signature)

(Reporter)

Description

9 years ago
XPCSafeJSObjectWrapper(<x/>).l = eval

crashes xpcshell without -j on TM tip at js_GetDefaultXMLNamespace.


Program received signal SIGSEGV, Segmentation fault.
0x00007f44af004543 in js_GetDefaultXMLNamespace (cx=0x15bf6d0, vp=0x7ffffaf74458) at /home/fuzz1/tracemonkey/js/src/jsxml.cpp:7311
7311	    for (tmp = fp->scopeChain; tmp; tmp = tmp->getParent()) {
(gdb) bt
#0  0x00007f44af004543 in js_GetDefaultXMLNamespace (cx=0x15bf6d0, vp=0x7ffffaf74458) at /home/fuzz1/tracemonkey/js/src/jsxml.cpp:7311
#1  0x00007f44aeffbf04 in PutProperty (cx=0x15bf6d0, obj=0x7f44a08a3a00, id=139932973899428, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsxml.cpp:4299
#2  0x00007f44aeffd67d in xml_setProperty (cx=0x15bf6d0, obj=0x7f44a08a3a00, id=139932973899428, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsxml.cpp:4821
#3  0x00007f44aeeb30b2 in JSObject::setProperty (this=0x7f44a08a3a00, cx=0x15bf6d0, id=139932973899428, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsobj.h:644
#4  0x00007f44aeeabd99 in JS_SetPropertyById (cx=0x15bf6d0, obj=0x7f44a08a3a00, id=139932973899428, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsapi.cpp:3499
#5  0x00007f44b074a275 in XPC_SJOW_GetOrSetProperty (cx=0x15bf6d0, obj=0x7f44a08a3a40, id=139932973899428, vp=0x7ffffaf74dd0, aIsSet=1) at /home/fuzz1/tracemonkey/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp:624
#6  0x00007f44b074a39b in XPC_SJOW_SetProperty (cx=0x15bf6d0, obj=0x7f44a08a3a40, id=139932973899428, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp:642
#7  0x00007f44aef66831 in JSScopeProperty::set (this=0x154bcf8, cx=0x15bf6d0, obj=0x7f44a08a3a40, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsscope.h:1007
#8  0x00007f44aef603a4 in js_NativeSet (cx=0x15bf6d0, obj=0x7f44a08a3a40, sprop=0x154bcf8, added=true, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsobj.cpp:4733
#9  0x00007f44aef61a17 in js_SetPropertyHelper (cx=0x15bf6d0, obj=0x7f44a08a3a40, id=139932973899428, defineHow=1, vp=0x7ffffaf74dd0) at /home/fuzz1/tracemonkey/js/src/jsobj.cpp:5140
#10 0x00007f44aef2be9f in js_Interpret (cx=0x15bf6d0) at /home/fuzz1/tracemonkey/js/src/jsops.cpp:1825
#11 0x00007f44aef41e9c in js_Execute (cx=0x15bf6d0, chain=0x7f44a08a3380, script=0x15c1950, down=0x0, flags=0, result=0x7ffffaf751e8) at /home/fuzz1/tracemonkey/js/src/jsinterp.cpp:837
#12 0x00007f44aeeafff8 in JS_ExecuteScript (cx=0x15bf6d0, obj=0x7f44a08a3380, script=0x15c1950, rval=0x7ffffaf751e8) at /home/fuzz1/tracemonkey/js/src/jsapi.cpp:4802
#13 0x0000000000405b22 in ProcessFile (cx=0x15bf6d0, obj=0x7f44a08a3380, filename=0x0, file=0x7f44ade576a0, forceTTY=0) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1043
#14 0x0000000000405d34 in Process (cx=0x15bf6d0, obj=0x7f44a08a3380, filename=0x0, forceTTY=0) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1082
#15 0x0000000000406456 in ProcessArgs (cx=0x15bf6d0, obj=0x7f44a08a3380, argv=0x7ffffaf76630, argc=0) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1249
#16 0x0000000000407b80 in main (argc=0, argv=0x7ffffaf76630, envp=0x7ffffaf76638) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1904
(gdb) x/i $rip
=> 0x7f44af004543 <js_GetDefaultXMLNamespace+45>:	mov    0x60(%rax),%rax
(gdb) x/i $rax
   0x0:	Cannot access memory at address 0x0

Seems to be a +60 null deref? Assuming [sg:dos] but s-s just to be safe.
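The two gdb commands above (the faulting instruction, then the value of its base register) are the usual way to decide whether a fuzzer crash is a null-page dereference before assigning a rating like [sg:dos]. The following Python helper is an added example, not part of the bug report: it parses that `x/i` output, computes the faulting address as register value plus displacement, and flags a read below the first page as a null deref; the excerpt string and the `PAGE_SIZE` constant are constructed for the example.

```python
import re

# Constructed from the gdb session in the report: faulting instruction and base register.
GDB_EXCERPT = """\
(gdb) x/i $rip
=> 0x7f44af004543 <js_GetDefaultXMLNamespace+45>:\tmov    0x60(%rax),%rax
(gdb) x/i $rax
   0x0:\tCannot access memory at address 0x0
"""

PAGE_SIZE = 0x1000  # assumed: anything below the first page is treated as a null-page access

# "<func+off>:<tab>insn" as printed by gdb for the current instruction
INSN = re.compile(r"<(?P<func>[^>+]+)\+(?P<off>\d+)>:\s*(?P<insn>.+)")
# AT&T memory operand: optional displacement followed by (base register)
MEM_OPERAND = re.compile(r"(?P<disp>-?0x[0-9a-f]+|-?\d+)?\((?P<base>%[a-z0-9]+)")
# "(gdb) x/i $reg" followed by the address gdb prints for that register
REG_VALUE = re.compile(r"\(gdb\) x/i \$(?P<reg>[a-z0-9]+)\n(?:=> )?\s*(?P<addr>0x[0-9a-f]+)")


def parse_fault(excerpt):
    """Return (function, base register, displacement, access kind, register value)."""
    insn = INSN.search(excerpt)
    mem = MEM_OPERAND.search(insn.group("insn"))
    disp = int(mem.group("disp") or "0", 0)
    base = mem.group("base").lstrip("%")
    # In AT&T syntax the destination is the last operand: a memory destination means a write.
    operands = insn.group("insn").split(None, 1)[1]
    access = "write" if "(" in operands.rsplit(",", 1)[-1] else "read"
    values = {m.group("reg"): int(m.group("addr"), 16) for m in REG_VALUE.finditer(excerpt)}
    return insn.group("func"), base, disp, access, values[base]


def classify(excerpt):
    """Classify the crash from the gdb excerpt; returns a dict with the triage result."""
    func, base, disp, access, value = parse_fault(excerpt)
    fault_addr = (value + disp) & 0xFFFFFFFFFFFFFFFF
    # A small offset from a null pointer is a field access through NULL: a crash, not a
    # controllable pointer. A non-null bad address needs further triage before rating it.
    kind = "null-deref" if fault_addr < PAGE_SIZE else "wild-access"
    return {"function": func, "base": base, "disp": disp, "access": access,
            "fault_addr": fault_addr, "kind": kind}


if __name__ == "__main__":
    print(classify(GDB_EXCERPT))
```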
(Reporter)

Comment 1

9 years ago
3.6.3 WinXP Crash Bang Boom:

bp-d6de7bc2-2773-4ab6-a2b7-6056a2100520
(Reporter)

Updated

9 years ago
blocking1.9.2: --- → ?
blocking2.0: --- → ?
OS: Linux → All
Hardware: x86 → All

Updated

9 years ago
blocking1.9.2: ? → needed
status1.9.1: --- → unaffected
status1.9.2: --- → wanted

Updated

8 years ago
blocking2.0: ? → final+

Comment 2

8 years ago
The wrapper work has since removed XPCSafeJSObjectWrapper entirely.  I tried the closest thing I could think of that still works:

  var g = Cu.Sandbox("about:blank");
  Cu.evalInSandbox("var y = <x/>; y", g).l = eval;

and got a proper error "can't wrap XML objects".  WFM'ing.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ js_GetDefaultXMLNamespace]

Updated

3 years ago
Group: core-security → core-security-release