Use-after-free Crash [@ JSObject::lookupProperty] after gc()

RESOLVED DUPLICATE of bug 621375

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 6 years ago

People

(Reporter: Alex Miller, Unassigned)

Tracking

(Keywords: testcase)

Firefox Tracking Flags: (Not tracked)

Details

(Whiteboard: [sg:dupe 621375])

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

A use-after-free issue exists in the js shell. 

Testcase:
function z() { return evalcx('split').Object.__lookupGetter__; }  // js shell: create a split global and return its Object.__lookupGetter__
var a = z();   // keep only the returned function reachable
gc();          // js shell: force a full collection
a();           // call the function after the collection



Reproducible: Always

Steps to Reproduce:
1. Load that testcase
2. Use-after-free crash (trying to access 0xdadadb32)

Actual Results:  
Crash due to invalid (possibly arbitrary) memory access. (Not a crash reading freed memory)

Expected Results:  
Syntax error or exception of sorts... Anything but an exploitable crash.

Faulting instruction: mov     eax,dword ptr [eax]
(Reporter)

Comment 1

7 years ago
Just by looking at the testcase, I think the following is happening:
evalcx('split') is splitting the returned value of the function. Because one half of the split object is a null property (or whatever it's called), that half is collected by gc() because gc() doesn't seem to collect split objects correctly. Then when the function is finally called, the half of the object containing the properties was freed, which leads to accessing freed memory.

Comment 2

7 years ago
Dup of bug 619004 / bug 621375?  The testcase seems very similar to the one in bug 621375.
(Reporter)

Comment 3

7 years ago
(In reply to comment #2)
> Dup of bug 619004 / bug 621375?  The testcase seems very similar to the one in
> bug 621375.

Yeah, it is pretty similar. I would say not quite a dup because of the different crash signature, different changeset (a6438d91ca4d), and the fact that this occurs regardless of any JITs that are enabled.
I assume this is a dupe of bug 621375 and will be fixed with it, but just in case not, leaving open and "depends on" 621375 so this testcase can be separately verified.
Status: UNCONFIRMED → NEW
Depends on: 621375
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:dupe 621375] if not fixed by 621375 probably sg:critical
(Reporter)

Updated

7 years ago
Whiteboard: [sg:dupe 621375] if not fixed by 621375 probably sg:critical → [sg:dupe 621375]
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 621375