624286 - Crash [@js_TraceObject], [@nsAttrAndChildArray::Compact], or [@KERNELBASE!RaiseException] with massive array, document.write

Status: RESOLVED WONTFIX

(Core :: DOM: Core & HTML, defect)

Description

[Alex Miller]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

I wouldn't be surprised if this bug boiled down to a boring [sg:dos] null pointer deref, but I think it's security sensitive because it crashes in either:

A post-gc null deref at js_TraceObject
A null deref at nsAttrAndChildArray::Compact
OOM
One unreproducible EIP overwrite (Illegal instruction at 41414141)

And this is all from one testcase.

Reproducible: Always

Steps to Reproduce:
1. Load the attached testcase



These crashes individually appear safe, but crashing in many places is scary.

Comment 1

[Alex Miller]

Attachment: Testcase (generally a quick crash)

Comment 2

[Alex Miller]

Attachment: Stack traces

Javascript crash
Layout crash
OOM crash

Comment 3

[Daniel Veditz [:dveditz]]

Crashes trunk as well as 3.6, but so far have only seen safe crashes.

Comment 4

[Alex Miller]

(In reply to comment #3)
> Crashes trunk as well as 3.6, but so far have only seen safe crashes.

It's probably just an sg:dos bug, but crashing in JS, layout, and OOM seemed a bit odd. None of the crashes were exploitable. Should this be opened?

Comment 5

[Alex Miller]

(In reply to comment #4)
*With an exception of one oddly exploitable crash

Comment 6

[Alex Miller]

This seems a bit odd:

001baa2c 6fddc52b KERNELBASE!RaiseException+0x58
001baa64 6fde4f13 MOZCRT19!_CxxThrowException(void * pExceptionObject = 0x001baa74, struct _s__ThrowInfo * pThrowInfo = 0x6fe4aa34)+0x46 [f:\sp\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161]
001baa7c 5f7280f5 MOZCRT19!operator new(unsigned int size = 0x5f689e65)+0x73 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\new.cpp @ 61]
001baa98 5f689e65 xul!gfxWindowsFontGroup::MakeTextRun(wchar_t * aString = 0x7edec008 " undefined䅁undefinedundefined䅁undefinedundefinedundefined䅁undefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedu...", unsigned int aLength = 0x1fea, struct gfxTextRunFactory::Parameters * aParams = 0x001bab0c, unsigned int aFlags = 0x1100101)+0x24 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxwindowsfonts.cpp @ 1487]
001bb0f8 5f74a0f2 xul!TextRunWordCache::MakeTextRun(wchar_t * aText = 0x4b27b008 "undefined䅁undefinedundefined䅁undefinedundefinedundefined䅁undefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedun...", unsigned int aLength = 0x1fe9, class gfxFontGroup * aFontGroup = 0x00000003, struct gfxTextRunFactory::Parameters * aParams = 0x001bb1d0, unsigned int aFlags = 0x1100100)+0x605 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxtextrunwordcache.cpp @ 685]
001bb120 5f68c491 xul!MakeTextRun(wchar_t * aText = 0x4b27b008 "undefined䅁undefinedundefined䅁undefinedundefinedundefined䅁undefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedun...", unsigned int aLength = 0x1fe9, class gfxFontGroup * aFontGroup = 0x00000003, struct gfxTextRunFactory::Parameters * aParams = 0x001bb1d0, unsigned int aFlags = 0x1100100)+0x39 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 493]
001bc624 5f6a0ebc xul!BuildTextRunsScanner::BuildTextRunForFrames(void * aTextBuffer = 0x00000003)+0xae1 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1840]
001bd654 5f6793ba xul!BuildTextRunsScanner::FlushFrames(int aFlushLineBreaks = <Memory access error>, int aSuppressTrailingBreak = 0n3)+0xac [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1272]
001bd684 77963b4e xul!BuildTextRuns(class gfxContext * aContext = 0x646e7564, class nsTextFrame * aForFrame = 0x6e696665, class nsIFrame * aLineContainer = 0x00000003, class nsLineList_iterator * aForFrameLine = 0x6e756465)+0x32a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1206]
001bd714 5f6add05 ntdll32!RtlAllocateHeap+0x23a
001bd758 5f5e9dea xul!SearchTable(struct PLDHashTable * table = 0x03c02558, void * key = 0x0000000f, unsigned int keyHash = 5, PLDHashOperator op = 0n62927040 (No matching enumerant))+0xf5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\xpcom\build\pldhash.c @ 439]
001bd820 5f6112e7 xul!gfxFontGroup::FontResolverProc(class nsAString_internal * aName = 0x6a5756c3, void * aClosure = 0x8bf18b08)+0x11 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxfont.cpp @ 1522]
001bd86c 5f6beefd xul!nsPrefBranch::AddRef(void)+0xe [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\modules\libpref\src\nsprefbranch.cpp @ 116]
001bd8a0 5f7183d0 xul!nsAString_internal::Assign(wchar_t * data = 0x00000000 "", unsigned int length = 0x6a5756c3)+0xbd [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\xpcom\string\src\nstsubstring.cpp @ 362]
001bd8b0 5f6ad07e xul!nsPrefService::Release(void)+0x10 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\modules\libpref\src\nsprefservice.cpp @ 94]
001bd8b8 5f65dcdf xul!nsCOMPtr_base::~nsCOMPtr_base(void)+0xe [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\xpcom\build\nscomptr.cpp @ 82]
001bda6a ffff0727 xul!gfxFontGroup::ForEachFontInternal(class nsAString_internal * aFamilies = 0x1fe9ffff, class nsACString_internal * aLangGroup = 0x00000000, int aResolveGeneric = 0n-1231028224, int aResolveFontName = 0n1831, <function> * fc = 0x00010000, void * closure = 0x00000000)+0x86f [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxfont.cpp @ 1515]
WARNING: Frame IP not in any known module. Following frames may be wrong.
001bda6e 1fe9ffff 0xffff0727
001bda72 00000000 0x1fe9ffff

Those non-function addresses seem weird, and look like corruption. (Why no access violation at ffff0727 though?)

Comment 7

[Alex Miller]

Also, fwiw, |this| is null if the crash occurs in layout, and unsigned int |slots| is a seemingly random invalid address, but the crash isn't because of |slots|.

Comment 8

[Alex Miller]

(In reply to comment #3)
> Crashes trunk as well as 3.6, but so far have only seen safe crashes.

Can you post the stack traces? Or are they oom...

Comment 9

[Alex Miller]

Also, the traceObject crash is on this line:
   JSContext *cx = trc->context;
according to my debugger, and |trc| shouldn't be nulled. (or |context| shouldn't be nulled? I don't know C++ well)

The layout crash occurs at:
   mImpl->mBufferSize = newSize;
Which is a little concerning, because a buffer of null bytes is an issue.

Comment 10

[Daniel Veditz [:dveditz]]

I can confirm the crashes, but so far I've only seen the OOM safe/DoS type crashes. There may be a critical bug hiding in here somewhere based on your description, but given the unreliability of this testcase I can't yet call it critical as it would be an extremely low-success attack.

Can you improve on that? It'd make a better attack, and it would also help us pinpoint where the critical bug is lurking.

Comment 11

[Alex Miller]

(In reply to comment #10)
> I can confirm the crashes, but so far I've only seen the OOM safe/DoS type
> crashes. There may be a critical bug hiding in here somewhere based on your
> description, but given the unreliability of this testcase I can't yet call it
> critical as it would be an extremely low-success attack.
> 
> Can you improve on that? It'd make a better attack, and it would also help us
> pinpoint where the critical bug is lurking.
I've tried modifying the testcase, but the one line that causes the crash (document.write) is unreliable in itself. I'll try more though.

Also, I was discussing this with sicking, and the crash in layout almost certainly isn't a null deref because of oom.

Also, I've got a crazy theory that the null is because of the constant repetition of undefined.

Comment 12

[Alex Miller]

The compact() crashes are almost certainly related to bug 557545, so if the null deref issue there is fixed bug 557545 may actually become sg:critical due to a higher attack success chance. And, fwiw, I continue to be unable to reproduce anything that isn't a null pointer dereference or OOM, so this is really looking sg:dos.

Comment 13

[Johnny Stenback (:jst)]

There's no value in keeping this closed, marking this an sg:dos and opening this up.

Comment 14

[Sylvestre Ledru [:Sylvestre]]

Closing because no crash reported since 12 weeks.

Comment 15

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)

Comment 16

[Andrew McCreight [:mccr8]]

The test case doesn't actually crash for me any more. It sits there and the memory keeps growing, but it is fairly slow. After a few minutes, it was a little over a gig of memory in the content process. In a debug process, the content process didn't exit when I exited the browser, and the memory kept growing until it was about 4GB until it hit some kind of crash.

Anyways, it looks like this test case is now a fairly run of the mill resource exhaustion issue. In the current world where we have e10s and Fission, a website going out of control like this will really only hurt itself: the UI and even other pages should still be okay. It is often requested that we should have some way to limit how many resources a website uses, but it can be hard to do so without interfering with something people are interested in. For instance, a user might be more willing for a game they love to use a lot of resources than some ad iframe on a news article they clicked on. Anyways, I don't think there's really much to do here now.