Closed Bug 624286 Opened 14 years ago Closed 1 year ago

Crash [@js_TraceObject], [@nsAttrAndChildArray::Compact], or [@KERNELBASE!RaiseException] with massive array, document.write

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: alexander.miller, Unassigned)

Details

(4 keywords)

Crash Data

Attachments

(2 files)

Testcase (generally a quick crash)
211 bytes, text/html
Details
Stack traces
21.61 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

I wouldn't be surprised if this bug boiled down to a boring [sg:dos] null pointer deref, but I think it's security sensitive because it crashes in either:

A post-gc null deref at js_TraceObject
A null deref at nsAttrAndChildArray::Compact
OOM
One unreproducible EIP overwrite (Illegal instruction at 41414141)

And this is all from one testcase.

Reproducible: Always

Steps to Reproduce:
1. Load the attached testcase



These crashes individually appear safe, but crashing in many places is scary.

    
    

    
  

      
      
      
      

        Attached file
          
        Stack traces
      

    


  
Javascript crash
Layout crash
OOM crash
Assignee: nobody → general
Component: Security → JavaScript Engine
QA Contact: toolkit → general

    
    

    
  
Crashes trunk as well as 3.6, but so far have only seen safe crashes.

    
    

    
  
(In reply to comment #3)
> Crashes trunk as well as 3.6, but so far have only seen safe crashes.

It's probably just an sg:dos bug, but crashing in JS, layout, and OOM seemed a bit odd. None of the crashes were exploitable. Should this be opened?

    
    

    
  
(In reply to comment #4)
*With an exception of one oddly exploitable crash

    
    

    
  
This seems a bit odd:

001baa2c 6fddc52b KERNELBASE!RaiseException+0x58
001baa64 6fde4f13 MOZCRT19!_CxxThrowException(void * pExceptionObject = 0x001baa74, struct _s__ThrowInfo * pThrowInfo = 0x6fe4aa34)+0x46 [f:\sp\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161]
001baa7c 5f7280f5 MOZCRT19!operator new(unsigned int size = 0x5f689e65)+0x73 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\new.cpp @ 61]
001baa98 5f689e65 xul!gfxWindowsFontGroup::MakeTextRun(wchar_t * aString = 0x7edec008 " undefined䅁undefinedundefined䅁undefinedundefinedundefined䅁undefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedu...", unsigned int aLength = 0x1fea, struct gfxTextRunFactory::Parameters * aParams = 0x001bab0c, unsigned int aFlags = 0x1100101)+0x24 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxwindowsfonts.cpp @ 1487]
001bb0f8 5f74a0f2 xul!TextRunWordCache::MakeTextRun(wchar_t * aText = 0x4b27b008 "undefined䅁undefinedundefined䅁undefinedundefinedundefined䅁undefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedun...", unsigned int aLength = 0x1fe9, class gfxFontGroup * aFontGroup = 0x00000003, struct gfxTextRunFactory::Parameters * aParams = 0x001bb1d0, unsigned int aFlags = 0x1100100)+0x605 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxtextrunwordcache.cpp @ 685]
001bb120 5f68c491 xul!MakeTextRun(wchar_t * aText = 0x4b27b008 "undefined䅁undefinedundefined䅁undefinedundefinedundefined䅁undefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined䅁undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedun...", unsigned int aLength = 0x1fe9, class gfxFontGroup * aFontGroup = 0x00000003, struct gfxTextRunFactory::Parameters * aParams = 0x001bb1d0, unsigned int aFlags = 0x1100100)+0x39 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 493]
001bc624 5f6a0ebc xul!BuildTextRunsScanner::BuildTextRunForFrames(void * aTextBuffer = 0x00000003)+0xae1 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1840]
001bd654 5f6793ba xul!BuildTextRunsScanner::FlushFrames(int aFlushLineBreaks = <Memory access error>, int aSuppressTrailingBreak = 0n3)+0xac [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1272]
001bd684 77963b4e xul!BuildTextRuns(class gfxContext * aContext = 0x646e7564, class nsTextFrame * aForFrame = 0x6e696665, class nsIFrame * aLineContainer = 0x00000003, class nsLineList_iterator * aForFrameLine = 0x6e756465)+0x32a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1206]
001bd714 5f6add05 ntdll32!RtlAllocateHeap+0x23a
001bd758 5f5e9dea xul!SearchTable(struct PLDHashTable * table = 0x03c02558, void * key = 0x0000000f, unsigned int keyHash = 5, PLDHashOperator op = 0n62927040 (No matching enumerant))+0xf5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\xpcom\build\pldhash.c @ 439]
001bd820 5f6112e7 xul!gfxFontGroup::FontResolverProc(class nsAString_internal * aName = 0x6a5756c3, void * aClosure = 0x8bf18b08)+0x11 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxfont.cpp @ 1522]
001bd86c 5f6beefd xul!nsPrefBranch::AddRef(void)+0xe [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\modules\libpref\src\nsprefbranch.cpp @ 116]
001bd8a0 5f7183d0 xul!nsAString_internal::Assign(wchar_t * data = 0x00000000 "", unsigned int length = 0x6a5756c3)+0xbd [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\xpcom\string\src\nstsubstring.cpp @ 362]
001bd8b0 5f6ad07e xul!nsPrefService::Release(void)+0x10 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\modules\libpref\src\nsprefservice.cpp @ 94]
001bd8b8 5f65dcdf xul!nsCOMPtr_base::~nsCOMPtr_base(void)+0xe [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\xpcom\build\nscomptr.cpp @ 82]
001bda6a ffff0727 xul!gfxFontGroup::ForEachFontInternal(class nsAString_internal * aFamilies = 0x1fe9ffff, class nsACString_internal * aLangGroup = 0x00000000, int aResolveGeneric = 0n-1231028224, int aResolveFontName = 0n1831, <function> * fc = 0x00010000, void * closure = 0x00000000)+0x86f [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxfont.cpp @ 1515]
WARNING: Frame IP not in any known module. Following frames may be wrong.
001bda6e 1fe9ffff 0xffff0727
001bda72 00000000 0x1fe9ffff

Those non-function addresses seem weird, and look like corruption. (Why no access violation at ffff0727 though?)

    
  
Assignee: general → nobody
Component: JavaScript Engine → DOM: Core & HTML
Keywords: crash
QA Contact: general → general

    
    

    
  
Also, fwiw, |this| is null if the crash occurs in layout, and unsigned int |slots| is a seemingly random invalid address, but the crash isn't because of |slots|.

    
    

    
  
(In reply to comment #3)
> Crashes trunk as well as 3.6, but so far have only seen safe crashes.

Can you post the stack traces? Or are they oom...

    
  
Summary: Various crashes in many places with massive array, document.write → Crash [@js_TraceObject], [@nsAttrAndChildArray::Compact], or [@KERNELBASE!RaiseException] with massive array, document.write

    
    

    
  
Also, the traceObject crash is on this line:
   JSContext *cx = trc->context;
according to my debugger, and |trc| shouldn't be nulled. (or |context| shouldn't be nulled? I don't know C++ well)

The layout crash occurs at:
   mImpl->mBufferSize = newSize;
Which is a little concerning, because a buffer of null bytes is an issue.

    
  
OS: Windows 7 → Windows XP
Keywords: testcase
Whiteboard: [sg:needinfo]

    
    

    
  
I can confirm the crashes, but so far I've only seen the OOM safe/DoS type crashes. There may be a critical bug hiding in here somewhere based on your description, but given the unreliability of this testcase I can't yet call it critical as it would be an extremely low-success attack.

Can you improve on that? It'd make a better attack, and it would also help us pinpoint where the critical bug is lurking.
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
(In reply to comment #10)
> I can confirm the crashes, but so far I've only seen the OOM safe/DoS type
> crashes. There may be a critical bug hiding in here somewhere based on your
> description, but given the unreliability of this testcase I can't yet call it
> critical as it would be an extremely low-success attack.
> 
> Can you improve on that? It'd make a better attack, and it would also help us
> pinpoint where the critical bug is lurking.
I've tried modifying the testcase, but the one line that causes the crash (document.write) is unreliable in itself. I'll try more though.

Also, I was discussing this with sicking, and the crash in layout almost certainly isn't a null deref because of oom.

Also, I've got a crazy theory that the null is because of the constant repetition of undefined.

    
    

    
  
The compact() crashes are almost certainly related to bug 557545, so if the null deref issue there is fixed bug 557545 may actually become sg:critical due to a higher attack success chance. And, fwiw, I continue to be unable to reproduce anything that isn't a null pointer dereference or OOM, so this is really looking sg:dos.
Crash Signature: [@js_TraceObject]
[@nsAttrAndChildArray::Compact]
[@KERNELBASE!RaiseException]

    
    

    
  
There's no value in keeping this closed, marking this an sg:dos and opening this up.
Group: core-security
Crash Signature: [@js_TraceObject]
[@nsAttrAndChildArray::Compact]
[@KERNELBASE!RaiseException] → [@js_TraceObject]
[@nsAttrAndChildArray::Compact]
[@KERNELBASE!RaiseException]
Whiteboard: [sg:needinfo] → [sg:dos]
Keywords: csec-dos
Whiteboard: [sg:dos]
Keywords: sec-other

    
    

    
  
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

    
    

    
  
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

    
  
QA Whiteboard: qa-not-actionable

    
  
Severity: critical → S2

    
    

    
  
The test case doesn't actually crash for me any more. It sits there and the memory keeps growing, but it is fairly slow. After a few minutes, it was a little over a gig of memory in the content process. In a debug process, the content process didn't exit when I exited the browser, and the memory kept growing until it was about 4GB until it hit some kind of crash.


Anyways, it looks like this test case is now a fairly run of the mill resource exhaustion issue. In the current world where we have e10s and Fission, a website going out of control like this will really only hurt itself: the UI and even other pages should still be okay. It is often requested that we should have some way to limit how many resources a website uses, but it can be hard to do so without interfering with something people are interested in. For instance, a user might be more willing for a game they love to use a lot of resources than some ad iframe on a news article they clicked on. Anyways, I don't think there's really much to do here now.


Status: REOPENED → RESOLVED
Closed: 6 years ago1 year ago
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: