Bug 626631 (CVE-2011-0057)

WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]

Component: JavaScript Engine
Reported: 7 years ago
Modified: 3 years ago


(Reporter: Daniel Kozlowski, Assigned: luke)


Keywords: crash, testcase, verified1.9.1, verified1.9.2
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .14+, status1.9.2 .14-fixed, blocking1.9.1 .17+, status1.9.1 .17-fixed)


(Whiteboard: [sg:critical?][hardblocker][fixed-in-tracemonkey], crash signature, URL)


(3 attachments)

Attachment 505570, "fix nsAutoJSValHolder": 2.21 KB, patch; reviewer Ben Turner (not reading bugmail, use the needinfo flag!); flags: review+, review+
Attachment 505601, "fix for 1.9.1 and 1.9.2": 2.10 KB, patch; flags: review+, approval1.9.2.14+, approval1.9.1.17+
Attachment 505605, "PoC (zipped)": 699.93 KB, application/java-archive


7 years ago
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre

Simple WebWorker causes Firefox to crash. Run the listed page with at least one worker thread. Firefox will crash.

Reproducible: Always

Steps to Reproduce:
1. Visit the web page
2. Start up at least one Worker thread
3. Wait

Actual Results:
Firefox crashes

Expected Results:
Background thread runs and posts data to the UI thread

Confirming with SM trunk:

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:309
1 	mozjs.dll 	JSObject::nativeSearch 	js/src/jsscope.h:672
2 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5354
3 	mozjs.dll 	js::mjit::ic::GetProp 	js/src/methodjit/PolyIC.cpp:1692
4 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:748
5 	mozjs.dll 	CheckStackAndEnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:774
6 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:791
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:654
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:737
9 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:858
10 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5019
11 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1700
12 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
13 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
14 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
15 	xul.dll 	nsDOMWorkerMessageHandler::DispatchEvent 	dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
16 	xul.dll 	nsDOMWorker::DispatchEvent 	dom/src/threads/nsDOMWorker.cpp:2613
17 	xul.dll 	nsDOMFireEventRunnable::Run 	dom/src/threads/nsDOMWorker.cpp:1312
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
19 	xul.dll 	MessageLoop::DoDelayedWork 	ipc/chromium/src/base/message_loop.cc:462
20 	xul.dll 	NS_ProcessNextEvent_P 	objdir/mozilla/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
22 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
26 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:258
27 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:217
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3699
29 	seamonkey.exe 	NS_internal_main 	suite/app/nsSuiteApp.cpp:103
30 	seamonkey.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:128
31 	seamonkey.exe 	__tmainCRTStartup 	objdir/mozilla/memory/jemalloc/crtsrc/crtexe.c:591
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: WebWorker causes firefox to crash → WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]
Version: unspecified → Trunk
blocking2.0: --- → ?
Blocks: 595975
Whiteboard: hardblocker

Comment 2

7 years ago
Reproduced. This is a great test case, thanks. The crash I saw looked kinda scary, so I will hide this until we know what's up here.
Group: core-security
blocking2.0: ? → betaN+

Comment 3

7 years ago
This crashes 3.6 as well, so bad and likely exploitable.


7 years ago
blocking1.9.2: --- → ?

Comment 4

7 years ago
same signature as 595975 and a few more bugs that are not marked security sensitive.  here is the full list.


It's also ranked #18 in Firefox 4.0b9, so we should hold on 2.0+BetaN hardblocker status.

Comment 5

7 years ago
Chris, can you please hide any bugs with a test case that trigger a similar stack?

Comment 6

7 years ago
OK, hid the 3 bugs listed in comment 4.


7 years ago
Assignee: general → lw

Comment 7

7 years ago
I am able to repro a crash on TM tip with all jits disabled in js::Interpret:4192 with an object painted over with 0xdadadada.
Hm... Could it be something in the structured clone code then?

Comment 9

7 years ago
I just put printfs around the 'buffer.read' in nsDOMWorkerEvent::GetData and a printf in gc, and the gc happens after the read finishes.  So it looks like somewhere in the XPConnect machinery.  Fortunately it's a pretty tight window, so I can bisect further.


7 years ago
Whiteboard: hardblocker → [sg:critical?][hardblocker]
status1.9.2: --- → wanted

Comment 11

7 years ago
Oh wow, nsAutoJSValHolder is totally wrong and totally not rooting the jsval.

Comment 12

7 years ago
Created attachment 505570 [details] [diff] [review]
fix nsAutoJSValHolder

Runs for much longer with no crash.

(On the down side, although animation continues, once this sucker gets revved up, I can't navigate away, at least in my debug build...)
Attachment #505570 - Flags: review?(bent.mozilla)


7 years ago
Attachment #505570 - Flags: review+

Comment 13

7 years ago
Nice catch. We should provide better auto rooter classes for heap rooted jsvals from within the engine and remove the code XPConnect and dom defines.
Attachment #505570 - Flags: review?(bent.mozilla) → review+


7 years ago
blocking1.9.2: ? → .14+

Comment 14

7 years ago
Luke, if we can get a branch patch ready today we can make the next 3.6 update.

Comment 15

7 years ago
We're going to try to shoehorn this into (and if affected). We'd need this landed either today or tomorrow. Please ask for branch approval when a branch patch is ready. Thanks for the quick patch Luke!

Comment 16

7 years ago

(In reply to comment #13)
> We should provide better auto rooter classes for heap rooted jsvals
> from within the engine and remove the code XPConnect and dom defines.

Yeah, avoid a lot of code duplication.  Also it should only cost a doubly-linked list insertion/removal, none of this hash table business.
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][fixed-in-tracemonkey]
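The failure mode discussed in comments 11, 13 and 16 (a holder that stores a GC-managed value without registering it as a root, so a collection frees the object while it is still in use, versus an RAII rooter that costs only a doubly-linked list insertion and removal) is easy to model in isolation. The block below is an added example written for this page; it is not SpiderMonkey code, not the attached patches, and not nsAutoJSValHolder. All names (Cell, RootNode, ToyHeap, AutoRooter, BrokenHolder) are invented, the heap is a toy mark/sweep collector, and swept cells are poisoned with the 0xdadadada pattern from comment 7 rather than released so the stale read can be observed without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Toy GC cell (invented). Unreachable cells are poisoned, not released,
// so the example can observe a stale read safely.
struct Cell {
    uint32_t payload;
    bool marked;
    bool freed;
    explicit Cell(uint32_t p) : payload(p), marked(false), freed(false) {}
};

// Intrusive doubly-linked root list node: registering or unregistering a
// root is a constant-time pointer splice, with no hash table involved.
struct RootNode {
    Cell** slot;
    RootNode* prev;
    RootNode* next;
    RootNode() : slot(nullptr), prev(nullptr), next(nullptr) {}
};

class ToyHeap {
public:
    ToyHeap() : head(nullptr), roots(0) {}
    Cell* allocate(uint32_t payload) {
        cells.emplace_back(new Cell(payload));
        return cells.back().get();
    }
    void addRoot(RootNode* n) {
        n->prev = nullptr; n->next = head;
        if (head) head->prev = n;
        head = n; ++roots;
    }
    void removeRoot(RootNode* n) {
        if (n->prev) n->prev->next = n->next; else head = n->next;
        if (n->next) n->next->prev = n->prev;
        n->prev = n->next = nullptr; --roots;
    }
    std::size_t rootCount() const { return roots; }
    // Mark every cell reachable from the root list, then sweep the rest.
    void collect() {
        for (RootNode* n = head; n; n = n->next)
            if (*n->slot) (*n->slot)->marked = true;
        for (auto& c : cells) {
            if (!c->marked && !c->freed) { c->freed = true; c->payload = 0xdadadada; }
            c->marked = false;
        }
    }
private:
    std::vector<std::unique_ptr<Cell>> cells;
    RootNode* head;
    std::size_t roots;
};

// RAII rooter: the slot sits on the root list exactly as long as this lives.
class AutoRooter {
public:
    AutoRooter(ToyHeap& h, Cell* c) : heap(h), cell(c) { node.slot = &cell; heap.addRoot(&node); }
    ~AutoRooter() { heap.removeRoot(&node); }
    AutoRooter(const AutoRooter&) = delete;
    AutoRooter& operator=(const AutoRooter&) = delete;
    Cell* get() const { return cell; }
private:
    ToyHeap& heap;
    Cell* cell;
    RootNode node;
};

// Holder that only stores the pointer and never tells the GC: the shape of
// the defect described in comment 11 (a stand-in, not the real class).
class BrokenHolder {
public:
    explicit BrokenHolder(Cell* c) : cell(c) {}
    Cell* get() const { return cell; }
private:
    Cell* cell;
};

// Hold a value across a GC, as the worker message path does, then read it.
uint32_t readAfterGcUnrooted(uint32_t payload) {
    ToyHeap heap;
    BrokenHolder holder(heap.allocate(payload));
    heap.collect();                 // nothing roots the cell, so it is swept
    return holder.get()->payload;   // stale read returns the poison pattern
}

uint32_t readAfterGcRooted(uint32_t payload) {
    ToyHeap heap;
    AutoRooter holder(heap, heap.allocate(payload));
    heap.collect();                 // the root keeps the cell alive
    return holder.get()->payload;
}

// Leaving the rooter's scope unregisters the root again, so a holder must
// outlive every use of the value it protects.
std::size_t rootsAfterScope() {
    ToyHeap heap;
    { AutoRooter holder(heap, heap.allocate(1)); }
    return heap.rootCount();
}

int main() {
    std::printf("unrooted: 0x%08lx  rooted: %lu  roots left: %lu\n",
                static_cast<unsigned long>(readAfterGcUnrooted(42)),
                static_cast<unsigned long>(readAfterGcRooted(42)),
                static_cast<unsigned long>(rootsAfterScope()));
    return 0;
}
```

The unrooted path reads back 0xdadadada because the collector never learned about the holder; in a real engine that read is a use-after-free on whatever the allocator has since placed there. The rooted path returns the original payload, and the root list is empty again once the rooter is destroyed, which is the property that makes the RAII form both safe and cheap.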


7 years ago
blocking1.9.1: --- → .17+
status1.9.1: --- → wanted

Comment 17

7 years ago
Created attachment 505601 [details] [diff] [review]
fix for 1.9.1 and 1.9.2

The issue exists on 1.9.1.  The same patch applies to both.

Re-asking for review since I had to change the patch to use the old scary type-unsafe rooting APIs.
Attachment #505601 - Flags: review?(gal)
Attachment #505601 - Flags: approval1.9.2.14?
Attachment #505601 - Flags: approval1.9.1.17?
Keywords: crash, testcase
Created attachment 505605 [details]
PoC (zipped)

Saving testcase for posterity/QA


7 years ago
Attachment #505601 - Flags: review?(gal) → review+


7 years ago
Attachment #505601 - Flags: approval1.9.2.14?
Attachment #505601 - Flags: approval1.9.2.14+
Attachment #505601 - Flags: approval1.9.1.17?
Attachment #505601 - Flags: approval1.9.1.17+

Comment 19

7 years ago
cdleary-bot mozilla-central merge info:
Last Resolved: 7 years ago
Resolution: --- → FIXED


7 years ago
status1.9.1: wanted → .17-fixed
status1.9.2: wanted → .14-fixed
Verified fixed in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110121 Firefox/3.6.14 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 

Verified fixed in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110121 Firefox/3.5.17 ( .NET CLR 3.5.30729) and webpage. Saw the crash in
Keywords: verified1.9.1, verified1.9.2

Comment 22

7 years ago
I can also verify the fix is working. Great job on the fast response. 

Alias: CVE-2011-0057

Comment 23

7 years ago
Dan, ping chofmann@mozilla.com if you are interested in a security bug bounty for your help on this bug.
Group: core-security
Crash Signature: [@ js::PropertyTable::search(int, bool) ]


5 years ago
No longer blocks: 595975


5 years ago
Blocks: 595975
Flags: sec-bounty+