Bug 626631 (CVE-2011-0057)

WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
3 years ago

People

(Reporter: Daniel Kozlowski, Assigned: luke)

Tracking

(4 keywords)

Trunk
crash, testcase, verified1.9.1, verified1.9.2
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .14+, status1.9.2 .14-fixed, blocking1.9.1 .17+, status1.9.1 .17-fixed)

Details

(Whiteboard: [sg:critical?][hardblocker][fixed-in-tracemonkey], crash signature, URL)

Attachments

(3 attachments)

2.21 KB, patch
Ben Turner (not reading bugmail, use the needinfo flag!)
: review+
gal
: review+
Details | Diff | Splinter Review
2.10 KB, patch
gal
: review+
christian
: approval1.9.2.14+
christian
: approval1.9.1.17+
Details | Diff | Splinter Review
699.93 KB, application/java-archive
Details
(Reporter)

Description

6 years ago
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre

Simple WebWorker causes Firefox to crash. Run the listed page with at least one worker thread. Firefox will crash.

Reproducible: Always

Steps to Reproduce:
1. Visit Web Page
2. Start up at least one Worker thread
3. wait
Actual Results:
Firefox crashes

Expected Results:
Background thread runs and posts data to the UI thread
confirming with SM trunk
bp-476080c0-cb13-44f3-bc46-4f7482110118

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:309
1 	mozjs.dll 	JSObject::nativeSearch 	js/src/jsscope.h:672
2 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5354
3 	mozjs.dll 	js::mjit::ic::GetProp 	js/src/methodjit/PolyIC.cpp:1692
4 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:748
5 	mozjs.dll 	CheckStackAndEnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:774
6 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:791
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:654
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:737
9 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:858
10 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5019
11 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1700
12 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
13 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
14 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
15 	xul.dll 	nsDOMWorkerMessageHandler::DispatchEvent 	dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
16 	xul.dll 	nsDOMWorker::DispatchEvent 	dom/src/threads/nsDOMWorker.cpp:2613
17 	xul.dll 	nsDOMFireEventRunnable::Run 	dom/src/threads/nsDOMWorker.cpp:1312
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
19 	xul.dll 	MessageLoop::DoDelayedWork 	ipc/chromium/src/base/message_loop.cc:462
20 	xul.dll 	NS_ProcessNextEvent_P 	objdir/mozilla/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
22 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
26 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:258
27 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:217
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3699
29 	seamonkey.exe 	NS_internal_main 	suite/app/nsSuiteApp.cpp:103
30 	seamonkey.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:128
31 	seamonkey.exe 	__tmainCRTStartup 	objdir/mozilla/memory/jemalloc/crtsrc/crtexe.c:591
Assignee: nobody → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: WebWorker causes firefox to crash → WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]
Version: unspecified → Trunk
blocking2.0: --- → ?
Blocks: 595975
Whiteboard: hardblocker

Comment 2

6 years ago
Reproduced. This is a great test case, thanks. The crash I saw looked kinda scary, so I will hide this until we know what's up here.
Group: core-security
blocking2.0: ? → betaN+

Comment 3

6 years ago
This crashes 3.6 as well, so bad and likely exploitable.

Updated

6 years ago
blocking1.9.2: --- → ?

Comment 4

6 years ago
Same signature as 595975 and a few more bugs that are not marked security sensitive. Here is the full list.

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=595975,602223,615492

It's also ranked #18 in Firefox 4.0b9, so we should hold on 2.0+BetaN hardblocker status.

Comment 5

6 years ago
Chris can you please hide any bugs with a test case that trigger a similar stack?

Comment 6

6 years ago
OK, hid the 3 bugs listed on comment 4.
(Assignee)

Updated

6 years ago
Assignee: general → lw
(Assignee)

Comment 7

6 years ago
I am able to repro a crash on TM tip with all jits disabled in js::Interpret:4192 with an object painted over with 0xdadadada.
Hm... Could it be something in the structured clone code then?
(Assignee)

Comment 9

6 years ago
I just put printfs around the 'buffer.read' in nsDOMWorkerEvent::GetData and a printf in gc, and the gc happens after the read finishes. So it looks like somewhere in the XPConnect machinery. Fortunately it's a pretty tight window, so I can bisect further.

Updated

6 years ago
Whiteboard: hardblocker → [sg:critical?][hardblocker]
status1.9.2: --- → wanted
(Assignee)

Comment 11

6 years ago
Oh wow, nsAutoJSValHolder is totally wrong and totally not rooting the jsval.
(Assignee)

Comment 12

6 years ago
Created attachment 505570 [details] [diff] [review]
fix nsAutoJSValHolder

Runs for much longer with no crash.

(On the down side, although animation continues, once this sucker gets revved up, I can't navigate away, at least in my debug build...)
Attachment #505570 - Flags: review?(bent.mozilla)

Updated

6 years ago
Attachment #505570 - Flags: review+

Comment 13

6 years ago
Nice catch. We should provide better auto rooter classes for heap rooted jsvals from within the engine and remove the code XPConnect and dom defines.
Attachment #505570 - Flags: review?(bent.mozilla) → review+

Updated

6 years ago
blocking1.9.2: ? → .14+

Comment 14

6 years ago
Luke, if we can get a branch patch ready today we can make the next 3.6 update.

Comment 15

6 years ago
We're going to try to shoehorn this into 1.9.2.14 (and 1.9.1.17 if affected). We'd need this landed either today or tomorrow. Please ask for branch approval when a branch patch is ready. Thanks for the quick patch Luke!
(Assignee)

Comment 16

6 years ago
http://hg.mozilla.org/tracemonkey/rev/a80b4c08c189

(In reply to comment #13)
> We should provide better auto rooter classes for heap rooted jsvals
> from within the engine and remove the code XPConnect and dom defines.

Yeah, avoid a lot of code duplication.  Also it should only cost a doubly-linked list insertion/removal, none of this hash table business.
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][fixed-in-tracemonkey]
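The defect named in comments 11 and 13 (a holder that keeps a GC-managed value without rooting it, so a collection frees the value while the holder still points at it) and the rooter design sketched in comment 16 (scope-bound rooters that cost only a doubly-linked list insertion and removal), as an added C++ example. This is a toy mark-sweep collector written for this page; it is not SpiderMonkey, XPConnect or nsAutoJSValHolder code, and every name in it (ToyHeap, ToyObject, AutoRooter and the demo functions) is assumed.

```cpp
#include <iostream>
#include <vector>

// Toy mark-sweep heap, written for this page (not SpiderMonkey code).
// Swept objects are flagged dead rather than freed, so the checks below
// never read freed memory while demonstrating the dangling-holder hazard.
struct ToyObject {
    bool marked = false;
    bool live = true;
    int value = 0;
};

struct AutoRooter;

struct ToyHeap {
    std::vector<ToyObject*> objects;   // every allocation, live or dead
    AutoRooter* rootHead = nullptr;    // intrusive doubly-linked root list

    ToyObject* allocate(int v);
    void collect();
    ~ToyHeap();
};

// RAII rooter: construction links the held object into the heap's root
// list, destruction unlinks it. Both are O(1) pointer updates, the cost
// comment 16 contrasts with hash-table based rooting.
struct AutoRooter {
    ToyHeap& heap;
    ToyObject* obj;
    AutoRooter* prev = nullptr;
    AutoRooter* next = nullptr;

    AutoRooter(ToyHeap& h, ToyObject* o) : heap(h), obj(o) {
        next = heap.rootHead;
        if (next) next->prev = this;
        heap.rootHead = this;
    }
    ~AutoRooter() {
        if (prev) prev->next = next; else heap.rootHead = next;
        if (next) next->prev = prev;
    }
    AutoRooter(const AutoRooter&) = delete;
    AutoRooter& operator=(const AutoRooter&) = delete;
};

ToyObject* ToyHeap::allocate(int v) {
    ToyObject* o = new ToyObject;
    o->value = v;
    objects.push_back(o);
    return o;
}

void ToyHeap::collect() {
    // Mark: only objects reachable from a registered rooter survive.
    for (AutoRooter* r = rootHead; r; r = r->next)
        if (r->obj) r->obj->marked = true;
    // Sweep: anything unmarked is dead from now on.
    for (ToyObject* o : objects) {
        if (!o->marked) o->live = false;
        o->marked = false;
    }
}

ToyHeap::~ToyHeap() { for (ToyObject* o : objects) delete o; }

// Shape of the bug: the holder stores the object but never roots it, so a
// collection that runs while the holder is in use leaves it dangling.
bool heldObjectSurvivesWithoutRooting() {
    ToyHeap heap;
    ToyObject* held = heap.allocate(42);   // stored, never registered as a root
    heap.collect();                        // GC fires mid-use
    return held->live;                     // false: dangling reference
}

// Corrected holder: rooted for exactly its own lifetime.
bool heldObjectSurvivesWithRooting() {
    ToyHeap heap;
    ToyObject* held = heap.allocate(42);
    AutoRooter root(heap, held);
    heap.collect();
    return held->live;                     // true
}

// Scope-bound rooting does not leak: once the rooter is gone the object
// is collectable again.
bool objectCollectedAfterRooterLeavesScope() {
    ToyHeap heap;
    ToyObject* held = heap.allocate(7);
    {
        AutoRooter root(heap, held);
        heap.collect();
        if (!held->live) return false;
    }
    heap.collect();
    return !held->live;                    // true: swept once unrooted
}

// Rooters may be removed in any order; unlinking the middle one keeps the
// list consistent, so the other two objects still survive.
int liveCountAfterUnlinkingMiddleRooter() {
    ToyHeap heap;
    ToyObject* a = heap.allocate(1);
    ToyObject* b = heap.allocate(2);
    ToyObject* c = heap.allocate(3);
    AutoRooter* ra = new AutoRooter(heap, a);
    AutoRooter* rb = new AutoRooter(heap, b);
    AutoRooter* rc = new AutoRooter(heap, c);
    delete rb;
    heap.collect();
    int live = (a->live ? 1 : 0) + (b->live ? 1 : 0) + (c->live ? 1 : 0);
    delete ra;
    delete rc;
    return live;                           // 2
}

int main() {
    std::cout << "unrooted survives: " << heldObjectSurvivesWithoutRooting() << "\n"
              << "rooted survives:   " << heldObjectSurvivesWithRooting() << "\n";
    return 0;
}
```

The detection angle is the one comment 9 used: instrument the collector and the holder's use sites, and any value that is read after a collection ran without being on the root list is the bug. In a real engine the sweep frees or reuses the memory, which is why the same pattern shows up as a crash inside property lookup rather than as a tidy boolean.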

Updated

6 years ago
blocking1.9.1: --- → .17+
status1.9.1: --- → wanted
(Assignee)

Comment 17

6 years ago
Created attachment 505601 [details] [diff] [review]
fix for 1.9.1 and 1.9.2

The issue exists on 1.9.1.  The same patch applies to both.

Re-asking for review since I had to change the patch to use the old scary type-unsafe rooting APIs.
Attachment #505601 - Flags: review?(gal)
Attachment #505601 - Flags: approval1.9.2.14?
Attachment #505601 - Flags: approval1.9.1.17?
Keywords: crash, testcase
Created attachment 505605 [details]
PoC (zipped)

Saving testcase for posterity/QA

Updated

6 years ago
Attachment #505601 - Flags: review?(gal) → review+

Updated

6 years ago
Attachment #505601 - Flags: approval1.9.2.14?
Attachment #505601 - Flags: approval1.9.2.14+
Attachment #505601 - Flags: approval1.9.1.17?
Attachment #505601 - Flags: approval1.9.1.17+
(Assignee)

Comment 19

6 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2c0131a3e7d7
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/3a93f9bf856b
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/a80b4c08c189
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
status1.9.1: wanted → .17-fixed
status1.9.2: wanted → .14-fixed
Verified fixed in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110121 Firefox/3.6.14 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 1.9.2.13.

Verified fixed in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17) Gecko/20110121 Firefox/3.5.17 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 1.9.1.16.
Keywords: verified1.9.1, verified1.9.2
(Reporter)

Comment 22

6 years ago
I can also verify the fix is working. Great job on the fast response.

BZ
Alias: CVE-2011-0057

Comment 23

6 years ago
Dan, ping chofmann@mozilla.com if you are interested in a security bug bounty for your help on this bug.
Group: core-security
Crash Signature: [@ js::PropertyTable::search(int, bool) ]

Updated

5 years ago
No longer blocks: 595975

Updated

5 years ago
Blocks: 595975
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+