Bug 626631 - (CVE-2011-0057) WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]
Keywords: crash, testcase, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
Blocks: 595975
Reported: 2011-01-18 06:46 PST by Daniel Kozlowski
Modified: 2014-07-22 13:05 PDT
rforbes: sec-bounty+

fix nsAutoJSValHolder (2.21 KB, patch)
2011-01-20 15:18 PST, Luke Wagner [:luke]
bent.mozilla: review+
gal: review+

fix for 1.9.1 and 1.9.2 (2.10 KB, patch)
2011-01-20 16:23 PST, Luke Wagner [:luke]
gal: review+
christian: approval1.9.2.14+
christian: approval1.9.1.17+

PoC (zipped) (699.93 KB, application/java-archive)
2011-01-20 16:37 PST, Daniel Veditz [:dveditz]
no flags

Description Daniel Kozlowski 2011-01-18 06:46:02 PST
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre

Simple WebWorker causes Firefox to crash. Run the listed page with at least one worker thread. Firefox will crash.

Reproducible: Always

Steps to Reproduce:
1. Visit Web Page
2. Start up at least one Worker thread
3. Wait
Actual Results:
Firefox crashes

Expected Results:
Background thread runs and posts data to the UI thread
Comment 1 Matthias Versen [:Matti] 2011-01-18 09:06:12 PST
confirming with SM trunk

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:309
1 	mozjs.dll 	JSObject::nativeSearch 	js/src/jsscope.h:672
2 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5354
3 	mozjs.dll 	js::mjit::ic::GetProp 	js/src/methodjit/PolyIC.cpp:1692
4 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:748
5 	mozjs.dll 	CheckStackAndEnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:774
6 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:791
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:654
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:737
9 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:858
10 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5019
11 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1700
12 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
13 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
14 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
15 	xul.dll 	nsDOMWorkerMessageHandler::DispatchEvent 	dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
16 	xul.dll 	nsDOMWorker::DispatchEvent 	dom/src/threads/nsDOMWorker.cpp:2613
17 	xul.dll 	nsDOMFireEventRunnable::Run 	dom/src/threads/nsDOMWorker.cpp:1312
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
19 	xul.dll 	MessageLoop::DoDelayedWork 	ipc/chromium/src/base/
20 	xul.dll 	NS_ProcessNextEvent_P 	objdir/mozilla/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
22 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
26 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:258
27 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:217
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3699
29 	seamonkey.exe 	NS_internal_main 	suite/app/nsSuiteApp.cpp:103
30 	seamonkey.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:128
31 	seamonkey.exe 	__tmainCRTStartup 	objdir/mozilla/memory/jemalloc/crtsrc/crtexe.c:591
Comment 2 Andreas Gal :gal 2011-01-18 12:58:50 PST
Reproduced. This is a great test case, thanks. The crash I saw looked kinda scary, so I will hide this until we know what's up here.
Comment 3 Andreas Gal :gal 2011-01-18 13:12:16 PST
This crashes 3.6 as well, so bad and likely exploitable.
Comment 4 chris hofmann 2011-01-18 15:38:58 PST
Same signature as 595975 and a few more bugs that are not marked security sensitive. Here is the full list: 602223, 615492

It's also ranked #18 in firefox 4.0b9, so we should hold on 2.0+BetaN hardblocker status.
Comment 5 Andreas Gal :gal 2011-01-18 16:51:52 PST
Chris, can you please hide any bugs with a test case that triggers a similar stack?
Comment 6 chris hofmann 2011-01-18 17:00:24 PST
ok, hid the 3 bugs listed on comment 4.
Comment 7 Luke Wagner [:luke] 2011-01-20 11:29:16 PST
I am able to repro a crash on TM tip with all jits disabled in js::Interpret:4192 with an object painted over with 0xdadadada.
Comment 8 Ben Turner (not reading bugmail, use the needinfo flag!) 2011-01-20 11:31:25 PST
Hm... Could it be something in the structured clone code then?
Comment 9 Luke Wagner [:luke] 2011-01-20 13:50:03 PST
I just put printfs around the '' in nsDOMWorkerEvent::GetData and a printf in gc, and the gc happens after the read finishes.  So it looks like somewhere in the XPConnect machinery.  Fortunately it's a pretty tight window, so I can bisect further.
Comment 11 Luke Wagner [:luke] 2011-01-20 14:58:29 PST
Oh wow, nsAutoJSValHolder is totally wrong and totally not rooting the jsval.
Comment 12 Luke Wagner [:luke] 2011-01-20 15:18:25 PST
Created attachment 505570 [details] [diff] [review]
fix nsAutoJSValHolder

Runs for much longer with no crash.

(On the down side, although animation continues, once this sucker gets revved up, I can't navigate away, at least in my debug build...)
Comment 13 Andreas Gal :gal 2011-01-20 15:21:35 PST
Nice catch. We should provide better auto rooter classes for heap rooted jsvals from within the engine and remove the code XPConnect and dom defines.
Comment 14 Andreas Gal :gal 2011-01-20 15:48:53 PST
Luke, if we can get a branch patch ready today we can make the next 3.6 update.
Comment 15 christian 2011-01-20 15:50:31 PST
We're going to try to shoehorn this into (and if affected). We'd need this landed either today or tomorrow. Please ask for branch approval when a branch patch is ready. Thanks for the quick patch Luke!
Comment 16 Luke Wagner [:luke] 2011-01-20 15:51:32 PST

(In reply to comment #13)
> We should provide better auto rooter classes for heap rooted jsvals
> from within the engine and remove the code XPConnect and dom defines.

Yeah, avoid a lot of code duplication.  Also it should only cost a doubly-linked list insertion/removal, none of this hash table business.
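The rooting mechanics behind comments 11 and 16, as an added illustration that is not code from this bug's patch, from XPConnect or from SpiderMonkey: a toy mark/sweep heap whose mark phase walks an intrusive doubly-linked list of roots, beside two C++ holders for a heap pointer. UnrootedHolder mirrors the defect Luke describes (keeps the pointer but never registers it with the GC, so a collection in the window between the structured-clone read and the JS call frees the object out from under it); AutoRooter is the RAII, list-linked design suggested in comment 16, where registering and unregistering a root is an O(1) link/unlink on the rooter's own node rather than a hash-table insert and delete. Freed cells are filled with 0xDA bytes to match the 0xdadadada pattern reported in comment 7, which is what SpiderMonkey debug builds of that era wrote over freed memory. All type and function names, and all values, are assumptions made for this example.

```cpp
// Added example (toy model, not SpiderMonkey or Gecko code): GC rooting via
// an intrusive doubly-linked root list, beside a holder that forgets to root.
#include <cstdint>
#include <memory>
#include <vector>

struct Object {
    explicit Object(uint32_t v) : payload(v) {}
    uint32_t payload;          // stands in for a property slot
    bool marked = false, freed = false;
};

// One node per live rooter: knows its neighbours, so link/unlink are O(1).
struct RootNode {
    Object** slot = nullptr;
    RootNode* prev = nullptr;
    RootNode* next = nullptr;
};

class Heap {
public:
    Object* alloc(uint32_t v) {
        objects_.emplace_back(new Object(v));
        return objects_.back().get();
    }
    void addRoot(RootNode* n) {               // push at head, no lookup
        n->prev = nullptr; n->next = head_;
        if (head_) head_->prev = n;
        head_ = n; ++roots_;
    }
    void removeRoot(RootNode* n) {            // unlink in place, no lookup
        if (n->prev) n->prev->next = n->next; else head_ = n->next;
        if (n->next) n->next->prev = n->prev;
        n->prev = n->next = nullptr; --roots_;
    }
    size_t rootCount() const { return roots_; }
    // Mark from the root list, then sweep. Unmarked cells are poisoned with
    // 0xDA bytes; storage is kept so the dangling read below is well-defined.
    void collect() {
        for (RootNode* n = head_; n; n = n->next)
            if (*n->slot) (*n->slot)->marked = true;
        for (auto& o : objects_) {
            if (!o->marked && !o->freed) { o->payload = 0xDADADADA; o->freed = true; }
            o->marked = false;
        }
    }
private:
    std::vector<std::unique_ptr<Object>> objects_;
    RootNode* head_ = nullptr;
    size_t roots_ = 0;
};

// Bug pattern (comment 11): keeps the pointer, never tells the GC about it.
struct UnrootedHolder {
    Object* obj;
};

// Fix pattern (comment 16): RAII rooter, linked in for exactly its lifetime.
class AutoRooter {
public:
    AutoRooter(Heap& h, Object* o) : heap_(h), obj_(o) {
        node_.slot = &obj_;
        heap_.addRoot(&node_);
    }
    ~AutoRooter() { heap_.removeRoot(&node_); }
    AutoRooter(const AutoRooter&) = delete;
    AutoRooter& operator=(const AutoRooter&) = delete;
    Object* get() const { return obj_; }
private:
    Heap& heap_;
    Object* obj_;
    RootNode node_;
};

// A collection runs while the holder is the only reference: the read comes
// back as poison, the symptom seen in comment 7.
uint32_t readThroughUnrootedHolder() {
    Heap heap;
    UnrootedHolder h{heap.alloc(0x1234)};
    heap.collect();
    return h.obj->payload;                    // 0xDADADADA
}

// Same sequence with a real root: the value survives.
uint32_t readThroughAutoRooter() {
    Heap heap;
    AutoRooter r(heap, heap.alloc(0x1234));
    heap.collect();
    return r.get()->payload;                  // 0x1234
}

// Leaving the rooter's scope unlinks it, so the object becomes collectable
// again and no stale root is left behind.
bool rootUnlinksOnScopeExit() {
    Heap heap;
    Object* o = nullptr;
    {
        AutoRooter r(heap, heap.alloc(7));
        o = r.get();
    }
    heap.collect();
    return o->payload == 0xDADADADA && heap.rootCount() == 0;
}
```

The point of putting the list node inside the rooter is that unregistering needs no search: the node already holds its neighbours, so a rooter can be created and destroyed on every message dispatch at constant cost, which is what makes an RAII holder cheap enough to use unconditionally instead of being skipped.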
Comment 17 Luke Wagner [:luke] 2011-01-20 16:23:22 PST
Created attachment 505601 [details] [diff] [review]
fix for 1.9.1 and 1.9.2

The issue exists on 1.9.1.  The same patch applies to both.

Re-asking for review since I had to change the patch to use the old scary type-unsafe rooting APIs.
Comment 18 Daniel Veditz [:dveditz] 2011-01-20 16:37:43 PST
Created attachment 505605 [details]
PoC (zipped)

Saving testcase for posterity/QA
Comment 20 Chris Leary [:cdleary] (not checking bugmail) 2011-01-20 21:29:58 PST
cdleary-bot mozilla-central merge info:
Comment 21 Al Billings [:abillings] 2011-01-25 17:01:26 PST
Verified fixed in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110121 Firefox/3.6.14 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 

Verified fixed in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110121 Firefox/3.5.17 ( .NET CLR 3.5.30729) and webpage. Saw the crash in
Comment 22 Daniel Kozlowski 2011-01-26 05:37:49 PST
I can also verify the fix is working. Great job on the fast response. 

Comment 23 chris hofmann 2011-02-18 13:52:16 PST
dan, ping if you are interested in a security bug bounty for your help on this bug.
Comment 24 Raymond Forbes[:rforbes] 2013-07-19 17:38:51 PDT
