Bug 626631 - (CVE-2011-0057) WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]
Status: RESOLVED FIXED
Whiteboard: [sg:critical?][hardblocker][fixed-in-...
Keywords: crash, testcase, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Luke Wagner [:luke]
QA Contact: Jason Orendorff [:jorendorff]
Mentors:
URL: http://dkhenry.com/klien/random
Depends on:
Blocks: 595975
Reported: 2011-01-18 06:46 PST by Daniel Kozlowski
Modified: 2014-07-22 13:05 PDT
CC: 13 users
rforbes: sec-bounty+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
betaN+
.14+
.14-fixed
.17+
.17-fixed


Attachments
fix nsAutoJSValHolder (2.21 KB, patch)
2011-01-20 15:18 PST, Luke Wagner [:luke]
bent.mozilla: review+
gal: review+
fix for 1.9.1 and 1.9.2 (2.10 KB, patch)
2011-01-20 16:23 PST, Luke Wagner [:luke]
gal: review+
christian: approval1.9.2.14+
christian: approval1.9.1.17+
PoC (zipped) (699.93 KB, application/java-archive)
2011-01-20 16:37 PST, Daniel Veditz [:dveditz]

Description Daniel Kozlowski 2011-01-18 06:46:02 PST
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre

Simple WebWorker causes Firefox to crash. Run the listed page with at least one worker thread. Firefox will crash.

Reproducible: Always

Steps to Reproduce:
1. Visit Web Page
2. Start up at least one Worker thread
3. Wait
Actual Results:
Firefox crashes

Expected Results:
Background thread runs and posts data to the UI thread
Comment 1 Matthias Versen [:Matti] 2011-01-18 09:06:12 PST
confirming with SM trunk
bp-476080c0-cb13-44f3-bc46-4f7482110118

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:309
1 	mozjs.dll 	JSObject::nativeSearch 	js/src/jsscope.h:672
2 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5354
3 	mozjs.dll 	js::mjit::ic::GetProp 	js/src/methodjit/PolyIC.cpp:1692
4 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:748
5 	mozjs.dll 	CheckStackAndEnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:774
6 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:791
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:654
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:737
9 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:858
10 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5019
11 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1700
12 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
13 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
14 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
15 	xul.dll 	nsDOMWorkerMessageHandler::DispatchEvent 	dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
16 	xul.dll 	nsDOMWorker::DispatchEvent 	dom/src/threads/nsDOMWorker.cpp:2613
17 	xul.dll 	nsDOMFireEventRunnable::Run 	dom/src/threads/nsDOMWorker.cpp:1312
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
19 	xul.dll 	MessageLoop::DoDelayedWork 	ipc/chromium/src/base/message_loop.cc:462
20 	xul.dll 	NS_ProcessNextEvent_P 	objdir/mozilla/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
22 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
26 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:258
27 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:217
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3699
29 	seamonkey.exe 	NS_internal_main 	suite/app/nsSuiteApp.cpp:103
30 	seamonkey.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:128
31 	seamonkey.exe 	__tmainCRTStartup 	objdir/mozilla/memory/jemalloc/crtsrc/crtexe.c:591
Comment 2 Andreas Gal :gal 2011-01-18 12:58:50 PST
Reproduced. This is a great test case, thanks. The crash I saw looked kinda scary, so I will hide this until we know what's up here.
Comment 3 Andreas Gal :gal 2011-01-18 13:12:16 PST
This crashes 3.6 as well, so bad and likely exploitable.
Comment 4 chris hofmann 2011-01-18 15:38:58 PST
Same signature as 595975 and a few more bugs that are not marked security sensitive. Here is the full list.

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=595975,602223,615492

It's also ranked #18 in firefox 4.0b9, so we should hold on 2.0+BetaN hardblocker status.
Comment 5 Andreas Gal :gal 2011-01-18 16:51:52 PST
Chris, can you please hide any bugs with a test case that trigger a similar stack?
Comment 6 chris hofmann 2011-01-18 17:00:24 PST
OK, hid the 3 bugs listed on comment 4.
Comment 7 Luke Wagner [:luke] 2011-01-20 11:29:16 PST
I am able to repro a crash on TM tip with all jits disabled in js::Interpret:4192 with an object painted over with 0xdadadada.
Comment 8 Ben Turner (not reading bugmail, use the needinfo flag!) 2011-01-20 11:31:25 PST
Hm... Could it be something in the structured clone code then?
Comment 9 Luke Wagner [:luke] 2011-01-20 13:50:03 PST
I just put printfs around the 'buffer.read' in nsDOMWorkerEvent::GetData and a printf in gc, and the gc happens after the read finishes. So it looks like somewhere in the XPConnect machinery. Fortunately it's a pretty tight window, so I can bisect further.
Comment 11 Luke Wagner [:luke] 2011-01-20 14:58:29 PST
Oh wow, nsAutoJSValHolder is totally wrong and totally not rooting the jsval.
Comment 12 Luke Wagner [:luke] 2011-01-20 15:18:25 PST
Created attachment 505570 [details] [diff] [review]
fix nsAutoJSValHolder

Runs for much longer with no crash.

(On the down side, although animation continues, once this sucker gets revved up, I can't navigate away, at least in my debug build...)
Comment 13 Andreas Gal :gal 2011-01-20 15:21:35 PST
Nice catch. We should provide better auto rooter classes for heap rooted jsvals from within the engine and remove the code XPConnect and dom defines.
Comment 14 Andreas Gal :gal 2011-01-20 15:48:53 PST
Luke, if we can get a branch patch ready today we can make the next 3.6 update.
Comment 15 christian 2011-01-20 15:50:31 PST
We're going to try to shoehorn this into 1.9.2.14 (and 1.9.1.17 if affected). We'd need this landed either today or tomorrow. Please ask for branch approval when a branch patch is ready. Thanks for the quick patch Luke!
Comment 16 Luke Wagner [:luke] 2011-01-20 15:51:32 PST
http://hg.mozilla.org/tracemonkey/rev/a80b4c08c189

(In reply to comment #13)
> We should provide better auto rooter classes for heap rooted jsvals
> from within the engine and remove the code XPConnect and dom defines.

Yeah, that would avoid a lot of code duplication. Also it should only cost a doubly-linked list insertion/removal, none of this hash table business.
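As an added illustration of the defect named in comment 11 and the root-list design sketched in comment 16 (a constructed model, not Mozilla's or SpiderMonkey's code): a toy mark-sweep heap whose GC roots live in an intrusive doubly-linked list, so a holder that stores a value without linking a root leaves that value to be freed by the next collection while the holder still points at it.

```cpp
// Added example (constructed model, not Mozilla code): a toy mark-sweep heap
// whose GC roots live in an intrusive doubly-linked list, so registering and
// unregistering a root is O(1) list surgery rather than a hash-table lookup.
#include <vector>

struct Cell { bool marked = false; bool freed = false; };   // one heap value

struct Root;                    // forward declaration for the list head
static Root* gRoots = nullptr;  // head of the doubly-linked root list

// RAII root: links itself in on construction, unlinks on destruction.
struct Root {
    Cell* cell; Root* prev = nullptr; Root* next = nullptr;
    explicit Root(Cell* c) : cell(c), next(gRoots) {
        if (gRoots) gRoots->prev = this;
        gRoots = this;
    }
    ~Root() {
        if (prev) prev->next = next; else gRoots = next;
        if (next) next->prev = prev;
    }
    Root(const Root&) = delete;
    Root& operator=(const Root&) = delete;
};

struct Heap {
    std::vector<Cell*> cells;
    ~Heap() { for (Cell* c : cells) delete c; }
    Cell* alloc() { Cell* c = new Cell; cells.push_back(c); return c; }
    // Mark every cell reachable from the root list, then sweep the rest.
    void gc() {
        for (Root* r = gRoots; r; r = r->next) r->cell->marked = true;
        for (Cell* c : cells) { if (!c->marked) c->freed = true; c->marked = false; }
    }
};

// Buggy holder, modelling the pre-fix nsAutoJSValHolder from comment 11:
// it keeps the pointer but never tells the GC about it.
struct UnrootedHolder { Cell* cell; explicit UnrootedHolder(Cell* c) : cell(c) {} };
// Fixed holder: holding the value means holding a root for the same lifetime.
struct RootedHolder { Cell* cell; Root root; explicit RootedHolder(Cell* c) : cell(c), root(c) {} };

// Does the held value survive a GC that runs while the holder is alive?
bool survivesGcUnrooted() { Heap h; UnrootedHolder held(h.alloc()); h.gc(); return !held.cell->freed; }
bool survivesGcRooted()   { Heap h; RootedHolder held(h.alloc()); h.gc(); return !held.cell->freed; }
// Once the rooted holder is gone its root is unlinked, so the next GC may free the value.
bool freedAfterHolderDies() { Heap h; Cell* c = h.alloc(); { RootedHolder held(c); h.gc(); } h.gc(); return c->freed; }
```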
Comment 17 Luke Wagner [:luke] 2011-01-20 16:23:22 PST
Created attachment 505601 [details] [diff] [review]
fix for 1.9.1 and 1.9.2

The issue exists on 1.9.1. The same patch applies to both.

Re-asking for review since I had to change the patch to use the old scary type-unsafe rooting APIs.
Comment 18 Daniel Veditz [:dveditz] 2011-01-20 16:37:43 PST
Created attachment 505605 [details]
PoC (zipped)

Saving testcase for posterity/QA
Comment 20 Chris Leary [:cdleary] (not checking bugmail) 2011-01-20 21:29:58 PST
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/a80b4c08c189
Comment 21 Al Billings [:abillings] 2011-01-25 17:01:26 PST
Verified fixed in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110121 Firefox/3.6.14 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 1.9.2.13.

Verified fixed in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17) Gecko/20110121 Firefox/3.5.17 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 1.9.1.16.
Comment 22 Daniel Kozlowski 2011-01-26 05:37:49 PST
I can also verify the fix is working. Great job on the fast response.

BZ
Comment 23 chris hofmann 2011-02-18 13:52:16 PST
Dan, ping chofmann@mozilla.com if you are interested in a security bug bounty for your help on this bug.
Comment 24 Raymond Forbes[:rforbes] 2013-07-19 17:38:51 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719