Bug 626631 (CVE-2011-0057): WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]
Status: Closed (opened 13 years ago, closed 13 years ago)
Product / Component: Core :: JavaScript Engine, defect
Reporter: dan.kozlowski; Assigned: luke
Whiteboard: [sg:critical?][hardblocker][fixed-in-tracemonkey] (4 keywords)

Attachments (3 files)
- 2.21 KB, patch: bent.mozilla: review+; gal: review+
- 2.10 KB, patch: gal: review+; christian: approval1.9.2.14+; christian: approval1.9.1.17+
- 699.93 KB, application/java-archive

Description • 13 years ago (Reporter)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110116 Firefox/4.0b10pre

Simple WebWorker causes Firefox to crash. Run the listed page with at least one worker thread. Firefox will crash.

Reproducible: Always

Steps to Reproduce:
1. Visit Web Page
2. Start up at least one Worker thread
3. wait

Actual Results: Firefox crashes

Expected Results: Background thread runs and posts data to the UI thread
Comment 1 • 13 years ago

Confirming with SM trunk bp-476080c0-cb13-44f3-bc46-4f7482110118

 0 mozjs.dll js::PropertyTable::search js/src/jsscope.cpp:309
 1 mozjs.dll JSObject::nativeSearch js/src/jsscope.h:672
 2 mozjs.dll js_GetProperty js/src/jsobj.cpp:5354
 3 mozjs.dll js::mjit::ic::GetProp js/src/methodjit/PolyIC.cpp:1692
 4 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:748
 5 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:774
 6 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:791
 7 mozjs.dll js::RunScript js/src/jsinterp.cpp:654
 8 mozjs.dll js::Invoke js/src/jsinterp.cpp:737
 9 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:858
10 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5019
11 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1700
12 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:588
13 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
14 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
15 xul.dll nsDOMWorkerMessageHandler::DispatchEvent dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
16 xul.dll nsDOMWorker::DispatchEvent dom/src/threads/nsDOMWorker.cpp:2613
17 xul.dll nsDOMFireEventRunnable::Run dom/src/threads/nsDOMWorker.cpp:1312
18 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:633
19 xul.dll MessageLoop::DoDelayedWork ipc/chromium/src/base/message_loop.cc:462
20 xul.dll NS_ProcessNextEvent_P objdir/mozilla/xpcom/build/nsThreadUtils.cpp:250
21 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:134
22 xul.dll MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219
23 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
24 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176
25 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:192
26 xul.dll nsAppShell::Run widget/src/windows/nsAppShell.cpp:258
27 xul.dll nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:217
28 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3699
29 seamonkey.exe NS_internal_main suite/app/nsSuiteApp.cpp:103
30 seamonkey.exe wmain toolkit/xre/nsWindowsWMain.cpp:128
31 seamonkey.exe __tmainCRTStartup objdir/mozilla/memory/jemalloc/crtsrc/crtexe.c:591
Assignee: nobody → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: WebWorker causes firefox to crash → WebWorker causes firefox to crash [@ js::PropertyTable::search(int, bool) ]
Version: unspecified → Trunk
Updated • 13 years ago
blocking2.0: --- → ?
Comment 2 • 13 years ago

Reproduced. This is a great test case, thanks. The crash I saw looked kinda scary, so I will hide this until we know what's up here.
Group: core-security
blocking2.0: ? → betaN+
Comment 3 • 13 years ago

This crashes 3.6 as well, so bad and likely exploitable.
Updated • 13 years ago
blocking1.9.2: --- → ?
Comment 4 • 13 years ago

Same signature as 595975 and a few more bugs that are not marked security sensitive. Here is the full list: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=595975,602223,615492 It's also ranked #18 in Firefox 4.0b9, so we should hold on 2.0+BetaN hardblocker status.
Comment 5 • 13 years ago

Chris can you please hide any bugs with a test case that trigger a similar stack?
Updated • 13 years ago (Assignee)
Assignee: general → lw
Comment 7 • 13 years ago (Assignee)

I am able to repro a crash on TM tip with all jits disabled in js::Interpret:4192 with an object painted over with 0xdadadada.
Hm... Could it be something in the structured clone code then?
Comment 9 • 13 years ago (Assignee)

I just put printfs around the 'buffer.read' in nsDOMWorkerEvent::GetData and a printf in gc, and the gc happens after the read finishes. So it looks like somewhere in the XPConnect machinery. Fortunately it's a pretty tight window, so I can bisect further.
Updated • 13 years ago
Whiteboard: hardblocker → [sg:critical?][hardblocker]
Updated • 13 years ago
status1.9.2: --- → wanted
Comment 11 • 13 years ago (Assignee)

Oh wow, nsAutoJSValHolder is totally wrong and totally not rooting the jsval.
Comment 12 • 13 years ago (Assignee)

Runs for much longer with no crash. (On the down side, although animation continues, once this sucker gets revved up, I can't navigate away, at least in my debug build...)
Attachment #505570 - Flags: review?(bent.mozilla)
Updated • 13 years ago
Attachment #505570 - Flags: review+
Comment 13 • 13 years ago

Nice catch. We should provide better auto rooter classes for heap rooted jsvals from within the engine and remove the code XPConnect and dom defines.
Updated • 13 years ago
Attachment #505570 - Flags: review?(bent.mozilla) → review+
Comment 14 • 13 years ago

Luke, if we can get a branch patch ready today we can make the next 3.6 update.
Comment 15 • 13 years ago

We're going to try to shoehorn this into 1.9.2.14 (and 1.9.1.17 if affected). We'd need this landed either today or tomorrow. Please ask for branch approval when a branch patch is ready. Thanks for the quick patch Luke!
Comment 16 • 13 years ago (Assignee)

http://hg.mozilla.org/tracemonkey/rev/a80b4c08c189

(In reply to comment #13)
> We should provide better auto rooter classes for heap rooted jsvals
> from within the engine and remove the code XPConnect and dom defines.

Yeah, avoid a lot of code duplication. Also it should only cost a doubly-linked list insertion/removal, none of this hash table business.
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][fixed-in-tracemonkey]
blocking1.9.1: --- → .17+
status1.9.1: --- → wanted
Comment 17 • 13 years ago (Assignee)

The issue exists on 1.9.1. The same patch applies to both. Re-asking for review since I had to change the patch to use the old scary type-unsafe rooting APIs.
Attachment #505601 - Flags: review?(gal)
Attachment #505601 - Flags: approval1.9.2.14?
Attachment #505601 - Flags: approval1.9.1.17?
Updated • 13 years ago
Comment 18 • 13 years ago

Saving testcase for posterity/QA
Updated • 13 years ago
Attachment #505601 - Flags: review?(gal) → review+
Attachment #505601 - Flags: approval1.9.2.14? → approval1.9.2.14+
Attachment #505601 - Flags: approval1.9.1.17? → approval1.9.1.17+
Comment 19 • 13 years ago (Assignee)

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2c0131a3e7d7
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/3a93f9bf856b
Comment 20 • 13 years ago

cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/a80b4c08c189
Updated • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 21 • 13 years ago

Verified fixed in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110121 Firefox/3.6.14 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 1.9.2.13.

Verified fixed in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17) Gecko/20110121 Firefox/3.5.17 ( .NET CLR 3.5.30729) and webpage. Saw the crash in 1.9.1.16.
Keywords: verified1.9.1, verified1.9.2
Comment 22 • 13 years ago (Reporter)

I can also verify the fix is working. Great job on the fast response. BZ
Updated • 13 years ago
Alias: CVE-2011-0057
Comment 23 • 13 years ago

Dan, ping chofmann@mozilla.com if you are interested in a security bug bounty for your help on this bug.
Updated • 13 years ago
Group: core-security
Updated • 13 years ago
Crash Signature: [@ js::PropertyTable::search(int, bool) ]