Closed Bug 651221 Opened 14 years ago Closed 14 years ago

Investigate crash [@ ExecuteTree ]

Categories

(Core :: JavaScript Engine, defect)

1.9.2 Branch
defect
Not set
normal


VERIFIED DUPLICATE of bug 650874

People

(Reporter: bsterne, Unassigned)

Details

(Whiteboard: [sg:dupe 650874])

Attachments

(1 file)

Donato Ferrante reported this to security@m.o today. The testcase crashed Firefox 3.6.16 for me on OS X, but not trunk: bp-3694baee-d78b-49e3-9d0a-961f62110419

The rest of Donato's email follows:

-----
Hi,

I have just found a vulnerability in Firefox while it handles a specially crafted javascript.

-----------------
Affected Software
-----------------

+ Firefox 3.6.x ( tested on 3.6.16 and 3.6.17 )
- Firefox 4, seems to be non vulnerable to this issue

----------------
Proof Of Concept
----------------

This is the minimal PoC to reproduce the issue:

<html>
<script>
var Fun=eval("eval"); // required
for(u=0; u <3; u++){ Fun(); } // required - it MUST be >= 3
alert("Not bug :("); // extra - can be removed
</script>
</html>

(9a4.49c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=053ac880 ebx=03dd5800 ecx=00000007 edx=004dc778 esi=00000000 edi=004dc4f0
eip=02d9fee0 esp=004dc4b0 ebp=004dc4e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
02d9fee0 8b0504000000 mov eax,dword ptr ds:[4] ds:0023:00000004=????????
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
004dc4e8 69d8ab51 0x2d9fee0
004de8b8 69d8b2d4 js3250!ExecuteTree+0x3c1 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jstracer.cpp @ 6283]
004de930 69d99a5f js3250!js_MonitorLoopEdge+0x3e4 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jstracer.cpp @ 6749]
004deb4c 69db48e5 js3250!js_Interpret+0x88f [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jsops.cpp @ 912]
004debd0 69dc7011 js3250!js_Execute+0x1a5 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jsinterp.cpp @ 1601]
004debf8 5c8be432 js3250!JS_EvaluateUCScriptForPrincipals+0x61 [e:\builds\moz2_slave\rel-192-w32-bld\build\js\src\jsapi.cpp @ 5058]
004dec78 5c8c2c8d xul!gfxTextRun::GlyphRunIterator::NextRun+0x7282
004ded30 5c93579c xul!gfxTextRun::GlyphRunIterator::NextRun+0xbadd
004ded74 5c8c8374 xul!gfxSkipCharsIterator::gfxSkipCharsIterator+0x107d
004ded8c 5c838cbc xul!gfxWindowsFontGroup::MakeTextRun+0xe3
004deda8 6ba490c9 xul!NS_CycleCollectorSuspect2_P+0xebc
004dedc0 6ba49a1d MOZCRT19!expand+0x13c9
004dedcc 5c836503 MOZCRT19!malloc+0x3d
00000000 00000000 xul!gfxWindowsFontGroup::InitTextRunUniscribe+0x232
The stack I got does look pretty bad: bp-3694baee-d78b-49e3-9d0a-961f62110419 Appears we may be calling random memory there. We have a couple of closed bugs that have this same signature, but one doesn't have a testcase and the other's testcase looks quite different.
Is this the same as bug 650874?
(In reply to comment #1)
> The stack I got does look pretty bad:
> bp-3694baee-d78b-49e3-9d0a-961f62110419
>
> Appears we may be calling random memory there.

No, ExecuteTree calls JITted code so the unknown address is expected there. It looks like a null deref to me, except with the caveat that I don't know if you can mislead the JIT into using some other non-null value there.

(In reply to comment #2)
> Is this the same as bug 650874?

Looks like it to me. The essential features of this and the minimized testcase there are the same.
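A small triage helper, added here as an example and not part of this bug or of any Mozilla tooling, that parses a WinDbg first-chance dump like the one in comment 0 and reports mechanically what comment 3 judges by eye: whether the faulting access is a near-null read (target address below the never-mapped lowest 64 KiB) and whether eip sits outside every loaded module, which is what a frame reached from ExecuteTree through JIT-generated code looks like. The first sample dump is the report's own register block and stack (source paths dropped, the "eip=" label restored); the second dump and its `example!Frame` symbol are constructed to show the contrasting "wild write" classification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows leaves the lowest 64 KiB of every process unmapped, so a fault below
# this line is the classic "NULL pointer plus small field offset" pattern.
NULL_PAGE_LIMIT = 0x10000

CODE_RE = re.compile(r"Access violation - code (?P<code>[0-9a-f]{8})")
EIP_RE = re.compile(r"\beip=(?P<eip>[0-9a-f]{8})")
# Faulting instruction as WinDbg prints it:
#   "02d9fee0 8b0504000000 mov eax,dword ptr ds:[4] ds:0023:00000004=????????"
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<insn>.+?)\s+"
    r"ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=(?P<value>\S+)$"
)
# One frame of the `k` output: ChildEBP, RetAddr, symbol (source path optional).
FRAME_RE = re.compile(r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+(?P<sym>\S+)")


@dataclass
class Triage:
    code: str                          # exception code (c0000005 = access violation)
    eip: int                           # address of the faulting instruction
    insn: str                          # disassembly of that instruction
    target: int                        # address the instruction tried to touch
    kind: str                          # "near-null"/"wild" + "read"/"write"
    eip_in_module: bool                # False when eip is in JIT or unknown memory
    first_module_frame: Optional[str]  # first frame WinDbg could symbolize
    frames: List[str]


def access_direction(insn: str) -> str:
    """'write' when the memory operand is the destination, otherwise 'read'."""
    _mnemonic, _, operands = insn.partition(" ")
    dst = operands.split(",")[0]
    return "write" if "[" in dst else "read"


def triage(dump: str) -> Triage:
    """Parse a first-chance AV dump (register block + `k` stack) into a Triage."""
    code = eip = insn = target = None
    frames: List[str] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := CODE_RE.search(line):
            code = m.group("code")
        elif m := EIP_RE.search(line):
            eip = int(m.group("eip"), 16)
        elif m := INSN_RE.match(line):
            insn, target = m.group("insn"), int(m.group("target"), 16)
        elif m := FRAME_RE.match(line):
            frames.append(m.group("sym"))
    if None in (code, eip, insn, target):
        raise ValueError("dump lacks the exception, eip or faulting-instruction line")
    region = "near-null" if target < NULL_PAGE_LIMIT else "wild"
    # WinDbg shows a bare "0x..." symbol when the frame IP is in no loaded module,
    # which is how JIT-generated code called from ExecuteTree appears.
    eip_in_module = bool(frames) and not frames[0].startswith("0x")
    first_module_frame = next((f for f in frames if "!" in f), None)
    return Triage(code, eip, insn, target, f"{region} {access_direction(insn)}",
                  eip_in_module, first_module_frame, frames)


# Register block and stack from the report above (source paths dropped).
REPORT_DUMP = r"""
(9a4.49c): Access violation - code c0000005 (first chance)
eax=053ac880 ebx=03dd5800 ecx=00000007 edx=004dc778 esi=00000000 edi=004dc4f0
eip=02d9fee0 esp=004dc4b0 ebp=004dc4e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
02d9fee0 8b0504000000 mov eax,dword ptr ds:[4] ds:0023:00000004=????????
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
004dc4e8 69d8ab51 0x2d9fee0
004de8b8 69d8b2d4 js3250!ExecuteTree+0x3c1
004de930 69d99a5f js3250!js_MonitorLoopEdge+0x3e4
004deb4c 69db48e5 js3250!js_Interpret+0x88f
004debd0 69dc7011 js3250!js_Execute+0x1a5
004debf8 5c8be432 js3250!JS_EvaluateUCScriptForPrincipals+0x61
004dec78 5c8c2c8d xul!gfxTextRun::GlyphRunIterator::NextRun+0x7282
004ded30 5c93579c xul!gfxTextRun::GlyphRunIterator::NextRun+0xbadd
004ded74 5c8c8374 xul!gfxSkipCharsIterator::gfxSkipCharsIterator+0x107d
004ded8c 5c838cbc xul!gfxWindowsFontGroup::MakeTextRun+0xe3
004deda8 6ba490c9 xul!NS_CycleCollectorSuspect2_P+0xebc
004dedc0 6ba49a1d MOZCRT19!expand+0x13c9
004dedcc 5c836503 MOZCRT19!malloc+0x3d
00000000 00000000 xul!gfxWindowsFontGroup::InitTextRunUniscribe+0x232
"""

# Constructed contrast case (not from any real crash): a store through a
# register holding an arbitrary high address, with eip inside a module.
CONSTRUCTED_DUMP = r"""
(1a2.3b4): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=deadbeef edx=41414141 esi=00000000 edi=00000000
eip=69d00010 esp=0012fe00 ebp=0012fe20 iopl=0 nv up ei pl zr na pe nc
69d00010 890a mov dword ptr [edx],ecx ds:0023:41414141=????????
0:000> k
ChildEBP RetAddr
0012fe20 69d000ff example!Frame+0x10
"""
```

Calling `triage(REPORT_DUMP)` yields kind "near-null read" with `eip_in_module` False and `first_module_frame` "js3250!ExecuteTree+0x3c1", which is exactly the reading in comment 3; the constructed dump yields "wild write" with eip inside a module, the case that would deserve a closer exploitability look. The classification is a first-pass heuristic: as comment 3 notes, a near-null target does not by itself prove the pointer cannot be steered elsewhere.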
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?] → [sg:dupe 650874]
Status: RESOLVED → VERIFIED
Group: core-security