Segmentation fault at js_EmitTree in jsemit.cpp

Status: RESOLVED WORKSFORME
Priority: --
Severity: critical
Reported: 7 years ago; last updated: 4 years ago
Reporter: attekett (Unassigned)
Version: 7 Branch
Platform: x86_64 Linux
Bug Flags: sec-bounty -
Firefox Tracking Flags: (Not tracked)
Attachments: 1

Description (Reporter, 7 years ago)

Created attachment 555995 [details]
repro file

Tested on Firefox 7.0~b1 on Ubuntu x86_64:
Opening the attached file causes a segmentation fault in jsemit.cpp (from gdb). You need to have sun-java6-plugin installed to reproduce the crash. (Valgrind shows invalid writes from the Java plugin.) Removing a few of the "= a" pairs will prevent the crash.

Valgrind:

==25050== Process terminating with default action of signal 11 (SIGSEGV)
==25050==  Access not within mapped region at address 0x7FEF02A40
==25050==    at 0x8B2F549: js_EmitTree (jsemit.cpp:7062)

GDB:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff47f7549 in js_EmitTree (cx=0x7fffd8138800, cg=0x7fffffffa0b0, pn=0x7fffd169dbf0)
    at /build/buildd/firefox-7.0~b1+build1+nobinonly/build-tree/mozilla/js/src/jsemit.cpp:7062

Updated (7 years ago): Attachment #555995 - Attachment mime type: text/plain → text/html
ugh, shouldn't have missed this, sounds like it could have been a sec-critical bug. May not happen anymore though, the JS engine has gone through a lot of changes since then.
Group: core-security
Component: General → General
Product: Firefox → Core
Sounds plugin-related.

It looks like js_EmitTree is now EmitTree in js/src/frontend/BytecodeEmitter.cpp
sun-java6-plugin is long gone from Ubuntu.
No repro with Oracle's Java 7 and Fx19/trunk on Ubuntu.
Virgil, could you possibly test through a few more (Oracle) Java 6/7 versions to see if this still reproduces?
Testing on Fx19 would probably be sufficient.
Flags: needinfo?(virgil.dicu)
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Verified with Firefox 19.
Disabled blocklisting to avoid CTP. No crash while loading the repro file with following java versions:
java 7u5
java 7u10
java 6u39

Firefox hung when I activated the plugin via CTP with the Java 6 version, however. Nothing special apart from that.
Flags: needinfo?(virgil.dicu)
Thanks Virgil.

dveditz, given that this is not reproducible in current versions - does this need any further action?
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME