Closed
Bug 684815
(CVE-2011-2998)
Opened 13 years ago
Closed 13 years ago
Crash in the SpiderMonkey v.1.9.2 (FF 3.6.21) during regular expression evaluation
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox6 | --- | unaffected |
| firefox7 | --- | unaffected |
| firefox8 | --- | unaffected |
| firefox9 | --- | unaffected |
| firefox10 | --- | unaffected |
| blocking1.9.2 | --- | .23+ |
| status1.9.2 | --- | .23-fixed |
People
(Reporter: mark.kaplan, Assigned: cdleary)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical] wanted-standalone-js)
Attachments
(2 files)
|
81.42 KB,
text/plain
|
Details | |
|
3.40 KB,
patch
|
dmandelin
:
review+
christian
:
approval1.9.2.23+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.854.0 Safari/535.2 Steps to reproduce: Originally I browsed to attached regx.htm file using FireFox 3.6.21 on Windows 7 x64 Actual results: Browser crashed with a crash stack like mozcrt19.dll!memcpy(unsigned char * dst, unsigned char * src, unsigned long count) Line 188 Asm js3250.dll!PushBackTrackState(REGlobalData * gData, REOp op, unsigned char * target, REMatchState * x, const unsigned short * cp, unsigned int parenIndex, unsigned int parenCount) Line 3477 + 0x17 bytes C++ js3250.dll!js_ExecuteRegExp(JSContext * cx, JSRegExp * re, JSString * str, unsigned int * indexp, int test, int * rval) Line 4897 + 0x8e bytes C++ js3250.dll!regexp_exec_sub(JSContext * cx, JSObject * obj, unsigned int argc, int * argv, int test, int * rval) Line 5716 + 0x3e bytes C++ js3250.dll!regexp_test(JSContext * cx, unsigned int argc, int * vp) Line 5741 + 0x71 bytes C++ js3250.dll!js_Interpret(JSContext * cx) Line 2208 + 0x1d bytes C++ mozcrt19.dll!arena_malloc_small(arena_s * arena, unsigned int size, int zero) Line 3737 C mozcrt19.dll!malloc(unsigned int size) Line 5790 + 0x2f bytes C js3250.dll!js_NewObjectWithGivenProto(JSContext * cx, JSClass * clasp, JSObject * proto, JSObject * parent, unsigned int objectSize) Line 2090 + 0x2d bytes C++ xul.dll!WrappedNative2WrapperMap::Add(WrappedNative2WrapperMap * head, JSObject * wrappedObject, JSObject * wrapper) Line 726 + 0x8 bytes C++ xul.dll!nsXPConnect::GetWrapperForObject(JSContext * aJSContext, JSObject * aObject, JSObject * aScope, nsIPrincipal * aPrincipal, unsigned int aFilenameFlags, int * _retval) Line 2478 + 0x96 bytes C++ xul.dll!XPC_WN_JSOp_ThisObject(JSContext * cx, JSObject * obj) Line 1471 C++ The same crash happened on Ubuntu Linux and on Debian Linux 5.0. The I took sources from http://hg.mozilla.org/releases/mozilla-1.9.2/, built SpiderMonkey 1.9.2 and its shell demonstrate the same crash when run on extracted from HTML file JavaScript: #0 0x00529caf in memcpy () from /lib/libc.so.6 #1 0x08119f01 in PushBackTrackState (gData=0xbf88a32c, op=REOP_EOL, target=0xb6d6451b ".\035\0030", x=0x9d28d50, cp=0x9d24310, parenIndex=0, parenCount=0) at ../jsregexp.cpp:3477 #2 0x0811a4a1 in ExecuteREBytecode (gData=0xbf88a32c, x=0x9d28d50) at ../jsregexp.cpp:4261 #3 0x0811fcdc in MatchRegExp (gData=0xbf88a32c, x=0x9d28d50) at ../jsregexp.cpp:4754 #4 0x0811fef7 in js_ExecuteRegExp (cx=0x9cfce18, re=0xb6d4d008, str=0x9d1a690, indexp=0xbf88a440, test=1, rval=0x9d244a8) at ../jsregexp.cpp:4883 #5 0x0812098e in regexp_exec_sub (cx=0x9cfce18, obj=0x9d1d0e0, argc=1, argv=0x9d244b0, test=1, rval=0x9d244a8) at ../jsregexp.cpp:5696 #6 0x08120a6e in regexp_test (cx=0x9cfce18, argc=1, vp=0x9d244a8) at ../jsregexp.cpp:5721 #7 0x081e39eb in js_Interpret (cx=0x9cfce18) at ../jsops.cpp:2208 #8 0x080c2cf6 in js_Execute (cx=0x9cfce18, chain=0x9d1d000, script=0x9d243b0, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:1601 #9 0x0805b1b3 in JS_ExecuteScript (cx=0x9cfce18, obj=0x9d1d000, script=0x9d243b0, rval=0x0) at ../jsapi.cpp:4964 #10 0x080530dc in Process (cx=0x9cfce18, obj=0x9d1d000, filename=0xbf88c7a1 "regexe.js", forceTTY=0) at ../../shell/js.cpp:442 #11 0x08053c7f in ProcessArgs (cx=0x9cfce18, obj=0x9d1d000, argv=0xbf88add8, argc=1) at ../../shell/js.cpp:849 #12 0x0805405f in main (argc=1, argv=0xbf88add8, envp=0xbf88ade0) at ../../shell/js.cpp:4853 (gdb) f 1 #1 0x08119f01 in PushBackTrackState (gData=0xbf88a32c, op=REOP_EOL, target=0xb6d6451b ".\035\0030", x=0x9d28d50, cp=0x9d24310, parenIndex=0, parenCount=0) at ../jsregexp.cpp:3477 3477 sizeof(REProgState) * result->saveStateStackTop); gdb) p/x result->saveStateStackTop $4 = 0xfffffcea (gdb) p sizeof(REProgState) $5 = 24 For the best of my understanding this crash is exploitable, because memcpy function overrides both stack and heap - it tries to copy ~24*4GB of memory due to the integer underflow of result->saveStateStackTop and data to be copied is under control of web page author - both regular expression and string to search in. Before this crash happens valgrind reports about number of related invalid write(s) and read(s). Expected results: No crash
|
Reporter | |
Comment 1•13 years ago
|
||
|
||
Updated•13 years ago
|
Assignee: general → cdleary
Whiteboard: [sg:critical]
|
|
||
Updated•13 years ago
|
blocking1.9.2: --- → ?
status1.9.2:
--- → wanted
status-firefox6:
--- → unaffected
status-firefox7:
--- → unaffected
status-firefox8:
--- → unaffected
status-firefox9:
--- → unaffected
Attachment #558437 -
Flags: review?(cdleary)
|
||
Updated•13 years ago
|
Attachment #558437 -
Flags: review?(cdleary) → review+
Comment on attachment 558437 [details] [diff] [review] Proposed patch file Approved for mozilla-1.9.2, please land asap.
Attachment #558437 -
Flags: approval1.9.2.23+
Landed: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/c7190956f970
Status: UNCONFIRMED → RESOLVED
blocking1.9.2: ? → .23+
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical] → [sg:critical] wanted-standalone-js
|
|
||
Updated•13 years ago
|
|
||
Updated•13 years ago
|
status-firefox10:
--- → unaffected
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•