Last Comment Bug 684815 - (CVE-2011-2998) Crash in the SpiderMonkey v.1.9.2 (FF 3.6.21) during regular expression evaluation
(CVE-2011-2998)
: Crash in the SpiderMonkey v.1.9.2 (FF 3.6.21) during regular expression evalu...
Status: RESOLVED FIXED
[sg:critical] wanted-standalone-js
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: 1.9.2 Branch
: x86_64 Windows 7
: -- normal (vote)
: ---
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-09-06 03:35 PDT by Mark Kaplan
Modified: 2014-06-26 13:05 PDT (History)
8 users (show)
rforbes: sec‑bounty+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
unaffected
unaffected
unaffected
unaffected
.23+
.23-fixed


Attachments
regx.htm (81.42 KB, text/plain)
2011-09-06 03:35 PDT, Mark Kaplan
no flags Details
Proposed patch file (3.40 KB, patch)
2011-09-06 03:38 PDT, Mark Kaplan
dmandelin: review+
christian: approval1.9.2.23+
Details | Diff | Review

Description Mark Kaplan 2011-09-06 03:35:29 PDT
Created attachment 558436 [details]
regx.htm

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.854.0 Safari/535.2

Steps to reproduce:

Originally I browsed to attached regx.htm file using FireFox 3.6.21 on Windows 7 x64


Actual results:

Browser crashed with a crash stack like

 	mozcrt19.dll!memcpy(unsigned char * dst, unsigned char * src, unsigned long count)  Line 188	Asm
	js3250.dll!PushBackTrackState(REGlobalData * gData, REOp op, unsigned char * target, REMatchState * x, const unsigned short * cp, unsigned int parenIndex, unsigned int parenCount)  Line 3477 + 0x17 bytes	C++
 	js3250.dll!js_ExecuteRegExp(JSContext * cx, JSRegExp * re, JSString * str, unsigned int * indexp, int test, int * rval)  Line 4897 + 0x8e bytes	C++
 	js3250.dll!regexp_exec_sub(JSContext * cx, JSObject * obj, unsigned int argc, int * argv, int test, int * rval)  Line 5716 + 0x3e bytes	C++
 	js3250.dll!regexp_test(JSContext * cx, unsigned int argc, int * vp)  Line 5741 + 0x71 bytes	C++
 	js3250.dll!js_Interpret(JSContext * cx)  Line 2208 + 0x1d bytes	C++
 	mozcrt19.dll!arena_malloc_small(arena_s * arena, unsigned int size, int zero)  Line 3737	C
 	mozcrt19.dll!malloc(unsigned int size)  Line 5790 + 0x2f bytes	C
 	js3250.dll!js_NewObjectWithGivenProto(JSContext * cx, JSClass * clasp, JSObject * proto, JSObject * parent, unsigned int objectSize)  Line 2090 + 0x2d bytes	C++
 	xul.dll!WrappedNative2WrapperMap::Add(WrappedNative2WrapperMap * head, JSObject * wrappedObject, JSObject * wrapper)  Line 726 + 0x8 bytes	C++
 	xul.dll!nsXPConnect::GetWrapperForObject(JSContext * aJSContext, JSObject * aObject, JSObject * aScope, nsIPrincipal * aPrincipal, unsigned int aFilenameFlags, int * _retval)  Line 2478 + 0x96 bytes	C++
 	xul.dll!XPC_WN_JSOp_ThisObject(JSContext * cx, JSObject * obj)  Line 1471	C++

The same crash happened on Ubuntu Linux and on Debian Linux 5.0. The I took sources from http://hg.mozilla.org/releases/mozilla-1.9.2/, built SpiderMonkey 1.9.2 and its shell demonstrate the same crash when run on extracted from HTML file JavaScript:

#0  0x00529caf in memcpy () from /lib/libc.so.6
#1  0x08119f01 in PushBackTrackState (gData=0xbf88a32c, op=REOP_EOL, target=0xb6d6451b ".\035\0030", 
    x=0x9d28d50, cp=0x9d24310, parenIndex=0, parenCount=0) at ../jsregexp.cpp:3477
#2  0x0811a4a1 in ExecuteREBytecode (gData=0xbf88a32c, x=0x9d28d50) at ../jsregexp.cpp:4261
#3  0x0811fcdc in MatchRegExp (gData=0xbf88a32c, x=0x9d28d50) at ../jsregexp.cpp:4754
#4  0x0811fef7 in js_ExecuteRegExp (cx=0x9cfce18, re=0xb6d4d008, str=0x9d1a690, indexp=0xbf88a440, test=1, 
    rval=0x9d244a8) at ../jsregexp.cpp:4883
#5  0x0812098e in regexp_exec_sub (cx=0x9cfce18, obj=0x9d1d0e0, argc=1, argv=0x9d244b0, test=1, rval=0x9d244a8)
    at ../jsregexp.cpp:5696
#6  0x08120a6e in regexp_test (cx=0x9cfce18, argc=1, vp=0x9d244a8) at ../jsregexp.cpp:5721
#7  0x081e39eb in js_Interpret (cx=0x9cfce18) at ../jsops.cpp:2208
#8  0x080c2cf6 in js_Execute (cx=0x9cfce18, chain=0x9d1d000, script=0x9d243b0, down=0x0, flags=0, result=0x0)
    at ../jsinterp.cpp:1601
#9  0x0805b1b3 in JS_ExecuteScript (cx=0x9cfce18, obj=0x9d1d000, script=0x9d243b0, rval=0x0) at ../jsapi.cpp:4964
#10 0x080530dc in Process (cx=0x9cfce18, obj=0x9d1d000, filename=0xbf88c7a1 "regexe.js", forceTTY=0)
    at ../../shell/js.cpp:442
#11 0x08053c7f in ProcessArgs (cx=0x9cfce18, obj=0x9d1d000, argv=0xbf88add8, argc=1) at ../../shell/js.cpp:849
#12 0x0805405f in main (argc=1, argv=0xbf88add8, envp=0xbf88ade0) at ../../shell/js.cpp:4853


(gdb) f 1
#1  0x08119f01 in PushBackTrackState (gData=0xbf88a32c, op=REOP_EOL, target=0xb6d6451b ".\035\0030", 
    x=0x9d28d50, cp=0x9d24310, parenIndex=0, parenCount=0) at ../jsregexp.cpp:3477
3477               sizeof(REProgState) * result->saveStateStackTop);
gdb) p/x result->saveStateStackTop
$4 = 0xfffffcea
(gdb) p sizeof(REProgState)
$5 = 24

For the best of my understanding this crash is exploitable, because memcpy function overrides both stack and heap - it tries to copy ~24*4GB of memory due to the integer underflow of result->saveStateStackTop and data to be copied is under control of web page author - both regular expression and string to search in. Before this crash happens valgrind reports about number of related invalid write(s) and read(s).



Expected results:

No crash
Comment 1 Mark Kaplan 2011-09-06 03:38:55 PDT
Created attachment 558437 [details] [diff] [review]
Proposed patch file
Comment 2 christian 2011-09-14 16:51:43 PDT
Comment on attachment 558437 [details] [diff] [review]
Proposed patch file

Approved for mozilla-1.9.2, please land asap.
Comment 5 Raymond Forbes[:rforbes] 2013-07-19 18:22:23 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719

Note You need to log in before you can comment on or make changes to this bug.