Closed Bug 691299 (CVE-2011-3661) Opened 13 years ago Closed 13 years ago

Crash at js::RegExp::executeInternal

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
7 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla11
Tracking Flags:
Tracking Status
firefox8 - wontfix
firefox9 + fixed
firefox10 + fixed
firefox11 + fixed
status1.9.2 --- unaffected

People

(Reporter: aki.helin, Assigned: cdleary)

References

(
URL
)

Details

(5 keywords, Whiteboard: [sg:critical?][qa!])

Attachments

(2 files, 1 obsolete file)

regex.html
157 bytes, text/html
Details
Error check regexp quantifier in parser and alternative offset in emitter.
8.06 KB, patch
dmandelin
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file regex.html
User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0 Build ID: 20110928060149 Steps to reproduce: I stumbled into another regexp issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=653672. That one was fixed in Firefox 7.0, but this one remains in it and 8.0 beta. Filing as a security bug based on the high crash address and probability of there being a similar integer error. Actual results: Firefox 7.0 / Linux (64-bit Debian 6.0.2) -> https://crash-stats.mozilla.com/report/index/2b6d78d1-df97-4497-bbcc-b3fae2111003 Firefox 8.0 beta / ditto-> https://crash-stats.mozilla.com/report/index/bp-82827ac7-07c6-4f97-a697-5f1202111003 Expected results: Firefox shouldn't have crashed and I should have caught this earlier.
Open the attached file to reproduce. Firefox usually appears to get stuck for a few seconds and then crashes. Some pages exhibiting this crash instantly. I tried to make a small repro that crashes most of the time on different versions. Firefox 8.0 on 32-bit Debian crashed with a slightly different signature [@ JSC::Yarr::execute ] -> https://crash-stats.mozilla.com/report/index/bp-180837cb-6a6f-440f-a900-b859c2111003
Using Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0a1) Gecko/20111003 Firefox/10.0a1 I don't crash, but Nightly stops responding and I have to force quit.
Firefox 7.0.1 / Windows 7 -> https://crash-stats.mozilla.com/report/index/bbba3892-7e36-40d5-963e-93b422111004
OS: Linux → All
Haven't tested nightly yet, but have we updated YARR since Fx8?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical?]
Assignee: nobody → cdleary
Status: NEW → ASSIGNED
Attachment #565697 - Flags: review?(dmandelin)
Assignee: cdleary → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Can you report this to WebKit and attach that patch to see if they want to upstream it?
(In reply to David Mandelin from comment #7) > Can you report this to WebKit and attach that patch to see if they want to > upstream it? Will do. I actually missed one shell test failure as well. Will post the link when I fix that and submit to their tracker.
Assignee: general → cdleary
Can we get the webkit bug link added to this bug?
Keywords: crash, testcase
Comment on attachment 565697 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. Review of attachment 565697 [details] [diff] [review]: ----------------------------------------------------------------- Chris says the patch has a problem and needs refreshing.
Attachment #565697 - Flags: review?(dmandelin)
Fixes the problem. Will post to webkit bug tracker now.
Attachment #565697 - Attachment is obsolete: true
Too late for 8 given the complexity of this patch.
status-firefox8: affectedwontfix
tracking-firefox8: +-
Do we want this for 9?
Yes please.
Chris, what's left here?
Comment on attachment 568767 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. No feedback from WebKit. Requesting approval for aurora / beta landing ASAP.
Attachment #568767 - Flags: review?(dmandelin)
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: review?(dmandelin) → review+
Comment on attachment 568767 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. [Triage Comment] Please re-nominate for approval once this has landed on m-c.
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta-
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora-
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta-
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora-
Marking FIXED since this landed on m-c.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
Comment on attachment 568767 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. [Triage Comment] Let's take this on both aurora and beta - this is critical and we expect to find any regressions quickly (if there are any).
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta+
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora+
Attachment #564162 - Attachment mime type: text/plain → text/html
Crash no longer reproducible with 2011-12-08 Nightly and Aurora, and Firefox 9.0b5.
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Alias: CVE-2011-3661
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug691299-regexp.js.
Flags: in-testsuite+
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: