Bug 691299 (CVE-2011-3661)

Crash at js::RegExp::executeInternal

VERIFIED FIXED in Firefox 9

Status

Core
JavaScript Engine
VERIFIED FIXED
6 years ago
3 years ago

People

(Reporter: Aki Helin, Assigned: cdleary)

Tracking

(4 keywords)

7 Branch
mozilla11
x86
All
crash, testcase, verified-aurora, verified-beta
Points:
---
Bug Flags:
sec-bounty +
in-testsuite +

Firefox Tracking Flags

(firefox8- wontfix, firefox9+ fixed, firefox10+ fixed, firefox11+ fixed, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical?][qa!], URL)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
Created attachment 564162 [details]
regex.html

User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20110928060149

Steps to reproduce:

I stumbled into another regexp issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=653672. That one was fixed in Firefox 7.0, but this one remains in it and 8.0 beta. Filing as a security bug based on the high crash address and probability of there being a similar integer error.


Actual results:

Firefox 7.0 / Linux (64-bit Debian 6.0.2) -> https://crash-stats.mozilla.com/report/index/2b6d78d1-df97-4497-bbcc-b3fae2111003

Firefox 8.0 beta / ditto -> https://crash-stats.mozilla.com/report/index/bp-82827ac7-07c6-4f97-a697-5f1202111003


Expected results:

Firefox shouldn't have crashed and I should have caught this earlier.
(Reporter)

Comment 1

6 years ago
Open the attached file to reproduce. Firefox usually appears to get stuck for a few seconds and then crashes. Some pages exhibit this crash instantly. I tried to make a small repro that crashes most of the time on different versions.

Firefox 8.0 on 32-bit Debian crashed with a slightly different signature [@ JSC::Yarr::execute ] -> https://crash-stats.mozilla.com/report/index/bp-180837cb-6a6f-440f-a900-b859c2111003
Using Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0a1) Gecko/20111003 Firefox/10.0a1 I don't crash, but Nightly stops responding and I have to force quit.
(Reporter)

Comment 3

6 years ago
Firefox 7.0.1 / Windows 7 -> https://crash-stats.mozilla.com/report/index/bbba3892-7e36-40d5-963e-93b422111004
OS: Linux → All
Haven't tested nightly yet, but have we updated YARR since Fx8?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical?]
status-firefox10: --- → affected
status-firefox8: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Created attachment 565697 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.
Assignee: nobody → cdleary
Status: NEW → ASSIGNED
Attachment #565697 - Flags: review?(dmandelin)
Assignee: cdleary → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Can you report this to WebKit and attach that patch to see if they want to upstream it?
(In reply to David Mandelin from comment #7)
> Can you report this to WebKit and attach that patch to see if they want to
> upstream it?

Will do. I actually missed one shell test failure as well. Will post the link when I fix that and submit to their tracker.

Updated

6 years ago
Assignee: general → cdleary
Can we get the webkit bug link added to this bug?
Keywords: crash, testcase
Comment on attachment 565697 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

Review of attachment 565697 [details] [diff] [review]:
-----------------------------------------------------------------

Chris says the patch has a problem and needs refreshing.
Attachment #565697 - Flags: review?(dmandelin)
Created attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

Fixes the problem. Will post to webkit bug tracker now.
Attachment #565697 - Attachment is obsolete: true
Too late for 8 given the complexity of this patch.
status-firefox8: affected → wontfix
tracking-firefox8: + → -
Do we want this for 9?
Yes please.
Chris, what's left here?
Comment on attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

No feedback from WebKit. Requesting approval for aurora / beta landing ASAP.
Attachment #568767 - Flags: review?(dmandelin)
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: review?(dmandelin) → review+
Comment on attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

[Triage Comment]
Please re-nominate for approval once this has landed on m-c.
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta-
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora-
https://hg.mozilla.org/integration/mozilla-inbound/rev/bbda472dc34b
Target Milestone: --- → mozilla11
https://hg.mozilla.org/mozilla-central/rev/bbda472dc34b

Re-nom coming per comment 17.
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta-
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora-
Marking FIXED since this landed on m-c.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
Comment on attachment 568767 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

[Triage Comment]
Let's take this on both aurora and beta - this is critical and we expect to find any regressions quickly (if there are any).
Attachment #568767 - Flags: approval-mozilla-beta?
Attachment #568767 - Flags: approval-mozilla-beta+
Attachment #568767 - Flags: approval-mozilla-aurora?
Attachment #568767 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/f2fb79b0d7d2
https://hg.mozilla.org/releases/mozilla-beta/rev/7709a40b7919
Attachment #564162 - Attachment mime type: text/plain → text/html
status1.9.2: --- → unaffected

Updated

6 years ago
status-firefox10: affected → fixed
status-firefox11: --- → fixed
status-firefox9: affected → fixed
tracking-firefox11: --- → +
Crash no longer reproducible with 2011-12-08 Nightly and Aurora, and Firefox 9.0b5.
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Alias: CVE-2011-3661
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug691299-regexp.js.
Flags: in-testsuite+
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+