Bug 691299 - (CVE-2011-3661) Crash at js::RegExp::executeInternal
Status: VERIFIED FIXED
Whiteboard: [sg:critical?][qa!]
Keywords: crash, testcase, verified-aurora, verified-beta
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 7 Branch
Platform: x86 All
Importance: -- normal
Target Milestone: mozilla11
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
QA Contact:
Mentors:
https://bugs.webkit.org/show_bug.cgi?...
Depends on:
Blocks:
Reported: 2011-10-03 05:30 PDT by Aki Helin
Modified: 2014-06-26 13:39 PDT
CC: 8 users
rforbes: sec-bounty+
choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Branch tracking/status flags: - wontfix; + fixed; + fixed; + fixed; unaffected


Attachments
regex.html (157 bytes, text/html), 2011-10-03 05:30 PDT, Aki Helin; no flags
Error check regexp quantifier in parser and alternative offset in emitter. (8.04 KB, patch), 2011-10-07 17:53 PDT, Chris Leary [:cdleary] (not checking bugmail); no flags
Error check regexp quantifier in parser and alternative offset in emitter. (8.06 KB, patch), 2011-10-21 14:03 PDT, Chris Leary [:cdleary] (not checking bugmail); dmandelin: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+

Description Aki Helin 2011-10-03 05:30:12 PDT
Created attachment 564162: regex.html

User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20110928060149

Steps to reproduce:

I stumbled into another regexp issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=653672. That one was fixed in Firefox 7.0, but this one remains in it and 8.0 beta. Filing as a security bug based on the high crash address and probability of there being a similar integer error.


Actual results:

Firefox 7.0 / Linux (64-bit Debian 6.0.2) -> https://crash-stats.mozilla.com/report/index/2b6d78d1-df97-4497-bbcc-b3fae2111003

Firefox 8.0 beta / ditto-> https://crash-stats.mozilla.com/report/index/bp-82827ac7-07c6-4f97-a697-5f1202111003


Expected results:

Firefox shouldn't have crashed and I should have caught this earlier.
Comment 1 Aki Helin 2011-10-03 05:36:18 PDT
Open the attached file to reproduce. Firefox usually appears to get stuck for a few seconds and then crashes. Some pages exhibit this crash instantly. I tried to make a small repro that crashes most of the time on different versions.

Firefox 8.0 on 32-bit Debian crashed with a slightly different signature [@ JSC::Yarr::execute ] -> https://crash-stats.mozilla.com/report/index/bp-180837cb-6a6f-440f-a900-b859c2111003
Comment 2 Marcia Knous [:marcia - use ni] 2011-10-03 12:52:31 PDT
Using Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0a1) Gecko/20111003 Firefox/10.0a1 I don't crash, but Nightly stops responding and I have to force quit.
Comment 3 Aki Helin 2011-10-04 07:46:05 PDT
Firefox 7.0.1 / Windows 7 -> https://crash-stats.mozilla.com/report/index/bbba3892-7e36-40d5-963e-93b422111004
Comment 5 Daniel Veditz [:dveditz] 2011-10-05 16:42:46 PDT
Haven't tested nightly yet, but have we updated YARR since Fx8?
Comment 6 Chris Leary [:cdleary] (not checking bugmail) 2011-10-07 17:53:50 PDT
Created attachment 565697 (patch): Error check regexp quantifier in parser and alternative offset in emitter.
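The patch title names two checks, one on the regexp quantifier in the parser and one on the alternative offset in the emitter, and the reporter suspects an integer error of the same family as bug 653672. The patch itself is not on this page, so what follows is an added illustration written for this rewrite, not Mozilla's or WebKit's YARR code, of the class of check involved: digits of a `{n,m}` quantifier accumulated into a fixed-width count, and that count later multiplied by a term size to compute an offset. The `QUANT_MAX_COUNT` limit, the function names, and the 32-bit field widths are assumptions; the failing inputs are constructed, not the attached test case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical engine limit on a single repeat count (assumption, not YARR's value). */
#define QUANT_MAX_COUNT 1000000u

typedef enum {
    QUANT_OK = 0,
    QUANT_SYNTAX,    /* not a well-formed {n}, {n,} or {n,m} */
    QUANT_OVERFLOW,  /* a bound exceeds QUANT_MAX_COUNT */
    QUANT_RANGE      /* min > max */
} QuantStatus;

typedef struct {
    uint32_t min;
    uint32_t max;    /* ignored when unbounded is set */
    bool unbounded;  /* {n,} form */
} Quantifier;

/* The unsafe pattern: digits accumulated into a fixed-width integer with no
 * bound, so "4294967296" (2^32) silently wraps to 0 in 32 bits. */
uint32_t parse_count_unchecked(const char *s, size_t len)
{
    uint32_t n = 0;
    for (size_t i = 0; i < len; i++)
        n = n * 10u + (uint32_t)(s[i] - '0');
    return n;
}

/* Checked accumulation: rejects the digits as soon as n*10+d would exceed the
 * limit. The test is written as n > (limit-d)/10 so it cannot overflow itself. */
static QuantStatus parse_count(const char *s, size_t len, uint32_t *out)
{
    if (len == 0)
        return QUANT_SYNTAX;
    uint32_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')
            return QUANT_SYNTAX;
        uint32_t d = (uint32_t)(s[i] - '0');
        if (n > (QUANT_MAX_COUNT - d) / 10u)
            return QUANT_OVERFLOW;
        n = n * 10u + d;
    }
    *out = n;
    return QUANT_OK;
}

/* Parse a quantifier of the form {n}, {n,} or {n,m}. */
QuantStatus parse_quantifier(const char *s, Quantifier *q)
{
    size_t len = strlen(s);
    if (len < 3 || s[0] != '{' || s[len - 1] != '}')
        return QUANT_SYNTAX;
    const char *body = s + 1;
    size_t body_len = len - 2;
    const char *comma = memchr(body, ',', body_len);
    size_t min_len = comma ? (size_t)(comma - body) : body_len;

    uint32_t lo = 0, hi = 0;
    QuantStatus st = parse_count(body, min_len, &lo);
    if (st != QUANT_OK)
        return st;

    bool unbounded = false;
    if (!comma) {
        hi = lo;                                          /* {n} */
    } else {
        size_t max_len = body_len - min_len - 1;
        if (max_len == 0) {
            unbounded = true;                             /* {n,} */
        } else {
            st = parse_count(comma + 1, max_len, &hi);    /* {n,m} */
            if (st != QUANT_OK)
                return st;
            if (hi < lo)
                return QUANT_RANGE;
        }
    }
    q->min = lo;
    q->max = hi;
    q->unbounded = unbounded;
    return QUANT_OK;
}

/* Emitter-side check (hypothetical): the byte size of a term repeated `count`
 * times must fit the 32-bit offset field that points at the next alternative. */
bool repeat_size_fits(uint32_t term_size, uint32_t count, uint32_t *total)
{
    if (count != 0 && term_size > UINT32_MAX / count)
        return false;
    *total = term_size * count;
    return true;
}

int main(void)
{
    Quantifier q;
    const char *inputs[] = { "{2,5}", "{3,}", "{4294967296}", "{5,2}", "{x}" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-14s -> status %d\n", inputs[i], (int)parse_quantifier(inputs[i], &q));
    printf("unchecked 4294967296 -> %u\n", parse_count_unchecked("4294967296", 10));
    return 0;
}
```

The point of the two checks together is that neither alone is enough: a parser that caps the count still leaves the emitter multiplying it by an arbitrary term size, and an emitter that checks its offset still has to be handed a count that was not already wrapped to something small by the parser.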
Comment 7 David Mandelin [:dmandelin] 2011-10-07 18:07:55 PDT
Can you report this to WebKit and attach that patch to see if they want to upstream it?
Comment 8 Chris Leary [:cdleary] (not checking bugmail) 2011-10-07 18:40:49 PDT
(In reply to David Mandelin from comment #7)
> Can you report this to WebKit and attach that patch to see if they want to
> upstream it?

Will do. I actually missed one shell test failure as well. Will post the link when I fix that and submit to their tracker.
Comment 9 Daniel Veditz [:dveditz] 2011-10-20 13:49:00 PDT
Can we get the webkit bug link added to this bug?
Comment 10 David Mandelin [:dmandelin] 2011-10-20 17:19:10 PDT
Comment on attachment 565697 (patch): Error check regexp quantifier in parser and alternative offset in emitter.

Review of attachment 565697:

Chris says the patch has a problem and needs refreshing.
Comment 11 Chris Leary [:cdleary] (not checking bugmail) 2011-10-21 14:03:59 PDT
Created attachment 568767 (patch): Error check regexp quantifier in parser and alternative offset in emitter.

Fixes the problem. Will post to webkit bug tracker now.
Comment 12 Johnny Stenback (:jst, jst@mozilla.com) 2011-10-27 13:23:29 PDT
Too late for 8 given the complexity of this patch.
Comment 13 David Mandelin [:dmandelin] 2011-11-01 17:39:45 PDT
Do we want this for 9?
Comment 14 Johnny Stenback (:jst, jst@mozilla.com) 2011-11-03 13:18:29 PDT
Yes please.
Comment 15 Johnny Stenback (:jst, jst@mozilla.com) 2011-11-17 13:27:37 PST
Chris, what's left here?
Comment 16 Chris Leary [:cdleary] (not checking bugmail) 2011-11-28 14:11:53 PST
Comment on attachment 568767 (patch): Error check regexp quantifier in parser and alternative offset in emitter.

No feedback from WebKit. Requesting approval for aurora / beta landing ASAP.
Comment 17 Alex Keybl [:akeybl] 2011-11-29 14:30:01 PST
Comment on attachment 568767 (patch): Error check regexp quantifier in parser and alternative offset in emitter.

[Triage Comment]
Please re-nominate for approval once this has landed on m-c.
Comment 18 Chris Leary [:cdleary] (not checking bugmail) 2011-11-29 15:43:26 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/bbda472dc34b
Comment 19 Chris Leary [:cdleary] (not checking bugmail) 2011-11-30 11:33:25 PST
https://hg.mozilla.org/mozilla-central/rev/bbda472dc34b

Re-nom coming per comment 17.
Comment 20 David Mandelin [:dmandelin] 2011-11-30 17:08:06 PST
Marking FIXED since this landed on m-c.
Comment 21 Alex Keybl [:akeybl] 2011-12-01 14:20:27 PST
Comment on attachment 568767 (patch): Error check regexp quantifier in parser and alternative offset in emitter.

[Triage Comment]
Let's take this on both aurora and beta - this is critical and we expect to find any regressions quickly (if there are any).
Comment 23 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-12-08 15:11:00 PST
Crash no longer reproducible with 2011-12-08 Nightly and Aurora, and Firefox 9.0b5.
Comment 24 Christian Holler (:decoder) 2013-01-14 08:24:33 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug691299-regexp.js.
Comment 25 Raymond Forbes[:rforbes] 2013-07-19 18:26:27 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719