Closed Bug 718311 Opened 8 years ago Closed 8 years ago
instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
I flagged this as a security issue, because you can make Firefox segfault via JS with this. So beware, going to the page might just make the whole browser crash. Go to http://bugs.avd.io/firefox/worker-segfault.html I'm running Arch Linux, Aurora 11.02a, although this is reproducible on every instance of Firefox, on my laptop at least. What it does is invoke a worker, source available here: http://bugs.avd.io/firefox/worker-segfault.js
Confirmed on nightly on Mac: https://crash-stats.mozilla.com/report/index/bp-a25632ac-a02d-4563-aef6-1a23e2120115
Summary: instanceof for worker properties segfaults → instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
I got a similar crash bp-402e7b35-e7cc-4f47-95cc-611062120116 Both crashes are on null or null+offset so it might not be exploitable, but can't entirely tell without more investigation (e.g. running in Valgrind/ASan, or finding the bug itself). I happened to be testing 9.0.1 so this goes back a ways.
Crash Signature: [@ WorkerGlobalScope::GetOnErrorListener ] [@ js_GetReservedSlot ]
Version: 11 Branch → unspecified
Hm, dumb bug. I doubt this is exploitable because it's just sending a null pointer into the JS engine, but the fix is simple.
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #589032 - Flags: review?(jonas)
That was the wrong patch, sorry.
Ugh, third time is the charm.
Attachment #589036 - Flags: review?(jonas) → review+
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 589036, Patch, v1
[Approval Request Comment]
Regression caused by (bug #): Bug 649537
User impact if declined: Crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None. This simply returns null instead of crashing.
Comment on attachment 589036, Patch, v1
[Triage Comment]
Given the low risk evaluation of this fix, and the security team's recommendation, let's take this on aurora/beta.
Verified fixed in 12 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0a1) Gecko/20120123 Firefox/12.0a1 after crashing in 9.0.1 on same machine with testcase. Verified fixed in 11 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120120 Firefox/11.0a2.