instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]

VERIFIED FIXED in Firefox 10

Status

Product: Core
Component: DOM
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: Jussi Kalliokoski, Assigned: Ben Turner (not reading bugmail, use the needinfo flag!))

Tracking

Keywords: crash, regression, testcase
Version: unspecified
Target Milestone: mozilla12
Points: ---

Firefox Tracking Flags

(firefox9 affected, firefox10 fixed, firefox11 verified, firefox12 verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:dos], crash signature, URL)

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

6 years ago
Created attachment 588752 [details]
gdb stacktrace (not very helpful)

I flagged this as a security issue, because you can make Firefox segfault via JS with this.

So beware, going to the page might just make the whole browser crash.

Go to http://bugs.avd.io/firefox/worker-segfault.html

I'm running Arch Linux, Aurora 11.02a, although this is reproducible on every instance of Firefox, on my laptop at least.

What it does is invoke a worker, source available here: http://bugs.avd.io/firefox/worker-segfault.js
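A probe of the kind the title describes, added here as an example; it is neither the attached testcase (worker-segfault.js) nor Mozilla code. It applies `instanceof` to every own property of an object and records the outcome per property, so a regression run inside a worker exercises each global-scope attribute getter, `onerror` included, the way the reporter's page did. The helper names, the constructed `sampleScope` object and the choice of `Object` as the right-hand constructor are assumptions of this example. On a fixed build an unset `onerror` reads back as null and `null instanceof Object` is simply false; a native null-pointer dereference, which is what this bug was, takes the process down and cannot be caught by `try`/`catch`, so the probe is only a regression check, not a crash detector.

```javascript
// Added example, not the bug's attached testcase and not Mozilla code.
// probeInstanceof() applies `instanceof ctor` to every own property of
// `target` and records the outcome per property. Inside a Web Worker it is
// meant to be called as probeInstanceof(self, Object); the function is pure,
// so it also runs under Node against the constructed sample below.

function probeInstanceof(target, ctor) {
  const results = {};
  // getOwnPropertyNames also lists non-enumerable properties, which a
  // for...in loop would skip, so nothing on the scope is silently ignored.
  for (const name of Object.getOwnPropertyNames(target)) {
    try {
      const value = target[name];               // runs the attribute getter
      results[name] = {
        type: value === null ? "null" : typeof value,
        isInstance: value instanceof ctor,      // false for null, no throw
      };
    } catch (err) {
      // A getter that throws, or a right-hand side that is not callable,
      // is recorded here. A native null-pointer dereference (this bug)
      // crashes the whole process and never reaches this handler.
      results[name] = { error: String(err) };
    }
  }
  return results;
}

// Browser-only entry point: probe the worker global scope and send the
// report to the page that created the worker.
function probeWorkerScope() {
  if (typeof WorkerGlobalScope === "undefined") {
    throw new Error("probeWorkerScope() must run inside a Web Worker");
  }
  postMessage(probeInstanceof(self, Object));
}

// Constructed stand-in for a worker global scope (an assumption of this
// example): an event handler attribute that is unset (null, which is what
// the fixed getter returns), one that is set, and a getter that throws.
const sampleScope = Object.create(null, {
  onerror:   { value: null, enumerable: true },
  onmessage: { value: function onmessage() {}, enumerable: true },
  broken:    { get() { throw new TypeError("getter failed"); }, enumerable: false },
});

// Number of properties whose getter could not even be read.
function countErrors(results) {
  return Object.values(results).filter((r) => "error" in r).length;
}

if (typeof WorkerGlobalScope !== "undefined") {
  probeWorkerScope();
} else {
  console.log(JSON.stringify(probeInstanceof(sampleScope, Object), null, 2));
}
```

To use it against a real worker, load the block as the worker script and have the page's `worker.onmessage` handler print the posted report; on an affected build the reporter's crash would occur while the `onerror` getter runs, before any report is posted.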
(Reporter)

Updated

6 years ago
Component: General → DOM
Product: Firefox → Core

Confirmed on nightly on Mac:

https://crash-stats.mozilla.com/report/index/bp-a25632ac-a02d-4563-aef6-1a23e2120115
Keywords: crash
OS: Linux → All
Hardware: x86_64 → All
Summary: instanceof for worker properties segfaults → instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
Status: UNCONFIRMED → NEW
Ever confirmed: true

I got a similar crash: bp-402e7b35-e7cc-4f47-95cc-611062120116
Both crashes are on null or null+offset so it might not be exploitable, but can't entirely tell without more investigation (e.g. running in Valgrind/ASan, or finding the bug itself).

I happened to be testing 9.0.1 so this goes back a ways.
Crash Signature: [@ WorkerGlobalScope::GetOnErrorListener ] [@ js_GetReservedSlot ]
Keywords: testcase
Version: 11 Branch → unspecified

Created attachment 588928 [details]
preserving Jussi's testcase

Created attachment 589032 [details] [diff] [review]
Patch, v1

Hm, dumb bug. I doubt this is exploitable because it's just sending a null pointer into the JS engine, but the fix is simple.
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #589032 - Flags: review?(jonas)

Created attachment 589033 [details] [diff] [review]
Patch, v1

That was the wrong patch, sorry.
Attachment #589032 - Attachment is obsolete: true
Attachment #589032 - Flags: review?(jonas)
Attachment #589033 - Flags: review?(jonas)

Created attachment 589036 [details] [diff] [review]
Patch, v1

Ugh, third time is the charm.
Attachment #589033 - Attachment is obsolete: true
Attachment #589033 - Flags: review?(jonas)
Attachment #589036 - Flags: review?(jonas)

Updated

6 years ago
Attachment #589036 - Flags: review?(jonas) → review+

https://hg.mozilla.org/integration/mozilla-inbound/rev/04890cad686c

Comment 8

6 years ago
https://hg.mozilla.org/mozilla-central/rev/04890cad686c
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12

Comment on attachment 589036 [details] [diff] [review]
Patch, v1

[Approval Request Comment]
Regression caused by (bug #): Bug 649537
User impact if declined: Crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None. This simply returns null instead of crashing.
Attachment #589036 - Flags: approval-mozilla-beta?
Attachment #589036 - Flags: approval-mozilla-aurora?
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox12: --- → fixed
status-firefox9: --- → affected
tracking-firefox10: --- → ?
tracking-firefox11: --- → ?

Comment on attachment 589036 [details] [diff] [review]
Patch, v1

[Triage Comment]
Given the low risk evaluation of this fix, and the security team's recommendation, let's take this on aurora/beta.
Attachment #589036 - Flags: approval-mozilla-beta?
Attachment #589036 - Flags: approval-mozilla-beta+
Attachment #589036 - Flags: approval-mozilla-aurora?
Attachment #589036 - Flags: approval-mozilla-aurora+

https://hg.mozilla.org/releases/mozilla-aurora/rev/922795c904e8
https://hg.mozilla.org/releases/mozilla-beta/rev/a02b2c63e8d9
status-firefox10: affected → fixed
status-firefox11: affected → fixed
tracking-firefox10: ? → ---
tracking-firefox11: ? → ---
Blocks: 649537
status1.9.2: --- → unaffected
Keywords: regression
Whiteboard: [sg:dos]

Verified fixed in 12 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0a1) Gecko/20120123 Firefox/12.0a1 after crashing in 9.0.1 on same machine with testcase.

Verified fixed in 11 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120120 Firefox/11.0a2.
status-firefox11: fixed → verified
status-firefox12: fixed → verified
Status: RESOLVED → VERIFIED
Group: core-security