Bug 718311 - instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
Status: VERIFIED FIXED
Whiteboard: [sg:dos]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: All
OS: All
Priority: --
Severity: critical
Target Milestone: mozilla12
Assigned To: Ben Turner (not reading bugmail, use the needinfo flag!)
Triage Owner: Andrew Overholt [:overholt]
URL: http://bugs.avd.io/firefox/worker-seg...
Blocks: new-web-workers
Reported: 2012-01-15 10:31 PST by Jussi Kalliokoski
Modified: 2012-03-23 13:31 PDT


Attachments
gdb stacktrace (not very helpful) (8.44 KB, text/plain) - 2012-01-15 10:31 PST, Jussi Kalliokoski - no flags
preserving Jussi's testcase (469 bytes, application/java-archive) - 2012-01-16 10:26 PST, Daniel Veditz [:dveditz] - no flags
Patch, v1 (7.62 KB, patch) - 2012-01-16 14:55 PST, Ben Turner (not reading bugmail, use the needinfo flag!) - no flags
Patch, v1 (7.62 KB, patch) - 2012-01-16 14:56 PST, Ben Turner (not reading bugmail, use the needinfo flag!) - no flags
Patch, v1 (659 bytes, patch) - 2012-01-16 15:00 PST, Ben Turner (not reading bugmail, use the needinfo flag!) - mrbkap: review+; akeybl: approval-mozilla-aurora+; akeybl: approval-mozilla-beta+

Description Jussi Kalliokoski 2012-01-15 10:31:58 PST
Created attachment 588752 [details]
gdb stacktrace (not very helpful)

I flagged this as a security issue, because you can make Firefox segfault via JS with this.

So beware, going to the page might just make the whole browser crash.

Go to http://bugs.avd.io/firefox/worker-segfault.html

I'm running Arch Linux, Aurora 11.02a, although this is reproducible on every instance of Firefox, on my laptop at least.

What it does is invoke a worker, source available here: http://bugs.avd.io/firefox/worker-segfault.js
Comment 1 David Humphrey (:humph) 2012-01-15 11:59:03 PST
Confirmed on nightly on Mac:

https://crash-stats.mozilla.com/report/index/bp-a25632ac-a02d-4563-aef6-1a23e2120115
Comment 2 Daniel Veditz [:dveditz] 2012-01-16 10:24:29 PST
I got a similar crash bp-402e7b35-e7cc-4f47-95cc-611062120116
Both crashes are on null or null+offset so it might not be exploitable, but can't entirely tell without more investigation (e.g. running in Valgrind/ASan, or finding the bug itself).

I happened to be testing 9.0.1 so this goes back a ways.
Comment 3 Daniel Veditz [:dveditz] 2012-01-16 10:26:08 PST
Created attachment 588928 [details]
preserving Jussi's testcase
Comment 4 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-01-16 14:55:10 PST
Created attachment 589032 [details] [diff] [review]
Patch, v1

Hm, dumb bug. I doubt this is exploitable because it's just sending a null pointer into the JS engine, but the fix is simple.
Comment 5 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-01-16 14:56:34 PST
Created attachment 589033 [details] [diff] [review]
Patch, v1

That was the wrong patch, sorry.
Comment 6 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-01-16 15:00:43 PST
Created attachment 589036 [details] [diff] [review]
Patch, v1

Ugh, third time is the charm.
Comment 7 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-01-17 19:31:31 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/04890cad686c
Comment 8 Ed Morley [:emorley] 2012-01-18 03:08:10 PST
https://hg.mozilla.org/mozilla-central/rev/04890cad686c
Comment 9 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-01-18 10:13:58 PST
Comment on attachment 589036 [details] [diff] [review]
Patch, v1

[Approval Request Comment]
Regression caused by (bug #): Bug 649537
User impact if declined: Crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None. This simply returns null instead of crashing.
Comment 10 Alex Keybl [:akeybl] 2012-01-19 16:07:04 PST
Comment on attachment 589036 [details] [diff] [review]
Patch, v1

[Triage Comment]
Given the low risk evaluation of this fix, and the security team's recommendation, let's take this on aurora/beta.
Comment 12 Al Billings [:abillings] 2012-01-23 15:45:26 PST
Verified fixed in 12 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0a1) Gecko/20120123 Firefox/12.0a1 after crashing in 9.0.1 on same machine with testcase.

Verified fixed in 11 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120120 Firefox/11.0a2.