Closed Bug 718311 Opened 8 years ago Closed 8 years ago

instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]

Categories

(Core :: DOM: Core & HTML, defect, critical)


Tracking


VERIFIED FIXED
mozilla12
Tracking Status
firefox9 --- affected
firefox10 --- fixed
firefox11 --- verified
firefox12 --- verified
status1.9.2 --- unaffected

People

(Reporter: jussi.kalliokoski, Assigned: bent.mozilla)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos])

Attachments

(3 files, 2 obsolete files)

I flagged this as a security issue, because you can make Firefox segfault via JS with this.

So beware, going to the page might just make the whole browser crash.

Go to http://bugs.avd.io/firefox/worker-segfault.html

I'm running Arch Linux, Aurora 11.02a, although this is reproducible on every instance of Firefox, on my laptop at least.

What it does is invoke a worker, source available here: http://bugs.avd.io/firefox/worker-segfault.js
Component: General → DOM
Product: Firefox → Core
Summary: instanceof for worker properties segfaults → instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
Status: UNCONFIRMED → NEW
Ever confirmed: true
I got a similar crash: bp-402e7b35-e7cc-4f47-95cc-611062120116
Both crashes are on null or null+offset so it might not be exploitable, but can't entirely tell without more investigation (e.g. running in Valgrind/ASan, or finding the bug itself).

I happened to be testing 9.0.1 so this goes back a ways.
Crash Signature: [@ WorkerGlobalScope::GetOnErrorListener ] [@ js_GetReservedSlot ]
Keywords: testcase
Version: 11 Branch → unspecified
Attached patch Patch, v1 (obsolete) — Splinter Review
Hm, dumb bug. I doubt this is exploitable because it's just sending a null pointer into the JS engine, but the fix is simple.
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #589032 - Flags: review?(jonas)
Attached patch Patch, v1 (obsolete) — Splinter Review
That was the wrong patch, sorry.
Attachment #589032 - Attachment is obsolete: true
Attachment #589032 - Flags: review?(jonas)
Attachment #589033 - Flags: review?(jonas)
Attached patch Patch, v1 — Splinter Review
Ugh, third time is the charm.
Attachment #589033 - Attachment is obsolete: true
Attachment #589033 - Flags: review?(jonas)
Attachment #589036 - Flags: review?(jonas)
Attachment #589036 - Flags: review?(jonas) → review+
https://hg.mozilla.org/mozilla-central/rev/04890cad686c
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 589036 [details] [diff] [review]
Patch, v1

[Approval Request Comment]
Regression caused by (bug #): Bug 649537
User impact if declined: Crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None. This simply returns null instead of crashing.
Attachment #589036 - Flags: approval-mozilla-beta?
Attachment #589036 - Flags: approval-mozilla-aurora?
Comment on attachment 589036 [details] [diff] [review]
Patch, v1

[Triage Comment]
Given the low risk evaluation of this fix, and the security team's recommendation, let's take this on aurora/beta.
Attachment #589036 - Flags: approval-mozilla-beta?
Attachment #589036 - Flags: approval-mozilla-beta+
Attachment #589036 - Flags: approval-mozilla-aurora?
Attachment #589036 - Flags: approval-mozilla-aurora+
Keywords: regression
Whiteboard: [sg:dos]
Verified fixed in 12 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0a1) Gecko/20120123 Firefox/12.0a1 after crashing in 9.0.1 on same machine with testcase.

Verified fixed in 11 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120120 Firefox/11.0a2.
Status: RESOLVED → VERIFIED
Group: core-security
Component: DOM → DOM: Core & HTML