Bug 749620 - Invalid stack memory access in CompareLexicographicInt32
Status: RESOLVED FIXED (closed; opened 12 years ago, closed 12 years ago)
Category: Core :: JavaScript Engine, defect
Target Milestone: mozilla15
People: Reporter: decoder, Assigned: evilpie
Keywords: testcase; Whiteboard: [asan] js-triage-needed
Attachments (1 file): patch, 2.54 KB, luke: review+
Description • 12 years ago

The following test causes an invalid stack memory access on mozilla-central revision 83ef3c9a64b5 (run with no options):

var v = [ 0, 0x7fffffff ];
for (var i = 0; i < 10 ; ++i)
  for (var j = 0; j < v.length; ++j)
    [v[i], v[j]].sort()

The test is minimized from a jit-test failure I encountered during make check of asan builds. Here's the backtrace:

$ /srv/repos/browser/mozilla-central/objdir-ff-asan64dbg/js/src/js test.js 2>&1 | asan_symbolize.py | c++filt
=================================================================
==30819== ERROR: AddressSanitizer global-buffer-overflow on address 0x0000029b87e8 at pc 0x85aa3c bp 0x7fff849554f0 sp 0x7fff849554e8
READ of size 4 at 0x0000029b87e8 thread T0
    #0 0x85aa3c in CompareLexicographicInt32 /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2112
    #1 0x85800e in (anonymous namespace)::SortComparatorLexicographicInt32::operator()(JS::Value const&, JS::Value const&, bool*) /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2153
    #2 0x7efc1e in MergeSort /srv/repos/browser/mozilla-central/js/src/ds/Sort.h:133
    #3 0x7e7a84 in js::array_sort(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2335
    #4 0xeaae3d in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) /srv/repos/browser/mozilla-central/js/src/jscntxtinlines.h:314
    #5 0xea7e03 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:519
    #6 0xe54586 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:2757
    #7 0xe22792 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:475
    #8 0xeb2ff6 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:674
    #9 0xeb4fdd in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:715
    #10 0x6f67bc in JS_ExecuteScript /srv/repos/browser/mozilla-central/js/src/jsapi.cpp:5255
    #11 0x47ec48 in Process /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:478
    #12 0x46ee63 in ProcessArgs /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4696
    #13 0x46c3df in Shell(JSContext*, js::cli::OptionParser*, char**) /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4779
    #14 0x4711df in main /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4988
    #15 0x7fafa28e930d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x0000029b87e8 is located 0 bytes to the right of global variable '(anonymous namespace)::powersOf10 (/srv/repos/browser/mozilla-central/js/src/jsarray.cpp)' (0x29b87c0) of size 40
Shadow byte and word:
  0x1000005370fd: f9
  0x1000005370f8: 00 00 00 00 00 f9 f9 f9

Marking s-s until triaged and confirmed to be not exploitable in some way.
Comment 1 (Assignee) • 12 years ago
So somebody just forgot to handle the biggest difference, which is 0 to 0x7fffffff. v8 doesn't need to do this, for example, because they only handle SMIs with 31 bits. I doubt this is s-s, because in the worst case we sort some arrays in the wrong way. But I'd rather have somebody else check that.
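The digit-count comparison the description and comment 1 talk about, as an added example that is not SpiderMonkey's code: the powers-of-10 table index is bounds-checked before use, and the fast path is cross-checked against plain string comparison over the testcase's values, including the 0 against 0x7fffffff pair. All function and table names here are assumptions, not the engine's identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not SpiderMonkey's code: the digit-count scheme the bug
 * describes, with the table index bounds-checked and the result cross-checked
 * against plain string comparison. 10^0..10^9 cover the largest digit-count
 * gap two int32 values allow: one digit (0) against ten (0x7fffffff). */
static const uint64_t powersOf10[] = {
    1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000
};
#define NUM_POWERS (sizeof powersOf10 / sizeof powersOf10[0])

/* Decimal digit count; 0 counts as one digit because it prints as "0". */
static unsigned num_digits_base10(uint64_t n) {
    unsigned d;
    for (d = 1; n >= 10; n /= 10) d++;
    return d;
}

/* Order a and b as Array.prototype.sort() does without a comparator: by the
 * code units of their decimal strings. Returns -1, 0 or 1. */
int compare_lexicographic_int32(int32_t a, int32_t b) {
    if (a == b) return 0;
    if (a < 0 && b >= 0) return -1;   /* '-' sorts before every digit */
    if (a >= 0 && b < 0) return 1;
    /* Same sign: "-x" < "-y" exactly when "x" < "y", so compare magnitudes. */
    uint64_t ua = a < 0 ? (uint64_t)(-(int64_t)a) : (uint64_t)a;
    uint64_t ub = b < 0 ? (uint64_t)(-(int64_t)b) : (uint64_t)b;
    unsigned da = num_digits_base10(ua), db = num_digits_base10(ub);
    if (da == db) return ua < ub ? -1 : 1;
    unsigned diff = da > db ? da - db : db - da;
    if (diff >= NUM_POWERS) return ua < ub ? -1 : 1;  /* never read past the table */
    if (da > db)   /* a < b*10^diff: a's leading digits fall below b */
        return ua < ub * powersOf10[diff] ? -1 : 1;
    return ua * powersOf10[diff] <= ub ? -1 : 1;  /* a is a prefix of b or below it */
}

/* Reference comparator over the printed strings. */
int compare_by_string(int32_t a, int32_t b) {
    char sa[16], sb[16];
    snprintf(sa, sizeof sa, "%ld", (long)a);
    snprintf(sb, sizeof sb, "%ld", (long)b);
    int c = strcmp(sa, sb);
    return (c > 0) - (c < 0);
}

/* All pairs of the testcase's values plus constructed boundary values; returns
 * the number of disagreements with the reference (0 when the fast path is right). */
int count_mismatches(void) {
    static const int32_t v[] = { 0, 0x7fffffff, INT32_MIN, -1, -10, 9, 10, 99, 100, 12, 123, 120 };
    int bad = 0;
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++)
        for (size_t j = 0; j < sizeof v / sizeof v[0]; j++)
            bad += compare_lexicographic_int32(v[i], v[j]) != compare_by_string(v[i], v[j]);
    return bad;
}
```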
Comment 2 • 12 years ago
Comment on attachment 619337 [details] [diff] [review]
Add some required power of 10

Phew, thanks!

Attachment #619337 - Flags: review?(luke) → review+
Comment 3 (Assignee) • 12 years ago
Can somebody unhide this now? http://hg.mozilla.org/integration/mozilla-inbound/rev/d3cf8d638b05
Updated (Reporter) • 12 years ago
Group: core-security
Comment 4 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/d3cf8d638b05
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15