Last Comment Bug 749620 - Invalid stack memory access in CompareLexicographicInt32
: Invalid stack memory access in CompareLexicographicInt32
[asan] js-triage-needed
: testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: mozilla15
Assigned To: Tom Schuster [:evilpie]
: Jason Orendorff [:jorendorff]
Depends on:
  Show dependency treegraph
Reported: 2012-04-27 07:42 PDT by Christian Holler (:decoder)
Modified: 2012-05-04 13:39 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Add some required power of 10 (2.54 KB, patch)
2012-04-28 13:35 PDT, Tom Schuster [:evilpie]
luke: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-04-27 07:42:09 PDT
The following test causes an invalid stack memory access on mozilla-central revision 83ef3c9a64b5 (run with no options):

var v = [ 0, 0x7fffffff ];
for (var i = 0; i < 10 ; ++i) 
  for (var j = 0; j < v.length; ++j) 
    [v[i], v[j]].sort()

The test is minimized from a jit-test failure I encountered during make check of asan builds. Here's the backtrace:

$ /srv/repos/browser/mozilla-central/objdir-ff-asan64dbg/js/src/js test.js 2>&1 | | c++filt 
==30819== ERROR: AddressSanitizer global-buffer-overflow on address 0x0000029b87e8 at pc 0x85aa3c bp 0x7fff849554f0 sp 0x7fff849554e8
READ of size 4 at 0x0000029b87e8 thread T0
    #0 0x85aa3c in CompareLexicographicInt32 /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2112
    #1 0x85800e in (anonymous namespace)::SortComparatorLexicographicInt32::operator()(JS::Value const&, JS::Value const&, bool*) /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2153
    #2 0x7efc1e in MergeSort /srv/repos/browser/mozilla-central/js/src/ds/Sort.h:133
    #3 0x7e7a84 in js::array_sort(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsarray.cpp:2335
    #4 0xeaae3d in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) /srv/repos/browser/mozilla-central/js/src/jscntxtinlines.h:314
    #5 0xea7e03 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:519
    #6 0xe54586 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:2757
    #7 0xe22792 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:475
    #8 0xeb2ff6 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:674
    #9 0xeb4fdd in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central/js/src/jsinterp.cpp:715
    #10 0x6f67bc in JS_ExecuteScript /srv/repos/browser/mozilla-central/js/src/jsapi.cpp:5255
    #11 0x47ec48 in Process /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:478
    #12 0x46ee63 in ProcessArgs /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4696
    #13 0x46c3df in Shell(JSContext*, js::cli::OptionParser*, char**) /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4779
    #14 0x4711df in main /srv/repos/browser/mozilla-central/js/src/shell/js.cpp:4988
    #15 0x7fafa28e930d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x0000029b87e8 is located 0 bytes to the right of global variable '(anonymous namespace)::powersOf10 (/srv/repos/browser/mozilla-central/js/src/jsarray.cpp)' (0x29b87c0) of size 40

Shadow byte and word:
  0x1000005370fd: f9
  0x1000005370f8: 00 00 00 00 00 f9 f9 f9

Marking s-s until triaged and confirmed to be not exploitable in some way.
Comment 1 User image Tom Schuster [:evilpie] 2012-04-28 13:35:49 PDT
Created attachment 619337 [details] [diff] [review]
Add some required power of 10

So somebody just forgot to handle the biggest difference, which is 0 to 0x7fffffff. v8 doesn't need to do this for example, because they only handle SMIs with 31 bit.

I doubt this is s-s, because in the worst case we sort some arrays in the wrong way. But I rather have somebody else check that.
Comment 2 User image Luke Wagner [:luke] 2012-04-28 16:00:11 PDT
Comment on attachment 619337 [details] [diff] [review]
Add some required power of 10

Phew, thanks!
Comment 3 User image Tom Schuster [:evilpie] 2012-05-04 07:11:11 PDT
Can somebody unhide this now?

Note You need to log in before you can comment on or make changes to this bug.