Crash [@ malloc_consolidate] or Glibc abort with memory corruption, related to invalid access in JSScript::JITScriptHandle::setValid

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 5 keywords)

Version: Trunk
Platform: x86_64 Linux
Keywords: crash, csectype-uaf, regression, sec-critical, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox14+ unaffected, firefox15+ fixed, firefox16+ fixed, firefox-esr10- unaffected)

Details

(Whiteboard: js-triage-needed [advisory-tracking-], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 628313 [details]
Test case for shell (run with -n -m)

The attached test crashes on mozilla-central revision e8a025a7101b (options -m -n).


Valgrind on debug shows:

==17477== Invalid write of size 8
==17477==    at 0x707920: JSScript::JITScriptHandle::setValid(js::mjit::JITScript*) (jsscript.h:376)
==17477==    by 0x71D614: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:948)
==17477==    by 0x50E14C: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1555)
==17477==    by 0x508E18: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:266)
==17477==    by 0x509A89: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:466)
==17477==    by 0x509D08: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:508)
==17477==    by 0x448CB9: JS_ExecuteScript (jsapi.cpp:5335)
==17477==    by 0x4084CB: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:445)
==17477==    by 0x41376E: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4754)
==17477==    by 0x4139D1: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4837)
==17477==    by 0x414112: main (js.cpp:5041)
==17477==  Address 0x5f0b7f0 is 0 bytes inside a block of size 32 free'd
==17477==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==17477==    by 0x403BBE: js_free (Utility.h:169)
==17477==    by 0x403BF8: js::Foreground::free_(void*) (Utility.h:588)
==17477==    by 0x419945: JSRuntime::free_(void*) (jscntxt.h:834)
==17477==    by 0x426410: js::FreeOp::free_(void*) (jscntxt.h:1004)
==17477==    by 0x48DCDD: void js::FreeOp::delete_<JSScript::JITScriptSet>(JSScript::JITScriptSet*) (in /srv/repos/mozilla-central/js/src/debug64/shell/js)
==17477==    by 0x48A80E: JSScript::destroyJITInfo(js::FreeOp*) (jsscriptinlines.h:229)
==17477==    by 0x48A217: js::mjit::ReleaseScriptCode(js::FreeOp*, JSScript*) (MethodJIT.h:886)
==17477==    by 0x48C8BE: JSCompartment::discardJitCode(js::FreeOp*) (jscompartment.cpp:437)
==17477==    by 0x48CA60: JSCompartment::sweep(js::FreeOp*, bool) (jscompartment.cpp:470)
==17477==    by 0x4C5E19: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3260)
==17477==    by 0x4C75DE: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind) (jsgc.cpp:3706)

While GDB shows:

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
5161    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
#1  0x00007ffff6efe472 in _int_malloc (av=0x7ffff72141c0, bytes=28784) at malloc.c:4373
#2  0x00007ffff6f027b4 in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4065
#3  0x0000000000482634 in js_calloc (bytes=28784) at ./dist/include/js/Utility.h:158
#4  0x00000000004826c4 in js::OffTheBooks::calloc_ (bytes=28784) at ./dist/include/js/Utility.h:572
#5  0x000000000075a4a0 in js::mjit::FrameState::pushActiveFrame (this=0x7fffffff8b70, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/FrameState.cpp:65
#6  0x000000000071b03c in js::mjit::Compiler::pushActiveFrame (this=0x7fffffff8440, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:423
#7  0x000000000071b4f6 in js::mjit::Compiler::performCompilation (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:506
#8  0x000000000071a1e4 in js::mjit::Compiler::compile (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:112
#9  0x000000000071d760 in js::mjit::CanMethodJIT (cx=0xc08c20, script=0x7ffff6107790, pc=0xc1e32d "m", <incomplete sequence \326>, construct=false, request=js::mjit::CompileRequest_Interpreter)
    at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:975


In opt builds I've seen glibc aborts that are likely due to the same issue. Assuming s-s and sec-critical due to memory corruption.
(Assignee)

Comment 1

5 years ago
Created attachment 629551 [details] [diff] [review]
patch

The array of JITScripts now attached to scripts could be freed by a GC under MakeJITScript. We were already watching for the GC, just not at an early enough point. Regression from bug 758613, so only Fx 15 is affected.
Assignee: general → bhackett1024
Attachment #629551 - Flags: review?(dvander)
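The bug pattern described in comment 1, as an added illustration that is not code from this bug, from the patch, or from SpiderMonkey: a pointer into the script's heap-allocated JIT array is taken before a call that can run the GC, the GC discards that array, and the later "set valid" write lands in freed memory. The fixed ordering re-reads the array after the call that can GC and abandons the compile if it is gone. Every name here (`Script`, `JITSet`, `compile`, `make_jit_script_buggy`, `make_jit_script_fixed`) is invented for the model, and the model GC marks the set released instead of calling free(), so the stale write is counted rather than corrupting the heap.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the bug pattern (not SpiderMonkey code): a script owns a
 * heap-allocated set of JIT handles, any GC may discard that set, and the
 * compiler holds a pointer into it across a call that can run the GC. */

#define NJITS 4

typedef struct {
    void *code;
    bool  valid;
} JITHandle;

typedef struct {
    JITHandle handles[NJITS];
    bool released;    /* set by the model GC instead of free(), so a stale
                         write is counted rather than being heap corruption */
} JITSet;

typedef struct {
    JITSet *jits;     /* NULL once the GC has discarded the JIT info */
} Script;

static JITSet *released_sets[16];
static int nreleased;
static int stale_writes;          /* writes that hit a released JITSet */
static bool gc_inside_compile;    /* test knob: GC fires during compile() */
static char code_blob[16];        /* stands in for emitted machine code */

static void script_init(Script *s) {
    s->jits = calloc(1, sizeof *s->jits);
}

/* Models discarding a compartment's JIT code: the set is gone after this. */
static void gc_discard_jit_code(Script *s) {
    if (!s->jits) return;
    s->jits->released = true;
    if (nreleased < 16) released_sets[nreleased++] = s->jits;
    s->jits = NULL;
}

/* Models the compiler: its allocations may trigger a GC. */
static void *compile(Script *s) {
    if (gc_inside_compile) gc_discard_jit_code(s);
    return code_blob;
}

/* Models the handle's setValid: writes through a pointer into the set. */
static void handle_set_valid(JITSet *set, int idx, void *code) {
    if (set->released) { stale_writes++; return; }   /* real life: heap UAF */
    set->handles[idx].code = code;
    set->handles[idx].valid = true;
}

/* Buggy ordering: the set pointer is taken before compile() and used after. */
static bool make_jit_script_buggy(Script *s, int idx) {
    JITSet *set = s->jits;
    void *code = compile(s);
    if (!code) return false;
    handle_set_valid(set, idx, code);    /* set may have been freed by GC */
    return true;
}

/* Fixed ordering: re-read the set after the call that can GC; bail if gone. */
static bool make_jit_script_fixed(Script *s, int idx) {
    void *code = compile(s);
    if (!code) return false;
    JITSet *set = s->jits;
    if (!set) return false;              /* GC discarded the JIT info; retry later */
    handle_set_valid(set, idx, code);
    return true;
}

static void script_destroy(Script *s) {
    free(s->jits);
    s->jits = NULL;
    while (nreleased > 0) free(released_sets[--nreleased]);
}

/* Returns -1 if a stale write occurred, 1 if the handle was set, and 0 if
 * the compile was correctly abandoned because the GC ran. */
int run_scenario(bool use_fixed, bool gc_fires) {
    Script s;
    script_init(&s);
    stale_writes = 0;
    gc_inside_compile = gc_fires;
    bool ok = use_fixed ? make_jit_script_fixed(&s, 0)
                        : make_jit_script_buggy(&s, 0);
    script_destroy(&s);
    gc_inside_compile = false;
    if (stale_writes) return -1;
    return ok ? 1 : 0;
}

int main(void) {
    printf("buggy, GC during compile: %d\n", run_scenario(false, true));
    printf("fixed, GC during compile: %d\n", run_scenario(true, true));
    printf("fixed, no GC:             %d\n", run_scenario(true, false));
    return 0;
}
```

The point the model makes is the one in comment 1: checking for a GC is only useful if the check sits between the last call that can trigger one and the first use of the pointer; in the buggy ordering no check would help because the pointer is already stale by the time the write happens. Valgrind's "Address ... is 0 bytes inside a block of size 32 free'd" with the free stack ending in the GC sweep is exactly the shape such a bug produces.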
(Reporter)

Comment 2

5 years ago
Saw this in the fuzzer also crashing [@ js::ShapeTable::search], linking for crashstats.
Crash Signature: [@ malloc_consolidate] → [@ malloc_consolidate] [@ js::ShapeTable::search]
status-firefox15: --- → affected
Attachment #629551 - Flags: review?(dvander) → review+
Duplicate of this bug: 761396

Comment 4

5 years ago
https://hg.mozilla.org/mozilla-central/rev/0a4ce45a4d40
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 5

5 years ago
JSBugMon: This bug has been automatically verified fixed.
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
status-firefox-esr10: --- → affected
status-firefox14: --- → affected
status-firefox16: --- → fixed
tracking-firefox-esr10: --- → 14+
tracking-firefox14: --- → +
tracking-firefox15: --- → +
tracking-firefox16: --- → +
(Assignee)

Updated

5 years ago
status-firefox-esr10: affected → unaffected
status-firefox14: affected → unaffected
(Assignee)

Comment 6

5 years ago
Comment on attachment 629551 [details] [diff] [review]
patch

It looks like this just missed the last cutoff; it needs Aurora uplift but doesn't affect Beta.
Attachment #629551 - Flags: approval-mozilla-aurora?

Updated

5 years ago
tracking-firefox-esr10: 14+ → -

Updated

5 years ago
Attachment #629551 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 7

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/90c5403757a7

Updated

5 years ago
status-firefox15: affected → fixed
Whiteboard: js-triage-needed → js-triage-needed [advisory-tracking-]
Group: core-security
Blocks: 758613
Keywords: csec-uaf, regression
(Reporter)

Comment 8

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+