IonMonkey: Crash on heap, trying to execute invalid address from [@ js::gc::Arena::finalize]

VERIFIED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
--
major
VERIFIED FIXED
Reported:
5 years ago
Modified:
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, sec-critical, testcase})

Version:
Other Branch
x86
Linux
Keywords:
crash, sec-critical, testcase
Points:
---
Dependency tree / graph
Duplicates:
762907, 762923, 762984, 763112, 763121, 763440
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

fix
872 bytes, patch
dvander
: review+
Details | Diff | Splinter Review
(Reporter)

Description

5 years ago 
The following testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager):


gcPreserveCode()
options("allow_xml");
function TestCase(n, d, e, a) {}
function reportCompare(expected, actual, description) {
    new TestCase
}
var actual = '';
var expect = '';
for (var i = 0; i < 2; ++i)
  reportCompare(expect, actual, ': 2');
gczeal(2);
var summary = 'brian loves eval(s, o)';
isXMLName  = 'locallocal';
eval("", {});
reportCompare(expect, actual, summary);
(Reporter)

Comment 1

5 years ago 
Crash info:

==11650== Jump to the invalid address stated on the next line
==11650==    at 0xFFF: ???
==11650==    by 0x811B088: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) (jsgc.cpp:303)
==11650==    by 0x8116DD1: void js::gc::FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:350)
==11650==    by 0x810B1CC: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:390)
==11650==    by 0x810DE34: js::gc::ArenaLists::finalizeNow(js::FreeOp*, js::gc::AllocKind) (jsgc.cpp:1495)
==11650==    by 0x810DF6D: js::gc::ArenaLists::finalizeObjects(js::FreeOp*) (jsgc.cpp:1598)
==11650==    by 0x8112A70: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3333)
==11650==    by 0x8114277: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3770)
==11650==    by 0x81146C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==11650==    by 0x811485B: js::GC(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3890)
==11650==    by 0x80D0979: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:319)
==11650==    by 0x8087AB0: JS_DestroyContext (jsapi.cpp:1182)
==11650==  Address 0xfff is not stack'd, malloc'd or (recently) free'd


The address I saw varied, it wasn't fixed to 0xfff, therefore s-s.
(Reporter)

Comment 2

5 years ago 
In fact, I just got another test where it jumps to 0xdadadada. That sounds very easy to exploit :(
Keywords: sec-critical

Comment 3

5 years ago 
Created attachment 632086 [details] [diff] [review]
fix

After hours of debugging, I'm far too sober for this patch.
Attachment #632086 - Flags: review?(dvander)
Attachment #632086 - Flags: review?(dvander) → review+

Comment 4

5 years ago 
http://hg.mozilla.org/projects/ionmonkey/rev/3dc37e74fdf0
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
Duplicate of this bug: 763440

Updated

5 years ago
Duplicate of this bug: 762984

Updated

5 years ago
Duplicate of this bug: 762907

Updated

5 years ago
Duplicate of this bug: 762923
 (Reporter)

Comment 9

5 years ago 
JSBugMon: This bug has been automatically verified fixed.
 (Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED

Updated

5 years ago
Duplicate of this bug: 763112
Duplicate of this bug: 763121
 (Reporter)

Comment 12

4 years ago 
E4X has been removed, so we won't add the test.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.