Bug 762936
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash on heap, trying to execute invalid address from [@ js::gc::Arena::finalize]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: decoder, Unassigned
Keywords: crash, sec-critical, testcase
Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 872 bytes, review+ from dvander
Description

The following testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager):

gcPreserveCode()
options("allow_xml");
function TestCase(n, d, e, a) {}
function reportCompare(expected, actual, description) { new TestCase }
var actual = '';
var expect = '';
for (var i = 0; i < 2; ++i) reportCompare(expect, actual, ': 2');
gczeal(2);
var summary = 'brian loves eval(s, o)';
isXMLName = 'locallocal';
eval("", {});
reportCompare(expect, actual, summary);
Comment 1 (Reporter) • 12 years ago
Crash info:

==11650== Jump to the invalid address stated on the next line
==11650==    at 0xFFF: ???
==11650==    by 0x811B088: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) (jsgc.cpp:303)
==11650==    by 0x8116DD1: void js::gc::FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:350)
==11650==    by 0x810B1CC: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:390)
==11650==    by 0x810DE34: js::gc::ArenaLists::finalizeNow(js::FreeOp*, js::gc::AllocKind) (jsgc.cpp:1495)
==11650==    by 0x810DF6D: js::gc::ArenaLists::finalizeObjects(js::FreeOp*) (jsgc.cpp:1598)
==11650==    by 0x8112A70: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3333)
==11650==    by 0x8114277: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3770)
==11650==    by 0x81146C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==11650==    by 0x811485B: js::GC(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3890)
==11650==    by 0x80D0979: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:319)
==11650==    by 0x8087AB0: JS_DestroyContext (jsapi.cpp:1182)
==11650==  Address 0xfff is not stack'd, malloc'd or (recently) free'd

The address I saw varied, it wasn't fixed to 0xfff, therefore s-s.
Comment 2 (Reporter) • 12 years ago
In fact, I just got another test where it jumps to 0xdadadada. That sounds very easy to exploit :(
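Comments 1 and 2 rest on a triage heuristic: a jump target that is not a fixed near-null constant, or that changes from run to run, means the program executed a value the input influenced. The helper below is an added example, not the bug's attachment and not SpiderMonkey code. It parses Valgrind's "Jump to the invalid address" report in the shape shown in comment 1 (constructed copies of the two reports are embedded, frames trimmed, with the second pid invented) and applies that heuristic across runs. The names parse_invalid_jump, classify_target and triage are this example's own.

```python
"""Triage helper for Valgrind "Jump to the invalid address" reports.
Added example for this bug, not code from the bug or from SpiderMonkey.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input modelled on the report in comment 1 (frames trimmed).
REPORT_A = """\
==11650== Jump to the invalid address stated on the next line
==11650==    at 0xFFF: ???
==11650==    by 0x811B088: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) (jsgc.cpp:303)
==11650==    by 0x8116DD1: void js::gc::FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:350)
==11650==  Address 0xfff is not stack'd, malloc'd or (recently) free'd
"""

# Constructed second run using the 0xdadadada target from comment 2; the pid is invented.
REPORT_B = """\
==11712== Jump to the invalid address stated on the next line
==11712==    at 0xDADADADA: ???
==11712==    by 0x811B088: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) (jsgc.cpp:303)
==11712==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd
"""

JUMP_RE = re.compile(r"^==(\d+)== Jump to the invalid address")
# "at"/"by" frame: pc, symbol (which may itself contain parentheses), optional file:line.
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x([0-9A-Fa-f]+):\s+(.*?)(?:\s+\(([^()]+:\d+)\))?$")


@dataclass
class Frame:
    pc: int
    func: str
    location: Optional[str]


@dataclass
class InvalidJump:
    pid: int
    target: int          # address Valgrind saw the program try to execute
    frames: List[Frame]  # callers, innermost first

    @property
    def caller(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None


def parse_invalid_jump(text: str) -> Optional[InvalidJump]:
    """Return the first invalid-jump report in a Valgrind log, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = JUMP_RE.match(line)
        if not m:
            continue
        frames: List[Frame] = []
        for frame_line in lines[i + 1:]:
            fm = FRAME_RE.match(frame_line)
            if not fm:
                break
            frames.append(Frame(int(fm.group(1), 16), fm.group(2), fm.group(3)))
        if not frames:
            return None
        # The "at" frame is the bogus target itself; the "by" frames are its callers.
        return InvalidJump(int(m.group(1)), frames[0].pc, frames[1:])
    return None


def classify_target(addr: int, width_bytes: int = 4) -> str:
    """Rough origin of a bogus jump target (32-bit process by default)."""
    if addr < 0x1000:
        return "near-null"          # small constant: NULL plus a field offset
    width_bytes = max(width_bytes, (addr.bit_length() + 7) // 8)
    if len(set(addr.to_bytes(width_bytes, "little"))) == 1:
        return "fill-pattern 0x%02x" % (addr & 0xFF)  # poisoned or freed memory
    return "arbitrary"              # a value the input plausibly controls


def triage(reports: List[str]) -> dict:
    """Apply the reporter's heuristic across several runs of one testcase:
    a target that varies between runs, or that is not a fixed near-null
    constant, is treated as attacker-influenced (security-sensitive)."""
    jumps = [j for j in (parse_invalid_jump(r) for r in reports) if j]
    targets = sorted({j.target for j in jumps})
    classes = sorted({classify_target(t) for t in targets})
    varies = len(targets) > 1
    caller = jumps[0].caller if jumps else None
    return {
        "targets": targets,
        "classes": classes,
        "varies": varies,
        "caller": caller.func.split("(")[0] if caller else None,
        "caller_location": caller.location if caller else None,
        "security_sensitive": bool(jumps) and (varies or classes != ["near-null"]),
    }
```

On REPORT_A alone the verdict is not yet security-sensitive, meaning only that nothing so far shows the target is controlled; adding the second run from comment 2 flips it, both because the target varies and because a repeated single byte such as 0xdadadada is the shape of a memory fill pattern rather than an address the program ever computed. The caller fields pull out the frame to start from (Arena::finalize at jsgc.cpp:303) without having to read the whole trace.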
Updated • 12 years ago
Keywords: sec-critical
Comment 3 • 12 years ago
After hours of debugging, I'm far too sober for this patch.
Attachment #632086 - Flags: review?(dvander)
Updated • 12 years ago
Attachment #632086 - Flags: review?(dvander) → review+
Comment 4 • 12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/3dc37e74fdf0
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 9 (Reporter) • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated (Reporter) • 12 years ago
Status: RESOLVED → VERIFIED
Comment 12 (Reporter) • 11 years ago
E4X has been removed, so we won't add the test.
Flags: in-testsuite-