IonMonkey: Crash [@ JSScript::hasAnalysis] with use-after-free

RESOLVED FIXED

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Reported: 5 years ago
Modified: 3 months ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {crash, csectype-uaf, testcase})

Version: Other Branch
Platform: x86 Linux
Keywords: crash, csectype-uaf, testcase
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details

(Whiteboard: [jsbugmon:update][fuzzblocker], crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
The following testcase crashes on ionmonkey revision 80a4e5dfeaaf (run with --ion -n -m --ion-eager):


new ({});
(Reporter)

Comment 1

5 years ago
Crash trace:


==12410== Invalid read of size 4
==12410==    at 0x8122466: JSScript::hasAnalysis() (jsinferinlines.h:1470)
==12410==    by 0x849EA30: js::ion::ShouldMonitorReturnType(JSFunction*) (VMFunctions.cpp:60)
==12410==    by 0x849EB22: js::ion::InvokeConstructorFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:93)
==12410==    by 0x78B534C: ???
==12410==    by 0x840C2CA: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1112)
==12410==    by 0x840C53C: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1143)
==12410==    by 0x814C794: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:263)
==12410==    by 0x814D3CC: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==12410==    by 0x814D60A: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==12410==    by 0x808F4F1: JS_ExecuteScript (jsapi.cpp:5370)
==12410==    by 0x804FB01: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:440)
==12410==    by 0x805AB43: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4832)
==12410==  Address 0xdadadb02 is not stack'd, malloc'd or (recently) free'd


Jandem says this was caused by bug 766011.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
(Assignee)

Comment 2

5 years ago
Created attachment 636693 [details] [diff] [review]
Patch

Taking this fuzz blocker, we need to check if the callee is a function.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #636693 - Flags: review?(dvander)
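The one-line diagnosis in comment 2 is the whole fix, but the patch itself is not reproduced on this page. The example below is added here and is not Mozilla's code: it models, with hypothetical types, what happens when a helper typed to take a JSFunction* (a stand-in for ShouldMonitorReturnType) is handed a plain object such as the `{}` in `new ({})`, and what a callee-is-a-function check changes. Every name in it (ObjKind, Script, Object, kPoison, invokeConstructorChecked and the scenario functions) is invented for the illustration, and the 0xDA fill is only a model of the poison-looking bytes in the faulting address 0xdadadb02.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>

// Hypothetical model of the failure mode in this bug (added example, not
// SpiderMonkey code): a VM helper typed to take a function is handed a
// callee that is only an object, so the bytes it reads as a script pointer
// are whatever happens to live in that object's first slot.

enum class ObjKind : uint8_t { Plain, Function };

// The only thing the helper wants from a script: the flag that
// JSScript::hasAnalysis() reports in the real engine.
struct Script {
    bool hasAnalysis;
};

// Every heap object starts with a kind tag; the rest of the cell is
// kind-specific. A Function keeps its Script* in `slot`, a Plain object keeps
// a property value there.
struct Object {
    ObjKind kind;
    uint64_t slot;
};

// Modelled free-memory poison (byte 0xDA), chosen to resemble the report's
// faulting address 0xdadadb02. Assumption for the illustration only.
constexpr uint64_t kPoison = 0xDADADADADADADADAull;

inline Object makeFunction(Script *script) {
    Object o{ObjKind::Function, 0};
    std::memcpy(&o.slot, &script, sizeof(script));
    return o;
}

inline Object makePlainObject() {
    return Object{ObjKind::Plain, kPoison};
}

inline bool shouldMonitorReturnType(const Script *script) {
    return !script->hasAnalysis;
}

// Buggy shape: trusts the caller and hands back the pointer it is about to
// dereference. Returned as an integer so the bad read is observable rather
// than performed.
inline uint64_t uncheckedScriptPtr(const Object *callee) {
    return callee->slot;
}

// Fixed shape: refuse anything that is not a function before treating it as
// one, which is the check comment 2 says the patch adds.
inline bool invokeConstructorChecked(const Object *callee) {
    if (callee->kind != ObjKind::Function)
        throw std::invalid_argument("TypeError: callee is not a constructor");
    Script *script = nullptr;
    std::memcpy(&script, &callee->slot, sizeof(script));
    return shouldMonitorReturnType(script);
}

// Scenario 1: a real function with no analysis yet is monitored normally.
inline bool functionCalleeIsMonitored() {
    Script s{false};
    Object f = makeFunction(&s);
    return invokeConstructorChecked(&f);
}

// Scenario 2: the testcase `new ({})`; unchecked, the helper would follow the
// poison value as a Script*.
inline uint64_t plainCalleeUncheckedPointer() {
    Object o = makePlainObject();
    return uncheckedScriptPtr(&o);
}

// Scenario 3: the same callee on the checked path is rejected before any read.
inline bool plainCalleeIsRejected() {
    Object o = makePlainObject();
    try {
        invokeConstructorChecked(&o);
    } catch (const std::invalid_argument &) {
        return true;
    }
    return false;
}

int main() {
    std::cout << "function callee monitored: " << functionCalleeIsMonitored() << '\n'
              << "plain callee would deref: 0x" << std::hex
              << plainCalleeUncheckedPointer() << std::dec << '\n'
              << "plain callee rejected: " << plainCalleeIsRejected() << '\n';
    return 0;
}
```

The point of scenario 2 is that the unchecked path never fails at the cast; it fails one dereference later, inside a function whose signature promised it a JSFunction*, which is exactly where the Valgrind trace above lands. The check belongs at the boundary where the untyped callee enters the typed helper, not inside the helper.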
(Assignee)

Comment 3

5 years ago
Created attachment 636706 [details] [diff] [review]
Patch
Attachment #636693 - Attachment is obsolete: true
Attachment #636693 - Flags: review?(dvander)
Attachment #636706 - Flags: review?(dvander)
Comment 4

Comment on attachment 636706 [details] [diff] [review]
Patch

Review of attachment 636706 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the quick fix - could we add a test case for this?
Attachment #636706 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/bd0eba3ea397

(In reply to David Anderson [:dvander] from comment #4)
>
> Thanks for the quick fix - could we add a test case for this?

Hrm, I forgot to qref it; pushed with that fixed.
Group: core-security
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug768436.js.
Flags: in-testsuite+
Keywords: csectype-uaf