IonMonkey: Crash [@ js::EncapsulatedPtr] with use-after-free

VERIFIED FIXED

Status


Core
JavaScript Engine
--
major
VERIFIED FIXED
5 years ago
a year ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, 4 keywords)

Other Branch
x86_64
Linux
crash, csectype-uaf, sec-critical, testcase

Firefox Tracking Flags

(firefox17 unaffected, firefox-esr10 unaffected)

Details

(Whiteboard: [jsbugmon:update][ion:p1:fx18], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase crashes on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m --ion-eager -a):


gczeal(2,1);
(function () {
  var m = {}
  return { stringify: stringify };
})();
(Reporter)

Comment 1

5 years ago
Crash info:

==9467== Invalid read of size 8
==9467==    at 0x4150E0: js::EncapsulatedPtr<JSObject, unsigned long>::operator JSObject*() const (Barrier.h:172)
==9467==    by 0x426C71: js::ObjectImpl::hasSingletonType() const (ObjectImpl.h:1129)
==9467==    by 0x94F0EF: js::ion::CodeGenerator::visitNewObject(js::ion::LNewObject*) (CodeGenerator.cpp:1306)
==9467==    by 0x8941DA: js::ion::LNewObject::accept(js::ion::LInstructionVisitor*) (LIR-Common.h:250)
==9467==    by 0x94E78D: js::ion::CodeGenerator::generateBody() (CodeGenerator.cpp:1137)
==9467==    by 0x9562C7: js::ion::CodeGenerator::generate() (CodeGenerator.cpp:2638)
==9467==    by 0x823414: js::ion::GenerateCode(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:827)
==9467==    by 0x8234AE: js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:842)
==9467==    by 0x82A4FB: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:876)
==9467==    by 0x827877: js::ion::MethodStatus js::ion::Compile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:992)
==9467==    by 0x823B38: js::ion::CanEnter(JSContext*, JSScript*, js::StackFrame*, bool) (Ion.cpp:1082)
==9467==    by 0x52B446: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2495)
==9467==  Address 0xdadadadadadadae2 is not stack'd, malloc'd or (recently) free'd
(Assignee)

Updated

5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
(Assignee)

Comment 2

5 years ago
MIR.h is using HeapPtr<> instead of CompilerRoot<>
Assignee: general → dvander
Status: NEW → ASSIGNED
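The one-line diagnosis above is the whole story of this bug: during compilation the MIR held the template object through a HeapPtr<> (a write-barriered heap edge, which the collector does not treat as a root), so a GC triggered mid-compilation (here forced by gczeal) could free the object and CodeGenerator::visitNewObject then read hasSingletonType() from poisoned memory (the 0xdada… address in the Valgrind trace). CompilerRoot<> registers the object with the compilation so it survives the collection. The following is an added illustration, not SpiderMonkey's code: a toy mark-and-sweep heap in which only registered roots keep an object alive, with ScopedRoot standing in for CompilerRoot<> and a bare Obj* standing in for HeapPtr<>. All names (ToyHeap, ScopedRoot, hasSingletonType, compileWithBarePointer, compileWithRoot) are invented for the example; the freed flag models the GC's poisoning so the stale read can be observed as a return value rather than as a crash.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Toy model (added illustration, not SpiderMonkey's code): a tiny mark-and-sweep
// heap in which only registered roots keep an object alive across a collection.
struct Obj {
    bool marked = false;
    bool freed = false;          // stands in for the poison the real GC writes on free
    bool singletonType = false;
};

class ToyHeap {
public:
    Obj* alloc(bool singleton) {
        objects_.push_back(std::make_unique<Obj>());
        Obj* o = objects_.back().get();
        o->singletonType = singleton;
        return o;
    }
    // A registered root keeps the object it points at alive across collect().
    void addRoot(Obj** slot) { roots_.push_back(slot); }
    void removeRoot(Obj** slot) {
        roots_.erase(std::remove(roots_.begin(), roots_.end(), slot), roots_.end());
    }
    // Mark everything reachable from the roots, then "free" (poison) the rest.
    // Storage is retained so the demo can observe the stale read instead of
    // triggering undefined behaviour.
    void collect() {
        for (Obj** slot : roots_)
            if (*slot) (*slot)->marked = true;
        for (auto& o : objects_) {
            if (!o->marked) o->freed = true;
            o->marked = false;
        }
    }
private:
    std::vector<std::unique_ptr<Obj>> objects_;
    std::vector<Obj**> roots_;
};

// Models CompilerRoot<>: the pointer is a root for the lifetime of the wrapper.
class ScopedRoot {
public:
    ScopedRoot(ToyHeap& h, Obj* o) : heap_(h), obj_(o) { heap_.addRoot(&obj_); }
    ~ScopedRoot() { heap_.removeRoot(&obj_); }
    Obj* get() const { return obj_; }
private:
    ToyHeap& heap_;
    Obj* obj_;
};

// The read the crash trace shows (hasSingletonType on the template object).
// Returns -1 if the object was collected, otherwise 0/1. The real engine has
// no such check, which is why it crashes instead.
int hasSingletonType(const Obj* o) {
    if (o->freed) return -1;
    return o->singletonType ? 1 : 0;
}

// Compiler keeps a bare pointer (like HeapPtr<>) across a GC: stale read.
int compileWithBarePointer() {
    ToyHeap heap;
    Obj* templateObj = heap.alloc(true);   // MNewObject's template object
    heap.collect();                        // gczeal-style GC mid-compilation
    return hasSingletonType(templateObj);  // -1: use-after-free
}

// Compiler holds the object through a root (like CompilerRoot<>): it survives.
int compileWithRoot() {
    ToyHeap heap;
    ScopedRoot templateObj(heap, heap.alloc(true));
    heap.collect();
    return hasSingletonType(templateObj.get());  // 1
}
```

The two functions differ only in how the compiler holds the template object; the collector's behaviour is identical. That is the general lesson behind the fix: any pointer a compiler thread keeps across a point where a GC can run must be registered as a root (or the GC must be suppressed), and a write barrier on its own does nothing to keep the referent alive.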
(Assignee)

Comment 3

5 years ago
Created attachment 648474 [details] [diff] [review]
fix
Attachment #648474 - Flags: review?(sstangl)

Updated

5 years ago
Attachment #648474 - Flags: review?(sstangl) → review+
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/9f3dc298e25b
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 5

5 years ago
JSBugMon: This bug has been automatically verified fixed.
status-firefox-esr10: --- → unaffected
status-firefox17: --- → unaffected
Keywords: sec-critical
Depends on: 781022
Group: core-security
Keywords: csectype-uaf