Closed
Bug 830943
Opened 12 years ago
Closed 12 years ago
Incorrect behavior on emscripten "bullet" test
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
People
(Reporter: azakai, Assigned: jandem)
Details
(Keywords: sec-critical, Whiteboard: [adv-main19+])
Attachments
(4 files, 1 obsolete file)
|
3.03 MB,
application/javascript
|
Details | |
|
1.25 KB,
patch
|
dvander
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
14.18 KB,
patch
|
dvander
:
review+
decoder
:
feedback+
gkw
:
feedback+
|
Details | Diff | Splinter Review |
|
375.40 KB,
text/plain
|
Details |
Another failure on the emscripten test suite on x86_64. Works with --no-ion or in v8, fails with ion.
|
Assignee | |
Updated•12 years ago
|
Assignee: general → jdemooij
Group: core-security
|
|
Assignee | |
Comment 1•12 years ago
|
||
Tricky IonMonkey bug.
Lowering allocates argument slots for calls (allocateArguments and freeArguments). This only works if MPrepareCall and MCall are property "nested" though, and due to the way tableswitch blocks are ordered it's possible to break this invariant (with inlining + nested calls).
The attached patch fixes the tableswitch block ordering and makes sure the argument allocation code works properly. The next patch will add asserts to catch similar bugs.
Attachment #702786 -
Flags: review?(dvander)
|
|
Assignee | |
Comment 2•12 years ago
|
||
This patch adds a (debug-only) stack of MPrepareCall instructions to Lowering, so that we can ensure allocateArguments and freeArguments properly match. The testcase asserts without the previous patch.
Attachment #702788 -
Flags: review?(dvander)
|
|
Assignee | |
Comment 3•12 years ago
|
||
Pretty sure this bug has been here since Ion landed on m-c.
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → ?
tracking-firefox21:
--- → ?
|
|
Assignee | |
Updated•12 years ago
|
Status: NEW → ASSIGNED
Keywords: sec-critical
|
|
Assignee | |
Comment 4•12 years ago
|
||
Attachment #702788 -
Attachment is obsolete: true
Attachment #702788 -
Flags: review?(dvander)
Attachment #702794 -
Flags: review?(dvander)
Comment on attachment 702786 [details] [diff] [review]
Part 1: Fix
Good catch.
Attachment #702786 -
Flags: review?(dvander) → review+
|
||
Updated•12 years ago
|
Attachment #702794 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 6•12 years ago
|
||
Comment on attachment 702786 [details] [diff] [review]
Part 1: Fix
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Extremely hard.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
Firefox 18, 19, 20
If not all supported branches, which bug introduced the flaw?
IonMonkey.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Backporting is easy, patch moves 2 lines of code.
How likely is this patch to cause regressions; how much testing does it need?
Regressions are unlikely, usual nightly testing + fuzzing should be enough.
Attachment #702786 -
Flags: sec-approval?
|
||
Updated•12 years ago
|
|
Reporter | |
Comment 7•12 years ago
|
||
I found another failing testcase, same symptoms as before (fails with ion, works without it), and this patch fixes it as well. So I guess the testcase is not needed, but attaching anyhow if it's useful in some way.
|
||
Updated•12 years ago
|
Attachment #702786 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 8•12 years ago
|
||
|
|
Assignee | |
Comment 9•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 10•12 years ago
|
||
Comment on attachment 702786 [details] [diff] [review]
Part 1: Fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): IonMonkey
User impact if declined: security bugs, crashes, correctness issues
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): Very low risk
String or UUID changes made by this patch: None
Attachment #702786 -
Flags: approval-mozilla-beta?
Attachment #702786 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 11•12 years ago
|
||
Comment on attachment 702794 [details] [diff] [review]
Part 2: Add asserts, test case
decoder, gary: can you guys give this patch (part 2) some fuzzing? It should be applied to m-c or m-i tip. I will land it when part 1 has made its way to mozilla-release, but it would be good to give this patch some fuzzing to find similar bugs before that happens.
Attachment #702794 -
Flags: feedback?(gary)
Attachment #702794 -
Flags: feedback?(choller)
|
||
Comment 12•12 years ago
|
||
Fuzzing on langfuzz1 now :)
|
|
||
Comment 13•12 years ago
|
||
Comment on attachment 702794 [details] [diff] [review]
Part 2: Add asserts, test case
(In reply to Jan de Mooij [:jandem] from comment #11)
> Comment on attachment 702794 [details] [diff] [review]
> Part 2: Add asserts, test case
I didn't hit anything particularly bad after some overnight fuzzing -> feedback+
Attachment #702794 -
Flags: feedback?(gary) → feedback+
|
|
||
Comment 14•12 years ago
|
||
Comment on attachment 702794 [details] [diff] [review]
Part 2: Add asserts, test case
feedback+, no issues found till now :)
Attachment #702794 -
Flags: feedback?(choller) → feedback+
|
|
Assignee | |
Comment 15•12 years ago
|
||
(In reply to Gary Kwong [:gkw] from comment #13)
> I didn't hit anything particularly bad after some overnight fuzzing ->
> feedback+
(In reply to Christian Holler (:decoder) from comment #14)
> feedback+, no issues found till now :)
Thanks! Then I will just push this patch next month :)
|
||
Comment 16•12 years ago
|
||
Comment on attachment 702786 [details] [diff] [review]
Part 1: Fix
Very low risk fix for a tracked sg:crit issue. Let's land on branches.
Attachment #702786 -
Flags: approval-mozilla-beta?
Attachment #702786 -
Flags: approval-mozilla-beta+
Attachment #702786 -
Flags: approval-mozilla-aurora?
Attachment #702786 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•12 years ago
|
status-b2g18:
unaffected → ---
|
|
Assignee | |
Comment 17•12 years ago
|
||
|
||
Updated•12 years ago
|
status-b2g18:
--- → disabled
|
|
||
Updated•12 years ago
|
Whiteboard: [adv-main19+]
|
|
Assignee | |
Comment 18•12 years ago
|
||
Pushed part 2:
https://hg.mozilla.org/integration/mozilla-inbound/rev/64bdaa6a86cd
(Linux Try run looks good: https://tbpl.mozilla.org/?tree=Try&rev=bdd7c595daf2)
|
||
Comment 19•12 years ago
|
||
Flags: in-testsuite+
Target Milestone: --- → mozilla21
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•