Crash [@ defaultValue] with ParallelArray and use-after-free

RESOLVED DUPLICATE of bug 875957

Status: RESOLVED DUPLICATE of bug 875957
Severity: critical
Reporter: decoder (Unassigned)
Product/Platform: Trunk, x86, Linux
Keywords: crash, csectype-uaf, sec-critical, testcase
Whiteboard: [jsbugmon:update], crash signature
Tracking: Blocks 1 bug; Firefox tracking flags: not tracked
Attachments: 1 attachment (see comment 1)

Description (Reporter: decoder, 6 years ago)

The following testcase crashes on mozilla-central revision e58336e81395 (run with --ion-eager):

    // Crash testcase: run in the JS shell with --ion-eager
    function mk() {}
    var p = new ParallelArray([0,0,0,0], mk);
    p.get(mk, "");
Comment 1 (Reporter: decoder, 6 years ago)

Created attachment 755428: [crash-signature] Machine-readable crash signature
Comment 2 (Reporter: decoder, 6 years ago)

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009056cb in defaultValue (vp=..., obj=..., cx=0x185c720, hint=JSTYPE_NUMBER) at ../jsobjinlines.h:64
64          JSConvertOp op = obj->getClass()->convert;
#0  0x00000000009056cb in defaultValue (vp=..., obj=..., cx=0x185c720, hint=JSTYPE_NUMBER) at ../jsobjinlines.h:64
#1  ToPrimitive (vp=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), cx=0x185c720, preferredType=<optimized out>) at ../jsobjinlines.h:1458
#2  GreaterThanOrEqualOperation (res=<synthetic pointer>, rhs=$jsval(0), lhs=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), cx=0x185c720) at ../jsinterpinlines.h:1017
#3  js::ion::GreaterThanOrEqual (cx=0x185c720, lhs=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), rhs=$jsval(0), res=0x7fffffffc8cc) at js/src/ion/VMFunctions.cpp:205
#4  0x00007ffff7f94eb4 in ?? ()
#5  0x00007ffff5f3de80 in ?? ()
#6  0x00007fffffffc8cc in ?? ()
#7  0x0000000000000302 in ?? ()
rax     0xdada0000      -2676586395008892928
=> 0x9056cb <js::ion::GreaterThanOrEqual(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, int*)+523>:    mov    0x40(%rax),%rax
Shows use-after-free (0xdada pattern), marking sec-critical.
Keywords: csec-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter: decoder, 6 years ago)

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 (Reporter: decoder, 6 years ago)

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132612:b2216a10f95b
user:        Shu-yu Guo
date:        Tue May 21 23:52:45 2013 -0700
summary:     Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 0.962 seconds to run.
Comment 4 (Reporter: decoder, 6 years ago)

Needinfo from shu based on comment 3 :)
Flags: needinfo?(shu)

Comment 5 (6 years ago)

Okay, this is caused by me not passing correct type info for the rest args array. This is fixed in 875957.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
Duplicate of bug: 875957
Group: core-security
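The reporter's sec-critical call in comment 2 rests on one observation: the register being dereferenced (`mov 0x40(%rax),%rax`) holds SpiderMonkey's freed-memory fill pattern. gdb's hex column in that trace is truncated, but the signed decimal column next to it decodes to the full value 0xdadadadadada0000. The script below is an added example, not part of this bug report or of SpiderMonkey: it parses gdb register and frame lines like the ones in comment 2, recovers the raw 64-bit value from the decimal column, counts poison bytes, and collects the "Cannot access memory" addresses, so the same check can be applied to other JSBugMon traces. The poison byte 0xDA and the threshold of four matching bytes are this example's assumptions, and the sample trace is a constructed excerpt of comment 2.

```python
"""Triage helper for gdb crash traces: flag registers that hold the 0xDA
freed-memory poison pattern and collect the faulting addresses gdb reported.
Added example for this bug page, not code from the report or from SpiderMonkey."""
import re

# Byte SpiderMonkey writes over freed allocations (the "0xdada pattern" the
# reporter names).  Assumed here; adjust if the engine under test differs.
POISON_BYTE = 0xDA

# How many of the 8 bytes must be poison before we call the value poisoned
# (assumption: pointer-sized garbage with half or more poison bytes).
POISON_THRESHOLD = 4

# gdb "info registers" style line: name, hex value, signed decimal value.
REG_LINE = re.compile(r"^(?P<reg>[a-z0-9]+)\s+0x[0-9a-f]+\s+(?P<dec>-?\d+)\s*$")
# gdb annotation emitted when a pretty-printer could not read memory.
BAD_READ = re.compile(r"Cannot access memory at address 0x(?P<addr>[0-9a-f]+)")


def to_u64(signed_decimal: int) -> int:
    """gdb prints the decimal column as a signed 64-bit integer; recover the raw bits."""
    return signed_decimal & 0xFFFFFFFFFFFFFFFF


def poison_byte_count(value: int) -> int:
    """Number of bytes in a 64-bit value equal to the poison byte."""
    return sum(1 for b in value.to_bytes(8, "little") if b == POISON_BYTE)


def analyze_trace(text: str) -> dict:
    """Return poisoned registers (name -> (raw value, poison byte count))
    and the sorted list of addresses gdb could not read."""
    poisoned = {}
    bad_reads = set()
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            raw = to_u64(int(m.group("dec")))
            n = poison_byte_count(raw)
            if n >= POISON_THRESHOLD:
                poisoned[m.group("reg")] = (raw, n)
            continue
        for r in BAD_READ.finditer(line):
            bad_reads.add(int(r.group("addr"), 16))
    return {"poisoned_registers": poisoned, "bad_reads": sorted(bad_reads)}


def classify(result: dict) -> str:
    """Rough triage verdict mirroring the reporter's reasoning: a poisoned
    register being dereferenced points at a use-after-free; otherwise a read
    in the first page is a near-null dereference."""
    if result["poisoned_registers"]:
        return "likely use-after-free (freed-memory poison dereferenced)"
    if any(addr < 0x1000 for addr in result["bad_reads"]):
        return "near-null dereference"
    return "unclassified crash"


# Constructed sample: lines excerpted from comment 2 (symbol name shortened).
SAMPLE_TRACE = """\
#1  ToPrimitive (vp=$jsval((JSObject *) 0x7ffff5f23960 Cannot access memory at address 0x8), cx=0x185c720, preferredType=<optimized out>) at ../jsobjinlines.h:1458
rax     0xdada0000      -2676586395008892928
=> 0x9056cb <js::ion::GreaterThanOrEqual(...)+523>:    mov    0x40(%rax),%rax
"""

if __name__ == "__main__":
    res = analyze_trace(SAMPLE_TRACE)
    for reg, (raw, n) in res["poisoned_registers"].items():
        print(f"{reg} = {raw:#018x} ({n}/8 poison bytes)")
    print("unreadable addresses:", [hex(a) for a in res["bad_reads"]])
    print(classify(res))
```

On the comment 2 excerpt this reports rax as 0xdadadadadada0000 with six poison bytes, which is why the faulting `mov 0x40(%rax),%rax` is a read through a freed object rather than a plain null dereference; the 0x8 read failure on the JSObject pretty-printer is a secondary symptom of the same dangling pointer. The decimal column is used deliberately, since gdb's hex display of a register can be truncated in pasted traces, as it is on this page.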