Closed
Bug 878041
Opened 11 years ago
Closed 11 years ago
Use-after-poison [@ js::RegExpShared::pairCount] or invalid write on heap near [@ js::RegExpShared::execute]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 878293
People
(Reporter: decoder, Unassigned)
Details
(4 keywords)
Attachments
(1 file)
441 bytes,
text/plain
The following testcase shows use-after-poison on mozilla-central revision 3c6f2394995d (no options required):

a="['b']"; 'a'.replace(/a/g, eval);
Reporter
Comment 1•11 years ago
Reporter
Comment 2•11 years ago
Detected by ASan, trace:

=================================================================
==13922== ERROR: AddressSanitizer: use-after-poison on address 0xf6f01310 at pc 0x8277736 bp 0xfff65ec8 sp 0xfff65ec0
WRITE of size 4 at 0xf6f01310 thread T0
    #0 0x8277735 in js::RegExpShared::pairCount() const js/src/vm/RegExpObject.cpp:129
    #1 0x86bea86 in DoMatchForReplaceGlobal(JSContext*, js::RegExpStatics*, JS::Handle<JSLinearString*>, js::RegExpShared&, ReplaceData&) js/src/jsstr.cpp:1940
    #2 0x852a542 in JSFunction::native() const js/src/opt32asan/../jscntxtinlines.h:346
    #3 0x85188ab in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2219
    #4 0x850250e in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:352
    #5 0x852caba in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/jsinterp.cpp:537
    #6 0x852d176 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/jsinterp.cpp:576
    #7 0x838db97 in JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) js/src/jsapi.cpp:5644
    #8 0x80f033e in Process(JSContext*, JSObject*, char const*, bool) js/src/shell/js.cpp:466
    #9 0x80ed33e in ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) js/src/shell/js.cpp:5146
    #10 0x80eebb6 in main js/src/shell/js.cpp:5416
    #11 0xf74794d2 in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #12 0x80ebd8c in _start ??:0
0xf6f01310 is located 16 bytes inside of 4096-byte region [0xf6f01300,0xf6f02300)
allocated by thread T0 here:
    #0 0x80df0c4 in malloc ??:0
    #1 0x93a8f5c in js_malloc(unsigned int) js/src/opt32asan/./dist/include/js/Utility.h:152

Valgrind also shows this, just a little different (debug build this time):

==2193== Invalid write of size 4
==2193==    at 0x4F3148: js::RegExpShared::execute(JSContext*, unsigned short const*, unsigned long, unsigned long*, js::MatchPairs&) (RegExpObject.cpp:129)
==2193==    by 0x6E750F: js::str_replace(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:1940)
==2193==    by 0x63B189: _ZN2js12CallJSNativeEP9JSContextPFiS1_jPN2JS5ValueEERKNS2_8CallArgsE.constprop.556 (jscntxtinlines.h:346)
==2193==    by 0x64F677: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:395)
==2193==    by 0x646B5F: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) (jsinterp.cpp:2219)
==2193==    by 0x64F107: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:352)
==2193==    by 0x651226: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:537)
==2193==    by 0x57816B: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5644)
==2193==    by 0x41B40F: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:466)
==2193==    by 0x4253FD: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:5146)
==2193==    by 0x40D083: main (js.cpp:5416)
==2193==  Address 0x60f0870 is 32 bytes inside a block of size 4,096 alloc'd
==2193==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2193==    by 0xA250FF: js::detail::BumpChunk::new_(unsigned long) (Utility.h:152)
==2193==    by 0xA25599: js::LifoAlloc::getOrCreateChunk(unsigned long) (LifoAlloc.cpp:100)
==2193==    by 0x4BB614: js::frontend::ParseNodeAllocator::allocNode() (LifoAlloc.h:257)
==2193==    by 0x4BB832: js::frontend::ParseNode::create(js::frontend::ParseNodeKind, js::frontend::ParseNodeArity, js::frontend::FullParseHandler*) (FullParseHandler.h:33)
==2193==    by 0x4DD09E: js::frontend::Parser<js::frontend::FullParseHandler>::variables(js::frontend::ParseNodeKind, bool*, js::StaticBlockObject*, js::frontend::VarContext) (ParseNode.h:914)
==2193==    by 0x4DE43E: js::frontend::Parser<js::frontend::FullParseHandler>::statement() (Parser.cpp:4745)
==2193==    by 0xA19513: js::frontend::CompileScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::CompileOptions const&, unsigned short const*, unsigned long, JSString*, unsigned int, js::SourceCompressionToken*) (BytecodeCompiler.cpp:218)
==2193==    by 0x5783A6: JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) (jsapi.cpp:5681)
==2193==    by 0x5789CC: JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) (jsapi.cpp:5717)
==2193==    by 0x51332F: JSRuntime::initSelfHosting(JSContext*) (SelfHosting.cpp:554)
==2193==    by 0x5BA2EA: js::NewContext(JSRuntime*, unsigned long) (jscntxt.cpp:313)
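The two traces above share one shape: the faulting write lands in a 4096-byte chunk owned by a mark/release bump allocator (the LifoAlloc chunk in the Valgrind allocation stack), and the write comes from the replace loop while the callback passed to replace has re-entered the engine. The illustration below is an added example, not code from this bug or from SpiderMonkey: a toy arena with mark/release semantics that poisons released bytes through ASan's manual poisoning API, so that an outer operation which keeps a buffer alive across a nested operation that releases back to a stale mark is reported as use-after-poison at exactly this kind of write. All names (Lifo, lifo_*, replace_with_reentrant_callback) are invented for the example; the liveness check is a debug aid that also works in a build without ASan.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* ASan's manual poisoning API. With -fsanitize=address, a touch of a poisoned
 * byte is reported as use-after-poison, the report class in the ASan trace
 * above. Without ASan these macros are no-ops and only the liveness check
 * below detects the mistake. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#include <sanitizer/asan_interface.h>
#define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#define POISON(p, n)   ((void)(p), (void)(n))
#define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

/* Toy mark/release bump allocator (invented for this example). */
typedef struct { uint8_t *base; size_t cap; size_t used; } Lifo;
typedef struct { size_t used; } LifoMark;

static int lifo_init(Lifo *l, size_t cap) {
    l->base = malloc(cap);
    if (!l->base) return -1;
    l->cap = cap;
    l->used = 0;
    POISON(l->base, cap);                 /* nothing handed out yet */
    return 0;
}

static void *lifo_alloc(Lifo *l, size_t n) {
    n = (n + 7) & ~(size_t)7;             /* 8-byte alignment */
    if (n > l->cap - l->used) return NULL;
    uint8_t *p = l->base + l->used;
    l->used += n;
    UNPOISON(p, n);
    return p;
}

static LifoMark lifo_mark(const Lifo *l) { LifoMark m = { l->used }; return m; }

/* Release everything allocated after `m` and poison it. Returns -1 if the
 * mark lies above the current top, i.e. it was taken in a state that no
 * longer exists. */
static int lifo_release(Lifo *l, LifoMark m) {
    if (m.used > l->used) return -1;
    POISON(l->base + m.used, l->used - m.used);
    l->used = m.used;
    return 0;
}

/* Debug check: is [p, p+n) still inside the live prefix of the arena? */
static int lifo_is_live(const Lifo *l, const void *p, size_t n) {
    const uint8_t *q = p;
    return q >= l->base && q + n <= l->base + l->used;
}

static void lifo_destroy(Lifo *l) { UNPOISON(l->base, l->cap); free(l->base); l->base = NULL; }

/* Model of the re-entrancy in the testcase: the outer operation (the replace
 * loop) keeps a match-pairs buffer in the arena while a nested operation (the
 * callback's parser) allocates and then releases. When the nested code
 * releases to a mark taken before the outer buffer existed, the buffer is
 * poisoned under it. Returns 1 if the outer buffer is still live afterwards,
 * 0 if it was released out from under the outer loop, -1 on init failure. */
static int replace_with_reentrant_callback(int nested_releases_to_stale_mark) {
    Lifo arena;
    if (lifo_init(&arena, 4096) != 0) return -1;

    LifoMark stale = lifo_mark(&arena);                      /* taken too early */
    uint32_t *pairs = lifo_alloc(&arena, 4 * sizeof *pairs); /* outer's buffer */
    pairs[0] = 0; pairs[1] = 1;                              /* first match */

    LifoMark own = lifo_mark(&arena);                        /* nested work begins */
    (void)lifo_alloc(&arena, 64);
    (void)lifo_alloc(&arena, 128);
    lifo_release(&arena, nested_releases_to_stale_mark ? stale : own);

    /* The outer loop would now store the next match. Writing blindly here is
     * the write the sanitizer flagged; check liveness first instead. */
    int live = lifo_is_live(&arena, pairs, 4 * sizeof *pairs);
    if (live) { pairs[2] = 1; pairs[3] = 2; }

    lifo_destroy(&arena);
    return live;
}

int main(void) {
    int ok = replace_with_reentrant_callback(0);
    int bad = replace_with_reentrant_callback(1);
    printf("release to own mark: buffer live=%d; release to stale mark: buffer live=%d\n", ok, bad);
    return (ok == 1 && bad == 0) ? 0 : 1;
}
```

Built with -fsanitize=address, replacing the liveness check with an unconditional store in the stale-mark path produces a use-after-poison report whose allocation stack points at lifo_init's malloc, the same structure as the report in this comment; the practical lesson is that a nested operation must release only to a mark it took itself, and that a buffer handed out by such an arena is only valid until the next release below it.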
Comment 3•11 years ago
The first bad revision is:

changeset: http://hg.mozilla.org/mozilla-central/rev/d71234d65e90
user: Brian Hackett
date: Thu May 30 06:29:56 2013 -0600
summary: Bug 678037 - Add (disabled) ability to parse script bytecode lazily, r=luke.

There's a patch for a similar issue in bug 878293. This might be a dup.
Comment 4•11 years ago
This bug makes it impossible for me to use ASAN for anything, since Firefox just dies at startup. It would be really great if we can back out the offending changeset as soon as possible...
Flags: needinfo?(luke)
Flags: needinfo?(bhackett1024)
Comment 5•11 years ago
Does the patch in bug 878293 fix this issue for anybody?
Comment 6•11 years ago
(In reply to Andrew McCreight [:mccr8] from comment #5)
> Does the patch in bug 878293 fix this issue for anybody?

It does for me...
Comment 8•11 years ago
Decoder or somebody should confirm the original test case is okay now.
Flags: needinfo?(choller)
Updated•11 years ago
Flags: needinfo?(bhackett1024)
Reporter
Comment 9•11 years ago
Confirmed duplicate.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security