Closed Bug 878041 Opened 11 years ago Closed 11 years ago

Use-after-poison [@ js::RegExpShared::pairCount] or invalid write on heap near [@ js::RegExpShared::execute]

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 878293

Reporter: decoder, Unassigned

The following testcase shows use-after-poison on mozilla-central revision 3c6f2394995d (no options required):

a="['b']";
'a'.replace(/a/g, eval);

Detected by ASan, trace:

=================================================================
==13922== ERROR: AddressSanitizer: use-after-poison on address 0xf6f01310 at pc 0x8277736 bp 0xfff65ec8 sp 0xfff65ec0
WRITE of size 4 at 0xf6f01310 thread T0
    #0 0x8277735 in js::RegExpShared::pairCount() const js/src/vm/RegExpObject.cpp:129
    #1 0x86bea86 in DoMatchForReplaceGlobal(JSContext*, js::RegExpStatics*, JS::Handle<JSLinearString*>, js::RegExpShared&, ReplaceData&) js/src/jsstr.cpp:1940
    #2 0x852a542 in JSFunction::native() const js/src/opt32asan/../jscntxtinlines.h:346
    #3 0x85188ab in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2219
    #4 0x850250e in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:352
    #5 0x852caba in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/jsinterp.cpp:537
    #6 0x852d176 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/jsinterp.cpp:576
    #7 0x838db97 in JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) js/src/jsapi.cpp:5644
    #8 0x80f033e in Process(JSContext*, JSObject*, char const*, bool) js/src/shell/js.cpp:466
    #9 0x80ed33e in ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) js/src/shell/js.cpp:5146
    #10 0x80eebb6 in main js/src/shell/js.cpp:5416
    #11 0xf74794d2 in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #12 0x80ebd8c in _start ??:0
0xf6f01310 is located 16 bytes inside of 4096-byte region [0xf6f01300,0xf6f02300)
allocated by thread T0 here:
    #0 0x80df0c4 in malloc ??:0
    #1 0x93a8f5c in js_malloc(unsigned int) js/src/opt32asan/./dist/include/js/Utility.h:152

Valgrind also shows this, just a little different (debug build this time):

==2193== Invalid write of size 4
==2193==    at 0x4F3148: js::RegExpShared::execute(JSContext*, unsigned short const*, unsigned long, unsigned long*, js::MatchPairs&) (RegExpObject.cpp:129)
==2193==    by 0x6E750F: js::str_replace(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:1940)
==2193==    by 0x63B189: _ZN2js12CallJSNativeEP9JSContextPFiS1_jPN2JS5ValueEERKNS2_8CallArgsE.constprop.556 (jscntxtinlines.h:346)
==2193==    by 0x64F677: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:395)
==2193==    by 0x646B5F: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) (jsinterp.cpp:2219)
==2193==    by 0x64F107: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:352)
==2193==    by 0x651226: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:537)
==2193==    by 0x57816B: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5644)
==2193==    by 0x41B40F: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:466)
==2193==    by 0x4253FD: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:5146)
==2193==    by 0x40D083: main (js.cpp:5416)
==2193==  Address 0x60f0870 is 32 bytes inside a block of size 4,096 alloc'd
==2193==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2193==    by 0xA250FF: js::detail::BumpChunk::new_(unsigned long) (Utility.h:152)
==2193==    by 0xA25599: js::LifoAlloc::getOrCreateChunk(unsigned long) (LifoAlloc.cpp:100)
==2193==    by 0x4BB614: js::frontend::ParseNodeAllocator::allocNode() (LifoAlloc.h:257)
==2193==    by 0x4BB832: js::frontend::ParseNode::create(js::frontend::ParseNodeKind, js::frontend::ParseNodeArity, js::frontend::FullParseHandler*) (FullParseHandler.h:33)
==2193==    by 0x4DD09E: js::frontend::Parser<js::frontend::FullParseHandler>::variables(js::frontend::ParseNodeKind, bool*, js::StaticBlockObject*, js::frontend::VarContext) (ParseNode.h:914)
==2193==    by 0x4DE43E: js::frontend::Parser<js::frontend::FullParseHandler>::statement() (Parser.cpp:4745)
==2193==    by 0xA19513: js::frontend::CompileScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::CompileOptions const&, unsigned short const*, unsigned long, JSString*, unsigned int, js::SourceCompressionToken*) (BytecodeCompiler.cpp:218)
==2193==    by 0x5783A6: JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) (jsapi.cpp:5681)
==2193==    by 0x5789CC: JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) (jsapi.cpp:5717)
==2193==    by 0x51332F: JSRuntime::initSelfHosting(JSContext*) (SelfHosting.cpp:554)
==2193==    by 0x5BA2EA: js::NewContext(JSRuntime*, unsigned long) (jscntxt.cpp:313)

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/d71234d65e90
user:        Brian Hackett
date:        Thu May 30 06:29:56 2013 -0600
summary:     Bug 678037 - Add (disabled) ability to parse script bytecode lazily, r=luke.

There's a patch for a similar issue in bug 878293.  This might be a dup.
This bug makes it impossible for me to use ASAN for anything, since Firefox just dies at startup.  It would be really great if we can back out the offending changeset as soon as possible...
Flags: needinfo?(luke)
Flags: needinfo?(bhackett1024)
Does the patch in bug 878293 fix this issue for anybody?
(In reply to Andrew McCreight [:mccr8] from comment #5)
> Does the patch in bug 878293 fix this issue for anybody?

It does for me...
Can this be resolved WFM then?
Flags: needinfo?(luke)
Decoder or somebody should confirm the original test case is okay now.
Flags: needinfo?(choller)
Flags: needinfo?(bhackett1024)
Confirmed duplicate.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE
Group: core-security