Closed
Bug 879747
Opened 11 years ago
Closed 11 years ago
Use-after-poison [@ NodeBuilder::newNodeLoc]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 878293
Release | Tracking | Status
---|---|---
firefox23 | --- | unaffected
firefox24 | + | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People
(Reporter: decoder, Unassigned)
Details
(Keywords: csectype-uaf, sec-critical, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file)
896 bytes,
text/plain
The following testcase shows use-after-poison on mozilla-central revision 8f9ba85eb61c (run with --ion-eager):

Object.defineProperty(Object.prototype, (1), { set: function(a) { eval(""); } });
var fun = new Function('x', 'return let (y = x) (y++, "" + y);');
var got = fun.toSource();
Reflect.parse(got);
Comment 1 • 11 years ago (reporter)

Comment 2 • 11 years ago (reporter)
ASan trace:

==958== ERROR: AddressSanitizer: use-after-poison on address 0xf6f0156c at pc 0x86657af bp 0xffa46d58 sp 0xffa46d50
READ of size 4 at 0xf6f0156c thread T0
    #0 0x86657ae in NodeBuilder::newNodeLoc(js::frontend::TokenPos*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:683
    #1 0x866403b in NodeBuilder::setNodeLoc(JS::Handle<JSObject*>, js::frontend::TokenPos*) js/src/jsreflect.cpp:726
    #2 0x8663c6c in NodeBuilder::newNode(js::ASTType, js::frontend::TokenPos*, JS::MutableHandle<JSObject*>) js/src/jsreflect.cpp:625
    #3 0x8665ec2 in NodeBuilder::newNode(js::ASTType, js::frontend::TokenPos*, char const*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:338
    #4 0x867d0ea in NodeBuilder::sequenceExpression(JS::AutoValueVector&, js::frontend::TokenPos*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:1095
    #5 0x8686e24 in ASTSerializer::let(js::frontend::ParseNode*, bool, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:1871
    #6 0x867ec3d in ASTSerializer::expression(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:2607
    #7 0x868250c in ASTSerializer::optExpression(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:1529
    #8 0x868ebd8 in ASTSerializer::sourceElement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:1756
    #9 0x868f37f in ASTSerializer::functionArgsAndBody(js::frontend::ParseNode*, JS::AutoValueVector&, JS::AutoValueVector&, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:2888
    #10 0x8684e90 in ASTSerializer::function(js::frontend::ParseNode*, js::ASTType, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:2831
    #11 0x867e256 in ASTSerializer::expression(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:2328
    #12 0x8681504 in ASTSerializer::statement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:2035
    #13 0x8680758 in ASTSerializer::sourceElement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:1756
    #14 0x8691450 in reflect_parse(JSContext*, unsigned int, JS::Value*) js/src/jsreflect.cpp:3085
    #15 0x81b6da2 in JSFunction::native() const js/src/opt32asan/../jscntxtinlines.h:349
    #16 0x81b7ca5 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/vm/Interpreter.cpp:441
    #17 0x88b8792 in js::ion::DoCallFallback(JSContext*, js::ion::BaselineFrame*, js::ion::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/ion/BaselineIC.cpp:6981
    #18 0xf741043b in
0xf6f0156c is located 620 bytes inside of 4096-byte region [0xf6f01300,0xf6f02300)

Use-after-poison means a use-after-free in our internal allocator, marking as sec-critical. Ccing some people that might know what's going on.
Keywords: csec-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
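The reporter's triage in comment 2 hinges on three things read off the ASan report: the error kind, the top symbolized frame (which gives the bug summary its "[@ NodeBuilder::newNodeLoc]" bucket), and the region line that places the faulting address inside a poisoned allocator chunk. The following parser is an added example written for this page, not tooling from the Mozilla fuzzing team or from the bug; the sample input is comment 2's own trace reflowed one frame per line, with most middle frames left out, and the severity table is my assumption about which ASan kinds a memory-safety bucket would contain (the page only states the rule for use-after-poison).

```python
import re

# ASan report from comment 2 of this bug, reflowed one frame per line as ASan prints it.
# Frames #5 to #13 and #16 onward are left out here to keep the sample short.
ASAN_REPORT = """\
==958== ERROR: AddressSanitizer: use-after-poison on address 0xf6f0156c at pc 0x86657af bp 0xffa46d58 sp 0xffa46d50
READ of size 4 at 0xf6f0156c thread T0
    #0 0x86657ae in NodeBuilder::newNodeLoc(js::frontend::TokenPos*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:683
    #1 0x866403b in NodeBuilder::setNodeLoc(JS::Handle<JSObject*>, js::frontend::TokenPos*) js/src/jsreflect.cpp:726
    #2 0x8663c6c in NodeBuilder::newNode(js::ASTType, js::frontend::TokenPos*, JS::MutableHandle<JSObject*>) js/src/jsreflect.cpp:625
    #3 0x8665ec2 in NodeBuilder::newNode(js::ASTType, js::frontend::TokenPos*, char const*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:338
    #4 0x867d0ea in NodeBuilder::sequenceExpression(JS::AutoValueVector&, js::frontend::TokenPos*, JS::MutableHandle<JS::Value>) js/src/jsreflect.cpp:1095
    #14 0x8691450 in reflect_parse(JSContext*, unsigned int, JS::Value*) js/src/jsreflect.cpp:3085
    #15 0x81b6da2 in JSFunction::native() const js/src/opt32asan/../jscntxtinlines.h:349
0xf6f0156c is located 620 bytes inside of 4096-byte region [0xf6f01300,0xf6f02300)
"""

HEX = r"0x[0-9a-fA-F]+"
HEADER_RE = re.compile(rf"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>{HEX})")
ACCESS_RE = re.compile(rf"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>{HEX}) thread (?P<thread>T\d+)", re.M)
# Symbolized frame: the function signature may contain spaces, the file path does not,
# so the path is the last whitespace-separated token before ":line".
FRAME_RE = re.compile(rf"^[ \t]*#(?P<n>\d+) {HEX} in (?P<func>.+) (?P<file>\S+):(?P<line>\d+)$", re.M)
REGION_RE = re.compile(rf"^(?P<addr>{HEX}) is located (?P<offset>\d+) bytes inside of (?P<size>\d+)-byte region \[(?P<start>{HEX}),(?P<end>{HEX})\)", re.M)


def parse_asan_report(text):
    """Pull the triage-relevant fields out of an ASan report into a plain dict."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an AddressSanitizer report")
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    return {
        "kind": header["kind"],
        "address": int(header["addr"], 16),
        "access": access["access"] if access else None,
        "access_address": int(access["addr"], 16) if access else None,
        "size": int(access["size"]) if access else None,
        "thread": access["thread"] if access else None,
        "frames": [
            {"n": int(m["n"]), "func": m["func"], "file": m["file"], "line": int(m["line"])}
            for m in FRAME_RE.finditer(text)
        ],
        "region": None if region is None else {
            "offset": int(region["offset"]), "size": int(region["size"]),
            "start": int(region["start"], 16), "end": int(region["end"], 16),
        },
    }


def crash_signature(report):
    """Bucket key in the form this bug's summary uses: kind plus the top symbolized frame."""
    func = report["frames"][0]["func"].split("(")[0]
    return f"{report['kind'].capitalize()} [@ {func}]"


def access_is_consistent(report):
    """Cross-check the address as the header, the access line and the region line state it."""
    r = report["region"]
    addr = report["address"]
    if r is None or report["access_address"] != addr:
        return False
    return (r["start"] <= addr < r["end"]
            and addr - r["start"] == r["offset"]
            and r["end"] - r["start"] == r["size"])


# Rating rule from comment 2: use-after-poison is a use-after-free in the engine's own
# allocator and is rated sec-critical. The other kinds listed are an assumption about what
# a memory-safety bucket would hold; the bug itself only states the use-after-poison case.
MEMORY_SAFETY_KINDS = {"use-after-poison", "heap-use-after-free", "heap-buffer-overflow",
                       "stack-buffer-overflow", "global-buffer-overflow", "stack-use-after-return"}


def severity(report):
    return "sec-critical" if report["kind"] in MEMORY_SAFETY_KINDS else "needs-triage"


if __name__ == "__main__":
    rep = parse_asan_report(ASAN_REPORT)
    print(crash_signature(rep), severity(rep), access_is_consistent(rep))
```

The consistency check is the part worth keeping in any triage pipeline: the region line says the address sits 620 bytes into a 4096-byte chunk, and 0xf6f0156c - 0xf6f01300 is indeed 0x26c = 620, so the report is internally coherent and the poisoned-chunk reading is the right one. A mismatch there usually means a truncated or mis-pasted report rather than a different bug.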
Comment 3 • 11 years ago
How far back does this go?
status-firefox24: --- → affected
tracking-firefox24: --- → +
Updated • 11 years ago (reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 4 • 11 years ago (reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9ca690835a5e).
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/d71234d65e90
user: Brian Hackett
date: Thu May 30 06:29:56 2013 -0600
summary: Bug 678037 - Add (disabled) ability to parse script bytecode lazily, r=luke.

This iteration took 331.147 seconds to run.
Updated • 11 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Updated • 11 years ago (reporter)
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Comment 5 • 11 years ago (reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9ca690835a5e).
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/b925d7cdd09a
parent: 134064:c6c656a65a81
parent: 133968:8f9ba85eb61c
user: Ed Morley
date: Wed Jun 05 11:39:27 2013 +0100
summary: Merge latest green inbound changeset and mozilla-central

Not all ancestors of this changeset have been checked. Use bisect --extend to continue the bisection from the common ancestor, 22cb668fd727.

This iteration took 329.778 seconds to run.

Oops! We didn't test rev c6c656a65a81, a parent of the blamed revision! Let's do that now.
We did not test rev c6c656a65a81 because it is not a descendant of either 8f9ba85eb61c or 9ca690835a5e.
Rev c6c656a65a81: Updating... Compiling... Testing... [Uninteresting] It didn't crash. (0.069 seconds) good (not interesting)
As expected, the parent's label is the opposite of the blamed rev's label. Bisect lied to us! Parent rev c6c656a65a81 was also good!
Bisect blamed the merge because our initial range did not include one of the parents.
The common ancestor of c6c656a65a81 and 8f9ba85eb61c is 22cb668fd727.
Rev 22cb668fd727: Updating... Compiling... Testing... Exit status: CRASHED signal 11 (SIGSEGV) (0.056 seconds) bad (interesting)
Consider re-running autoBisect with -s 22cb668fd727 -e b925d7cdd09a in a configuration where earliestWorking is before the common ancestor.
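The failure mode the bot walks through above is a general one for bisecting over a DAG: when the blamed revision is a merge and one of its parents was never inside the tested range, the label flip may live on that parent's branch, and the merge is blamed only because the range excluded it. The check below is an added example written for this page, not autoBisect's own code. The revision hashes are the ones comment 5 names; the parent edges are an assumption that collapses the intermediate revisions down to the named ones, and the crash labels are the ones the bot reports for each revision.

```python
# Revision graph behind comment 5. Hashes are the bot's; edges are an assumption that keeps
# only the named revisions, dropping everything in between.
PARENTS = {
    "b925d7cdd09a": ("c6c656a65a81", "8f9ba85eb61c"),  # merge blamed as the "first good" revision
    "c6c656a65a81": ("22cb668fd727",),                  # inbound parent, never inside the bisected range
    "8f9ba85eb61c": ("22cb668fd727",),                  # the range's start revision (crashes)
    "22cb668fd727": (),                                 # common ancestor of the two parents
}

# Stand-in for "update, compile, run the testcase": True means the revision crashed.
# Labels are the ones comment 5 reports.
CRASHES = {
    "b925d7cdd09a": False,
    "c6c656a65a81": False,
    "8f9ba85eb61c": True,
    "22cb668fd727": True,
}


def ancestors(rev, parents):
    """Every ancestor of rev, rev itself included."""
    seen, stack = set(), [rev]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen


def common_ancestors(a, b, parents):
    """Greatest common ancestors: common ancestors that are not ancestors of another one."""
    common = ancestors(a, parents) & ancestors(b, parents)
    return {r for r in common
            if not any(r in ancestors(c, parents) for c in common if c != r)}


def validate_blame(blamed, tested, crashes, parents):
    """Re-check a bisect result that names `blamed` as the first revision whose label flipped.

    A merge is a genuine transition only if every parent carries the opposite label. An
    untested parent that shares the blamed revision's label means the flip happened on
    that parent's branch, outside the range; the range to re-bisect then runs from the
    common ancestor of the parents to the blamed revision.
    """
    label = crashes[blamed]
    for p in parents[blamed]:
        if p in tested:
            continue  # bisect already observed the flip across this edge
        if crashes[p] == label:  # untested parent shares the label: the flip is on its branch
            others = [q for q in parents[blamed] if q != p]
            extend_from = set().union(*(common_ancestors(p, q, parents) for q in others))
            return {"trustworthy": False, "untested_parent": p, "extend_from": extend_from}
    return {"trustworthy": True, "untested_parent": None, "extend_from": set()}


def suggested_range(result, blamed, crashes):
    """Range to re-run over: a common ancestor with the opposite label up to the blamed rev."""
    starts = [r for r in result["extend_from"] if crashes[r] != crashes[blamed]]
    return (starts[0], blamed) if len(starts) == 1 else None


if __name__ == "__main__":
    tested = {"8f9ba85eb61c", "b925d7cdd09a"}  # endpoints the first run actually covered
    result = validate_blame("b925d7cdd09a", tested, CRASHES, PARENTS)
    print(result, suggested_range(result, "b925d7cdd09a", CRASHES))
```

For this graph the check rejects the merge, names c6c656a65a81 as the untested parent, and proposes re-running from 22cb668fd727 to b925d7cdd09a, which is the `-s`/`-e` pair the bot arrives at. The same check applies unchanged to a crash bisection (first bad revision); only the labels are inverted.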
Comment 6 • 11 years ago (reporter)
Indeed this doesn't reproduce anymore. Maybe Brian can tell what bug fixed this.
Flags: needinfo?(bhackett1024)
Updated • 11 years ago
status-firefox23: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated • 10 years ago
Group: core-security
status-b2g18: --- → unaffected