Crash [@ JSObject::setLastProperty] with use-after-free

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 24 days ago

People: Reporter: decoder, Assigned: jandem

Tracking: Blocks 1 bug, 4 keywords
Version: Trunk
Platform: x86 Linux
Keywords: crash, csectype-uaf, sec-critical, testcase
Points: ---

Firefox Tracking Flags: firefox23 unaffected, firefox24 ?, firefox25 ?, firefox-esr17 unaffected, b2g18 unaffected

Whiteboard: [jsbugmon:update,bisectfix], crash signature

Attachments: 1 attachment

Description (Reporter, 5 years ago)
The following testcase crashes on mozilla-central revision cea75ce9a559 (no options required):

// SpiderMonkey JS shell testcase. gczeal(level, period) puts the GC into zeal
// mode 8 with a period of 1, i.e. a collection is triggered on every allocation;
// evaluate() compiles and runs the source string in the current global.
gczeal(8, 1)
// MyObject uses a default parameter that captures `this`, a rest parameter, and
// SpiderMonkey's non-standard expression-closure body (no braces). The function
// declaration is hoisted, so `new MyObject()` runs before the declaration line.
evaluate("\
  var o = new MyObject();\
  function MyObject( y = this, ... x) this.value = 2;\
");
Comment 1 (Reporter, 5 years ago)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
JSObject::setLastProperty (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, shape=0x7ffff624c088) at js/src/jsobj.cpp:2415
2415        JS_ASSERT(!obj->inDictionaryMode());
#0  JSObject::setLastProperty (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, shape=0x7ffff624c088) at js/src/jsobj.cpp:2415
#1  0x000000000053b2bf in JSObject::getChildProperty (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, parent=..., child=...) at js/src/vm/Shape.cpp:354
#2  0x0000000000540e51 in JSObject::addPropertyInternal (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, id=$jsid("value"), getter=0, setter=0, slot=16777215, attrs=1, flags=0, shortid=0, spp=0x0, allowDictionary=true) at js/src/vm/Shape.cpp:536
#3  0x0000000000541d19 in JSObject::putProperty (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, id=$jsid("value"), getter=0, setter=0, slot=16777215, attrs=1, flags=0, shortid=0) at js/src/vm/Shape.cpp:617
#4  0x0000000000684915 in DefinePropertyOrElement (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, id=$jsid("value"), getter=0x58c340 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, setter=0x58c350 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>)>, attrs=1, flags=0, shortid=0, value=$jsval(2), callSetterAfterwards=true, setterIsStrict=false) at js/src/jsobj.cpp:3365
#5  0x00000000006866ab in js::baseops::SetPropertyHelper (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, receiver=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, id=$jsid("value"), defineHow=<optimized out>, vp=$jsval(2), strict=0) at js/src/jsobj.cpp:4426
#6  0x00000000004874d6 in SetPropertyOperation (cx=0x188a1e0, script=0x7ffff62512b8, pc=<optimized out>, lval=..., rval=$jsval(2)) at js/src/vm/Interpreter.cpp:354
#7  0x000000000048cd31 in Interpret (cx=0x188a1e0, state=...) at js/src/vm/Interpreter.cpp:2178
rax     0xdadadada      -2676586395008836902
=> 0x69042d <JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)+45>:  testb  $0x2,0x15(%rax)
Marking s-s and sec-critical due to use-after-free. Please downgrade if this really cannot be exploited :)
Keywords: csec-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
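The reason the reporter can call this a use-after-free from the trace alone is the pointer value gdb could not dereference: 0xdadadadadadadada is not an address but a single byte repeated, and 0xDA is JS_FREE_PATTERN, the byte debug builds of SpiderMonkey write over swept GC cells (mozjemalloc poisons freed heap blocks with 0xE5 the same way). The following triage helper is an added example, not code from the bug report or from the Mozilla tree: it parses gdb frames of the shape posted above, pulls out every argument gdb failed to read, and checks those values and the first register line against the two poison bytes. The frame and register formats assumed are gdb's defaults; the sample trace is constructed from three of the frames in comment 1.

```javascript
// Added triage helper for gdb backtraces of the kind posted in comment 1.
// Not part of the bug report or of the Mozilla source tree.

// Fill bytes that mark freed memory in debug builds:
//   0xda  JS_FREE_PATTERN: SpiderMonkey poisons swept GC cells with it
//   0xe5  mozjemalloc's poison for freed heap blocks
const POISON_BYTES = {
  da: "JS_FREE_PATTERN (freed SpiderMonkey GC cell)",
  e5: "mozjemalloc free poison (freed heap block)",
};

// Constructed sample: frames #0, #1 and #7 plus the register line from comment 1.
const SAMPLE_TRACE = `
#0  JSObject::setLastProperty (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, shape=0x7ffff624c088) at js/src/jsobj.cpp:2415
#1  0x000000000053b2bf in JSObject::getChildProperty (cx=0x188a1e0, obj=(JSObject * const) 0x7ffff625c580 Cannot access memory at address 0xdadadadadadadada, parent=..., child=...) at js/src/vm/Shape.cpp:354
#7  0x000000000048cd31 in Interpret (cx=0x188a1e0, state=...) at js/src/vm/Interpreter.cpp:2178
rax     0xdadadada      -2676586395008836902
`;

// A pointer made of one repeated byte is almost never a valid address; if that
// byte is a known poison fill, the value was read out of freed memory.
function classifyPointer(hex) {
  const digits = hex.replace(/^0x/i, "").toLowerCase();
  if (digits.length < 8 || digits.length % 2 !== 0) return null;
  const byte = digits.slice(0, 2);
  if (digits !== byte.repeat(digits.length / 2)) return null;
  return POISON_BYTES[byte] ? { byte, meaning: POISON_BYTES[byte] } : null;
}

// Parse gdb "#N  [0xADDR in ]function (args) at file:line" frames and collect
// every argument gdb reported as "Cannot access memory at address ...".
function parseFrames(trace) {
  const frameRe = /^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \((.*)\) at (\S+):(\d+)$/;
  const badArgRe = /(\w+)=(?:\([^)]*\)\s*)?(0x[0-9a-f]+) Cannot access memory at address (0x[0-9a-f]+)/g;
  const frames = [];
  for (const line of trace.split("\n")) {
    const m = frameRe.exec(line.trim());
    if (!m) continue;
    const unreadable = [];
    for (const a of m[3].matchAll(badArgRe)) {
      // a[2] is the handle gdb printed, a[3] the pointer it could not follow
      unreadable.push({ name: a[1], handle: a[2], target: a[3] });
    }
    frames.push({ index: Number(m[1]), fn: m[2], file: m[4], line: Number(m[5]), unreadable });
  }
  return frames;
}

// Verdict for a whole trace: which frames touched a poisoned pointer, and
// whether the first register line (if any) holds a poison pattern as well.
function triage(trace) {
  const frames = parseFrames(trace);
  const hits = [];
  for (const f of frames) {
    for (const u of f.unreadable) {
      const p = classifyPointer(u.target);
      if (p) hits.push({ frame: f.index, fn: f.fn, arg: u.name, target: u.target, ...p });
    }
  }
  const reg = /^(\w+)\s+(0x[0-9a-f]+)/m.exec(trace);
  const regPoison = reg ? classifyPointer(reg[2]) : null;
  return {
    frames: frames.length,
    hits,
    register: reg ? { name: reg[1], value: reg[2], poison: regPoison } : null,
    likelyUaf: hits.length > 0 || regPoison !== null,
  };
}

console.log(JSON.stringify(triage(SAMPLE_TRACE), null, 2));
```

Run with `node triage.js` (any filename); for the sample it reports two frames whose `obj` argument resolves to the JS_FREE_PATTERN byte and a register holding the same pattern, which is the shape of a freed GC cell still being used. A value that repeats a byte outside the table (or a pointer into a mapped but wrong object) is not flagged, so a null result only means the crash is not a textbook poisoned-pointer UAF, not that it is safe.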
Comment 2 (Reporter, 5 years ago)
Created attachment 766334 [details]
[crash-signature] Machine-readable crash signature
Updated (Reporter, 5 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 3 (Reporter, 5 years ago)
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated (Reporter, 5 years ago)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 4 (Assignee, 5 years ago)
I can't reproduce this, but it looks like this is a regression from bug 881902. The follow-up patch I landed on inbound should fix this - unfortunately it didn't end up in the same m-c merge but it should be in the next one.
Updated (Assignee, 5 years ago)
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisectfix]
Assignee: general → jdemooij
Comment 5 (Assignee, 5 years ago)
Christian, is this crash gone now? Pretty sure bug 881902's follow-up patch fixed this (see comment 4).
Updated (Assignee, 5 years ago)
Flags: needinfo?(choller)
status-b2g18: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → ?
status-firefox25: --- → ?
status-firefox-esr17: --- → unaffected
Comment 6 (Reporter, 5 years ago)
Doesn't seem to crash for me anymore on a more recent shell and I haven't seen it occurring in the fuzzer either. Marking as WFM.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME

Updated (2 years ago)
Group: core-security → core-security-release
Group: core-security-release