Closed Bug 889808 Opened 11 years ago Closed 11 years ago

Crash on heap with ParallelArray and jump to invalid memory

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 888470

People

(Reporter: decoder, Unassigned)


The following testcase crashes on mozilla-central revision 4ffb23062b3b (threadsafe build, run with --fuzzing-safe --ion-eager):


gczeal(2);
(function(m) {
  return new ParallelArray([256], function(i) {
    return { valueOf: function() {}, y: i + ('captures: ') };
  }, m);
})("seq");

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0xf729c014 in ?? ()
(gdb) bt
#0  0xf729c014 in ?? ()
#1  0xf65304e0 in ?? ()
#2  0x00000004 in ?? ()
#3  0x07ffffff in ?? ()
#4  0x00000040 in ?? ()
#5  0x00000000 in ?? ()
(gdb) x /i $pc
=> 0xf729c014:  jmp    *0x4(%edi)
(gdb) info reg edi
edi            0x320033 3276851

From the pointer I assume that this could be a controllable jump, leading to code execution. Marking sec-critical.
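A small triage helper, added here and not part of the bug report, that parses the gdb session above and makes the reporter's assessment mechanical: frame #0 with no symbol (JIT-emitted code), control flow through memory addressed by a register, and a register value that decodes as text rather than a pointer (0x320033 reads as the UTF-16 units '3' and '2'). The log is embedded as a constructed sample; the text heuristic is an assumption of this example, not something the report states.

```python
import re

# Constructed sample input: the gdb session quoted in this bug, embedded so the
# script runs offline. The lines are copied from the report above.
GDB_LOG = """\
Program received signal SIGSEGV, Segmentation fault.
0xf729c014 in ?? ()
(gdb) bt
#0  0xf729c014 in ?? ()
#1  0xf65304e0 in ?? ()
(gdb) x /i $pc
=> 0xf729c014:  jmp    *0x4(%edi)
(gdb) info reg edi
edi            0x320033 3276851
"""

# "=> 0xADDR:  jmp    *0x4(%edi)" -> pc, mnemonic, displacement, base register
INDIRECT = re.compile(
    r"=> 0x([0-9a-f]+):\s+(jmp|call)\s+\*(?:(-?0x[0-9a-f]+))?\(%(\w+)\)")
# "edi            0x320033 3276851" -> register name and hex value
REG_VALUE = re.compile(r"^(\w+)\s+0x([0-9a-f]+)\s+\d+$", re.M)
UNSYMBOLIZED = re.compile(r"^#0\s+0x[0-9a-f]+ in \?\? \(\)", re.M)

def looks_like_utf16_text(value, width=32):
    """Heuristic (assumption of this example): True if every 16-bit unit of
    `value` is a printable ASCII code point, i.e. it reads as string data."""
    units = [(value >> s) & 0xFFFF for s in range(0, width, 16)]
    return all(0x20 <= u < 0x7F for u in units)

def triage(log):
    """Parse a gdb crash log; describe an indirect jump/call through memory."""
    m = INDIRECT.search(log)
    if m is None:
        return None
    pc, mnemonic, disp, reg = m.groups()
    regs = {name: int(val, 16) for name, val in REG_VALUE.findall(log)}
    base = regs.get(reg)
    return {
        "pc": int(pc, 16),
        "instruction": f"{mnemonic} *{disp or '0x0'}(%{reg})",
        "base_register": reg,
        "base_value": base,
        # Frame #0 without a symbol suggests the crash is inside JIT-emitted code.
        "in_jit_code": bool(UNSYMBOLIZED.search(log)),
        # Jump target loaded relative to a register holding text-like bytes:
        # the target is data-influenced, which is why such crashes rate sec-critical.
        "base_looks_like_text": base is not None and looks_like_utf16_text(base),
    }

if __name__ == "__main__":
    print(triage(GDB_LOG))
```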
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release