Closed Bug 893739 Opened 11 years ago Closed 11 years ago

OdinMonkey: Use-after-free [@ strlen] through [@ js::ScriptSource::setFilename]

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED DUPLICATE of bug 893684

People

(Reporter: decoder, Unassigned)

Details

(Keywords: csectype-uaf, sec-critical, testcase, Whiteboard: [asan])

Attachments

(1 file)

The following testcase shows use-after-free on mozilla-central revision 18467a85acf6 (run with --fuzzing-safe):

evaluate("function f() { 'use asm'; return {} }", { fileName : "x" });
evaluate("f(); f();", { fileName : "x" });

Short ASan trace:

==22894== ERROR: AddressSanitizer: heap-use-after-free on address 0xf7208ae8 at pc 0x80dd776 bp 0xffd998c8 sp 0xffd998b8
READ of size 1 at 0xf7208ae8 thread T0
    #0 0x80dd775 in strlen ??:0
    #1 0x876c1ee in js::ScriptSource::setFilename(JSContext*, char const*) js/src/jsscript.cpp:1462
    #2 0x93d8b9f in js::frontend::CompileFunctionBody(JSContext*, JS::MutableHandle<JSFunction*>, JS::CompileOptions, js::AutoNameVector const&, unsigned short const*, unsigned int, bool) js/src/frontend/BytecodeCompiler.cpp:412
    #3 0x884fb34 in HandleDynamicLinkFailure(JSContext*, JS::CallArgs, js::AsmJSModule&, JS::Handle<js::PropertyName*>) js/src/ion/AsmJSLink.cpp:406
    #4 0x81b7aff in JSFunction::native() const js/src/jscntxtinlines.h:225
    #5 0x81a0a74 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2503
    #6 0x818b68a in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:435
    #7 0x81ba6fe in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:619
    #8 0x81bac76 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:655
    #9 0x84998c7 in JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) js/src/jsapi.cpp:5515
    #10 0x80f9721 in Evaluate(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:1069
[...]
0xf7208ae8 is located 0 bytes inside of 2-byte region [0xf7208ae8,0xf7208aea)
freed by thread T0 here:
    #0 0x80df404 in free ??:0
    #1 0x80f9849 in js_free(void*) js/src/dist/include/js/Utility.h:169
    #2 0x81b7aff in JSFunction::native() const js/src/jscntxtinlines.h:225
    #3 0x81a0a74 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2503
[...]


Marking s-s due to use-after-free. If this cannot be triggered without evaluate+fileName, feel free to remove the security rating :)
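The trace above has the shape of a retained-borrowed-pointer bug: the shell's Evaluate passes a filename string that lives only for the duration of the call, something on the asm.js side keeps the pointer, and the later relink path (HandleDynamicLinkFailure -> CompileFunctionBody -> setFilename) dereferences it after the buffer has been freed. The C below is an added illustration of that bug class and of the fix a practitioner would expect (copy the string at the point it is retained); it is constructed for this note, uses invented names (compile_options, module_borrowed, module_owned, link_*, relink_*), and is not SpiderMonkey code. To keep the demonstration defined behaviour it reuses the caller's buffer instead of freeing it, which is enough to show the borrowed module observing memory it does not own.

```c
/* Added illustration of the bug class in this report, not SpiderMonkey's
 * code: an object that may need to re-run compilation later retains a
 * caller-owned filename pointer and reads it after the caller's buffer is
 * gone.  All names here are invented for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct compile_options {
    const char *filename;   /* borrowed: valid only for the duration of the call */
};

/* Pattern that produces the use-after-free: store the borrowed pointer. */
struct module_borrowed {
    const char *filename;
};

/* Hardened pattern: the module owns a copy of every string it keeps. */
struct module_owned {
    char *filename;         /* owned; released by module_owned_free */
};

static void link_borrowed(struct module_borrowed *m, const struct compile_options *opts)
{
    /* Dangles as soon as the caller frees or reuses its buffer. */
    m->filename = opts->filename;
}

static int link_owned(struct module_owned *m, const struct compile_options *opts)
{
    size_t n = strlen(opts->filename) + 1;
    m->filename = malloc(n);
    if (!m->filename)
        return -1;
    memcpy(m->filename, opts->filename, n);
    return 0;
}

static void module_owned_free(struct module_owned *m)
{
    free(m->filename);
    m->filename = NULL;
}

/* The later use of the stored filename: in the report this is the strlen()
 * inside setFilename when the function body is recompiled on link failure. */
static size_t relink_borrowed(const struct module_borrowed *m) { return strlen(m->filename); }
static size_t relink_owned(const struct module_owned *m) { return strlen(m->filename); }

/* Driver: the caller's buffer is reused between the first compile and the
 * relink, standing in for the free that happens between the two evaluate()
 * calls in the testcase.  Returns 1 when the borrowed module observed the
 * reused memory and the owning module did not. */
int demo_borrowed_sees_reuse(void)
{
    char buf[16] = "x";     /* constructed input, matches fileName : "x" */
    struct compile_options opts = { buf };
    struct module_borrowed mb;
    struct module_owned mo;

    link_borrowed(&mb, &opts);
    if (link_owned(&mo, &opts) != 0)
        return -1;

    strcpy(buf, "other.js");            /* caller reuses its buffer */

    int borrowed_changed = strcmp(mb.filename, "other.js") == 0;
    int owned_intact     = strcmp(mo.filename, "x") == 0;
    size_t len_borrowed  = relink_borrowed(&mb);   /* 8: reads the new contents */
    size_t len_owned     = relink_owned(&mo);      /* 1: reads its own copy */
    module_owned_free(&mo);

    return borrowed_changed && owned_intact && len_borrowed == 8 && len_owned == 1;
}

int main(void)
{
    printf("borrowed module observed reused memory, owned module did not: %d\n",
           demo_borrowed_sees_reuse());
    return 0;
}
```

Under ASan the borrowed variant with a real free() in place of the strcpy reports heap-use-after-free in strlen, which is the signature in the trace above; the owning variant never touches the caller's buffer after link time, so the lifetime of the CompileOptions string no longer matters.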
Whiteboard: [asan]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
