Closed
Bug 897202
Opened 11 years ago
Closed 11 years ago
Crash [@ ToPrimitive] or [@ js::ToNumberSlow] or Assertion failure: v.isObject(), at jsnum.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
| Tracking | Status | |
|---|---|---|
| firefox22 | --- | unaffected |
| firefox23 | + | fixed |
| firefox24 | + | fixed |
| firefox25 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(5 keywords, Whiteboard: [adv-main23-] [jsbugmon:update,ignore])
Crash Data
Attachments
(2 files)
|
3.61 KB,
text/plain
|
Details | |
|
974 bytes,
patch
|
luke
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
x = ArrayBuffer(16)
y = Float32Array(x)
Int32Array(x)[0] = -3
x.valueOf = (function() {
y[0] / x
});
+ x
asserts js (deterministic threadsafe 32-bit) debug shell on m-c changeset 7b2c82ae98db with --ion-eager at Assertion failure: v.isObject(), at jsnum.cpp and crashes js opt shell at ToPrimitive with js::ToNumberSlow on the stack.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/0670cdaf7e9c
user: Brian Hackett
date: Thu Jul 11 15:08:26 2013 -0600
summary: Bug 891400 - Improve pattern matching on static typed array accesses, r=jandem.
Setting s-s because weird memory address 0xa0000000 seems to be being accessed.
Flags: needinfo?(bhackett1024)
|
Reporter | |
Comment 1•11 years ago
|
||
I could reproduce on a Mac 32-bit threadsafe deterministic js shell on m-c tip rev b717a7945dfb.
OS: Linux → All
|
Assignee | |
Comment 2•11 years ago
|
||
This is actually a regression from bug 864214. When reading from static float/double typed arrays no double canonicalization was occurring --- asm.js canonicalizes doubles when passing into or out of asm.js code, but normal js always needs to do this canonicalization.
Assignee: general → bhackett1024
Attachment #781872 -
Flags: review?(luke)
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 3•11 years ago
|
||
Comment on attachment 781872 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
With some difficulty, though this would be possible given knowledge of the need for double canonicalization in the js engine.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
aurora/beta
If not all supported branches, which bug introduced the flaw?
bug 864214
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
trivial
How likely is this patch to cause regressions; how much testing does it need?
none
Attachment #781872 -
Flags: sec-approval?
|
|
Assignee | |
Comment 4•11 years ago
|
||
Comment on attachment 781872 [details] [diff] [review]
patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 864214
User impact if declined: security hole
Testing completed (on m-c, etc.): not on branches yet
Risk to taking this patch (and alternatives if risky): none
Attachment #781872 -
Flags: approval-mozilla-beta?
Attachment #781872 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•11 years ago
|
Attachment #781872 -
Flags: review?(luke) → review+
|
|
Reporter | |
Updated•11 years ago
|
|
||
Comment 5•11 years ago
|
||
Can you suggest a security rating here? Either way, I think we should take this. The patch is miniscule.
status-firefox22:
--- → unaffected
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
tracking-firefox23:
--- → ?
tracking-firefox24:
--- → ?
tracking-firefox25:
--- → +
|
|
Assignee | |
Comment 6•11 years ago
|
||
I think this is critical, NaN forging can lead to reads or writes at easily controlled addresses.
Keywords: sec-critical
|
||
Comment 7•11 years ago
|
||
Final FF23 beta going to build tomorrow so if you are comfortable with sec-approval here, please also approve to branches so this gets landed asap.
|
|
||
Comment 8•11 years ago
|
||
Comment on attachment 781872 [details] [diff] [review]
patch
sec-approval+.
Attachment #781872 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 9•11 years ago
|
||
Comment on attachment 781872 [details] [diff] [review]
patch
I approved for branches as well. Let's get this in.
Attachment #781872 -
Flags: approval-mozilla-beta?
Attachment #781872 -
Flags: approval-mozilla-beta+
Attachment #781872 -
Flags: approval-mozilla-aurora?
Attachment #781872 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 10•11 years ago
|
||
|
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]
|
||
Updated•11 years ago
|
Crash Signature: [@ ToPrimitive]
[@ js::ToNumberSlow] → [@ ToPrimitive]
[@ js::ToNumberSlow]
Whiteboard: [jsbugmon:update][adv-main23-] → [adv-main23-] [jsbugmon:update,ignore]
|
|
||
Comment 11•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 129ce98f4cb2).
|
||
Comment 12•11 years ago
|
||
Status: NEW → RESOLVED
Crash Signature: [@ ToPrimitive]
[@ js::ToNumberSlow] → [@ ToPrimitive]
[@ js::ToNumberSlow]
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
|
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ ToPrimitive]
[@ js::ToNumberSlow] → [@ ToPrimitive]
[@ js::ToNumberSlow]
|
|
||
Comment 13•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•11 years ago
|
Crash Signature: [@ ToPrimitive]
[@ js::ToNumberSlow] → [@ ToPrimitive]
[@ js::ToNumberSlow]
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•