Closed Bug 949198 Opened 7 years ago Closed 7 years ago

ASan use-after-free [@ JSContext::runtime()] with TypedObject

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 953111
Tracking Status
firefox27 --- disabled
firefox28 --- disabled
firefox29 --- affected
firefox-esr24 --- disabled
b2g18 --- disabled

People

(Reporter: decoder, Assigned: nmatsakis)

Details

(Keywords: csectype-bounds, sec-critical, testcase, Whiteboard: [asan])

Attachments

(1 file)

The following testcase shows use-after-free on mozilla-central revision 3ea3d3baa67b (run with --fuzzing-safe --ion-eager --ion-compile-try-catch --ion-eager):


var N = (0);
var T = TypedObject;
var Point = new T.StructType({x: T.uint32, y: T.uint32, z: T.uint32});
var PointArray = Point.array();
var array = new PointArray(N);

Invalid write outside a heap allocation:

==13356==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf61020fb at pc 0x8205002 bp 0xff90b938 sp 0xff90b930
WRITE of size 12 at 0xf61020fb thread T0
    #0 0x8205001 in JSContext::runtime() const ../builtin/TypeRepresentation.cpp:943
    #1 0x8205001 in js::TypedObject::createZeroed(JSContext*, JS::Handle<JSObject*>, int) ../builtin/TypedObject.cpp:2561
    #2 0x81fbff2 in js::TypedObject::construct(JSContext*, unsigned int, JS::Value*) ../builtin/TypedObject.cpp:2607
    #3 0x8e1638e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ../jscntxtinlines.h:220
    #4 0x8e1638e in js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ../jscntxtinlines.h:253
    #5 0x8e1638e in js::InvokeConstructor(JSContext*, JS::CallArgs) ../vm/Interpreter.cpp:553
    #6 0x8e16c50 in js::InvokeConstructor(JSContext*, JS::Value, unsigned int, JS::Value*, JS::Value*) ../vm/Interpreter.cpp:567
    #7 0x849e2d0 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ../jit/BaselineIC.cpp:8076
    #8 0xf6222e1c (+0x14e1c)
0xf61020fb is located 10 bytes to the right of 1-byte region [0xf61020f0,0xf61020f1)
allocated by thread T0 here:
    #0 0x8100de0 in malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x8a74129 in js_malloc(unsigned int) dist/include/js/Utility.h:144
    #2 0x8a74129 in js::MallocProvider<js::ThreadSafeContext>::malloc_(unsigned int) ../vm/Runtime.h:605
    #3 0x8a74129 in JS_malloc(JSContext*, unsigned int) ../jsapi.cpp:1502
SUMMARY: AddressSanitizer: heap-buffer-overflow ../builtin/TypeRepresentation.cpp:943 JSContext::runtime() const
Shadow bytes around the buggy address:
==13356==ABORTING
Aborted
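
A small triage helper, added here and not part of this bug or of Mozilla's own tooling, that parses the report above: it extracts the error kind, the access, the faulting stack and the address's distance from the allocation, and records the bug class by what ASan flagged (a 12-byte write 10 bytes past a 1-byte allocation, i.e. an out-of-bounds heap write) rather than by the bug title. The report excerpt is constructed from the lines quoted above; the regexes target ASan's standard report format.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in this bug,
# trimmed to the lines the triage logic below reads.
SAMPLE_REPORT = """\
==13356==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf61020fb at pc 0x8205002 bp 0xff90b938 sp 0xff90b930
WRITE of size 12 at 0xf61020fb thread T0
    #0 0x8205001 in JSContext::runtime() const ../builtin/TypeRepresentation.cpp:943
    #1 0x8205001 in js::TypedObject::createZeroed(JSContext*, JS::Handle<JSObject*>, int) ../builtin/TypedObject.cpp:2561
0xf61020fb is located 10 bytes to the right of 1-byte region [0xf61020f0,0xf61020f1)
allocated by thread T0 here:
    #0 0x8100de0 in malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread T\d+", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes (?P<side>to the left of|to the right of|inside of) \d+-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+:\d+)$", re.M)


def parse_asan_report(text):
    """Extract the facts a triager records from one ASan access report."""
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc):
        raise ValueError("not an AddressSanitizer access report")
    # Frames before "allocated by" are the faulting stack; the rest is the allocation site.
    fault_stack = text.split("allocated by", 1)[0]
    info = {
        "kind": err.group("kind"),
        "address": int(err.group("addr"), 16),
        "op": acc.group("op"),
        "size": int(acc.group("size")),
        "frames": [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(fault_stack)],
    }
    if reg:
        lo, hi = int(reg.group("lo"), 16), int(reg.group("hi"), 16)
        # Recompute the distance from the region end so a mangled report is caught, not trusted.
        if reg.group("side") == "to the right of" and info["address"] - hi != int(reg.group("dist")):
            raise ValueError("ASan distance text disagrees with region bounds")
        info["region_size"] = hi - lo
        info["offset_past_end"] = info["address"] - hi  # positive: access starts beyond the allocation
    return info


def classify(info):
    """Map the ASan error kind and access type to the bug class to record in triage."""
    if info["kind"] == "heap-use-after-free":
        return "use-after-free"
    if info["kind"] == "heap-buffer-overflow":
        return "out-of-bounds heap " + ("write" if info["op"] == "WRITE" else "read")
    return info["kind"]
```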


Assuming sec-critical.
Assignee: general → nmatsakis
Whiteboard: [asan]
I suspect this is a dup of bug 953111.
Can you or decoder please confirm that this is a dupe? Thanks!
Flags: needinfo?(nmatsakis)
Confirmed that this doesn't reproduce anymore now (although it did yesterday), so I assume it's due to the landing of bug 953111.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → DUPLICATE
Duplicate of bug: 953111
Group: core-security → core-security-release
Group: core-security-release