Crash [@ js::jit::AssertValidStringPtr] or Opt-Crash [@ js::EqualStrings]

VERIFIED FIXED in Firefox 27, Firefox OS v1.3

Status

Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 4 years ago
Modified: 3 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla29
Platform: x86_64 Linux
Keywords: crash, regression, sec-high, testcase
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox26 unaffected, firefox27+ fixed, firefox28+ fixed, firefox29+ fixed, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 unaffected, b2g-v1.3 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision b980c2dee2e7 (run with --fuzzing-safe --ion-eager):


var GLOBAL = this + '';
function TestCase(n, d, e, a) {
  this.passed = getTestCaseResult(e, a);
}
TestCase.prototype.dump = function () {}
function getTestCaseResult(expected, actual) {
    return actual == expected;
}
function writeHeaderToLog( string ) {}
evaluate('\
var SECTION = "proto_8";\
writeHeaderToLog(SECTION);\
function Employee ( name, dept ) {\
  this.dept = "general";\
}\
function WorkerBee ( name, dept, projs ) {\
  this.base = Employee;\
}\
WorkerBee.prototype = new Employee();\
function Engineer ( name, projs, machine ) {\
  this.base = WorkerBee;\
  this.base(projs)\
}\
Engineer.prototype = new WorkerBee();\
var pat = new Engineer();\
for ( var machine in 6) base(projs, [17, 42]);\
new TestCase( SECTION, "pat.dept", "engineering", pat.dept);\
', { noScriptRval : true });
(Reporter)

Comment 1

4 years ago
Created attachment 8349153 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Updated

4 years ago
Crash Signature: [@ js::jit::AssertValidStringPtr] or Opt-Crash [@ js::EqualStrings] → [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings]
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
Crash Signature: [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings] → [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/81b505e9a435
user:        Brian Hackett
date:        Thu Oct 17 10:21:05 2013 -0600
summary:     Bug 925962 - Track expected contents of stack type sets in compiler constraints, r=jandem.

This iteration took 366.526 seconds to run.

Updated

4 years ago
Crash Signature: [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings] → [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings]
Flags: needinfo?(bhackett1024)
(Assignee)

Comment 3

4 years ago
Created attachment 8350355 [details] [diff] [review]
patch

The definite properties analysis relies on the stack type sets in a script reflecting types which IonBuilder assumed were there, so that the definite properties information is invalidated properly when the information changes (the analysis looks for type sets containing singleton functions inlined by the builder).  Since bug 925962, however, the type sets are not updated until FinishCompilation, which is never called by the definite properties analysis, and the necessary constraints aren't added.
Assignee: nobody → bhackett1024
Attachment #8350355 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
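The invalidation pattern described in comment 3, as an added illustrative model in Python (not SpiderMonkey's own code; TypeSet, AnalysisResult, run_analysis and demo are hypothetical names). It shows why a cached analysis result goes stale when the constraints that would invalidate it are only attached by a finish step that the analysis path never runs.

```python
# Hypothetical model (constructed for illustration; not SpiderMonkey code) of the
# invalidation pattern in comment 3: a type set notifies its registered constraints
# when a new type is added, and a cached analysis result is only safe if a constraint
# was attached to every type set the analysis observed.

class TypeSet:
    """A set of observed types plus the constraints to notify when it grows."""
    def __init__(self, members):
        self.members = set(members)
        self.constraints = []

    def add_type(self, t):
        if t not in self.members:
            self.members.add(t)
            for constraint in list(self.constraints):
                constraint(self, t)


class AnalysisResult:
    """Cached definite-properties style information derived from type sets."""
    def __init__(self, properties):
        self.properties = properties
        self.valid = True

    def invalidate(self, _type_set, _new_type):
        self.valid = False


def run_analysis(stack_type_sets, attach_constraints_now):
    """Derive a result from observed type sets. attach_constraints_now=False models
    the bug: constraints are deferred to a finish step this path never calls, so the
    result is never invalidated when an observed set later changes."""
    # The analysis only trusts its answer while every observed set is a singleton.
    properties = ["dept"] if all(len(ts.members) == 1 for ts in stack_type_sets) else []
    result = AnalysisResult(properties)
    deferred = []
    for ts in stack_type_sets:
        if attach_constraints_now:
            ts.constraints.append(result.invalidate)
        else:
            deferred.append((ts, result.invalidate))  # never attached: finish step not run
    return result


def demo(attach_constraints_now):
    """Analyse against a singleton set, widen it, and report whether the result noticed."""
    ts = TypeSet({"Employee"})
    result = run_analysis([ts], attach_constraints_now)
    ts.add_type("WorkerBee")  # new type information contradicts the earlier assumption
    return result.valid
```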
(Assignee)

Comment 4

4 years ago
Comment on attachment 8350355 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not at all.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

Aurora -> Beta

If not all supported branches, which bug introduced the flaw?

bug 925962

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Trivial.

How likely is this patch to cause regressions; how much testing does it need?

Not at all.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 925962
User impact if declined: potential exploit
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): none
Attachment #8350355 - Flags: sec-approval?
Attachment #8350355 - Flags: approval-mozilla-beta?
Attachment #8350355 - Flags: approval-mozilla-aurora?
This needs a security rating in order to get sec-approval (and for any potential advisories). 

Is this crash exploitable? Can it be triggered by web content or just via the shell?
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → affected
status-firefox26: --- → unaffected
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox29: --- → affected
status-firefox-esr24: --- → unaffected
tracking-firefox29: --- → +
Blocks: 925962
status-b2g-v1.1hd: unaffected → ---
status-b2g-v1.3: affected → ---
tracking-firefox29: + → ---
Keywords: regression, sec-high
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.3: --- → affected
tracking-firefox27: --- → +
tracking-firefox28: --- → +
tracking-firefox29: --- → +
Comment on attachment 8350355 [details] [diff] [review]
patch

sec-approval+.
Attachment #8350355 - Flags: sec-approval?
Attachment #8350355 - Flags: sec-approval+
Attachment #8350355 - Flags: approval-mozilla-beta?
Attachment #8350355 - Flags: approval-mozilla-beta+
Attachment #8350355 - Flags: approval-mozilla-aurora?
Attachment #8350355 - Flags: approval-mozilla-aurora+
(Assignee)

Updated

4 years ago
Keywords: checkin-needed

Updated

4 years ago
Attachment #8350355 - Flags: review?(jdemooij) → review+
Is "Add type constraints at the right time" a good commit message for this?
Flags: in-testsuite?
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/5c02a8ed40ca
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox29: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
(Reporter)

Updated

4 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings] → [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings]
(Reporter)

Comment 10

4 years ago
JSBugMon: This bug has been automatically verified fixed.
Depends on: 956156
https://hg.mozilla.org/releases/mozilla-aurora/rev/9b1fc11fc883
https://hg.mozilla.org/releases/mozilla-beta/rev/fcd21692c906
Crash Signature: [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings] → [@ js::jit::AssertValidStringPtr] [@ js::EqualStrings]
status-b2g-v1.3: affected → fixed
status-firefox27: affected → fixed
status-firefox28: affected → fixed
Group: core-security