Crash [@ compartment] with use-after-free or Opt-Crash [@ MarkInternal<JSObject>]

VERIFIED FIXED in Firefox 31, Firefox OS v2.0

Status

Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 2 years ago

People

Reporter: decoder
Assigned: nmatsakis

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla31
Platform: x86_64 Linux
Keywords: crash, csectype-uaf, sec-critical, testcase
Points: ---

Firefox Tracking Flags

firefox29 disabled, firefox30+ disabled, firefox31+ verified, firefox-esr24 unaffected, b2g-v1.3 unaffected, b2g-v1.4 disabled, b2g-v2.0 fixed

Details

Whiteboard: [jsbugmon:origRev=6de7f6039a68,testComment=8]
Crash Signature: [@ compartment] [@ MarkInternal<JSObject>]

Attachments

1 attachment

(Reporter)

Description

5 years ago
The following testcase crashes on mozilla-central revision 1e9f169c9715 (run with --fuzzing-safe):


// gczeal(mode, period): force aggressive GC (zeal mode 9, a GC every 2 allocations)
gczeal(9, 2);
function toString() {
  TypedObject.uint32.array(3);
}
// valueOf is undefined, so 5 + o falls back to toString() on every iteration
var o = {valueOf: undefined, toString: toString};
for (var i = 0; i < 100; i++)
  var q = 5 + o;
(Reporter)

Comment 1

5 years ago
Created attachment 8371971 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

5 years ago
Debug crash trace:

Program received signal SIGSEGV, Segmentation fault.
compartment (this=<optimized out>) at js/src/frontend/NameFunctions.cpp:358
358     }
#0  compartment (this=<optimized out>) at js/src/frontend/NameFunctions.cpp:358
#1  IsObjectValueInCompartment (comp=<optimized out>, v=...) at js/src/vm/ObjectImpl.h:1641
#2  js::ObjectImpl::initSlot (this=0x7ffff615d0c0, slot=0, value=...) at js/src/vm/ObjectImpl.h:1367
#3  0x00000000004dfad8 in initReservedSlot (v=..., index=0, this=<optimized out>) at js/src/jsobj.h:445
#4  js::ArrayMetaTypeDescr::create<js::SizedArrayTypeDescr> (cx=0x1831f70, arrayTypePrototype=..., arrayTypeReprObj=..., elementType=...) at js/src/builtin/TypedObject.cpp:550
#5  0x00000000004c2b51 in js::UnsizedArrayTypeDescr::dimension (cx=0x1831f70, argc=<optimized out>, vp=0x182e318) at js/src/builtin/TypedObject.cpp:669
#6  0x00000000009210a1 in js::CallJSNative (cx=0x1831f70, native=0x4c2870 <js::UnsizedArrayTypeDescr::dimension(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:220
#7  0x000000000090e30d in js::Invoke (cx=0x1831f70, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:466
rax     0xdadadada      -2676586395008836902
rip     0x4db271 <js::ObjectImpl::initSlot(unsigned int, JS::Value const&)+257>
=> 0x4db271 <js::ObjectImpl::initSlot(unsigned int, JS::Value const&)+257>:     mov    (%rax),%rax


Marked s-s due to use-after-free.
Crash Signature: [@ compartment] with use-after-free or Opt-Crash [@ MarkInternal<JSObject>] → [@ compartment] [@ MarkInternal<JSObject>]
Keywords: csectype-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Comment 3

5 years ago
I'm still seeing this on tip, needinfo from :nmatsakis because this is related to TypedObject.
(Reporter)

Updated

5 years ago
Flags: needinfo?(nmatsakis)
(Assignee)

Updated

5 years ago
Assignee: nobody → nmatsakis
Flags: needinfo?(nmatsakis)
status-firefox30: --- → affected
tracking-firefox30: --- → +
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
(Reporter)

Comment 4

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 18e7634d4094).
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
(Assignee)

Comment 5

5 years ago
So far I've only succeeded in reducing the test case to:

gczeal(9, 2);
function toString() {
  TypedObject.uint32.array(3);
}
for (var i = 0; i < 100; i++)
  toString();

Removing any part of this, including the intermediate function toString(), seems to remove the crash.
status-b2g-v1.4: --- → disabled
status-firefox29: --- → disabled
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 6

5 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/22d628a02331
user:        Nicholas D. Matsakis
date:        Thu Jan 30 15:21:02 2014 -0500
summary:     Bug 966575 part 9 -- Remove unused type object r=sfink

This iteration took 351.294 seconds to run.
(Assignee)

Comment 7

5 years ago
I was investigating this more. Clearly this is a bug with the weak pointer support for type representations. I can dig more into this, however I'm inclined not to, because this bug is also fixed by the patches currently under review for bug 966575.
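The failure mode named in comment 7 (a weak pointer to a type representation that outlives the thing it points at) and the 0xdadadada value in the rax register of comment 2, as an added illustration written for this page. It is not SpiderMonkey code and not part of bug 966575: a toy mark-sweep heap with a weak lookup table, a buggy sweep that frees and poisons dead cells but never clears their weak entries, and a fixed sweep that nulls those entries first. The heap, the cell layout, the key `7`, the tag `0x31` and the assumption that a 0xDA fill is what produced the `0xdadadada` register value are all hypothetical choices made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_CELLS 8
#define WEAK_SLOTS 8
/* Assumed to mirror the byte fill behind rax=0xdadadada in the crash trace. */
#define FREE_POISON 0xDA

/* A GC cell standing in for a TypedObject "type representation". Only the
 * payload lives in the cell; allocator bookkeeping is kept outside so the
 * poison fill behaves like a real free. */
typedef struct Cell { uint32_t tag; } Cell;

typedef struct WeakEntry {
    uint32_t key;   /* lookup key, e.g. a hash of the type description */
    Cell *cell;     /* weak: must not keep the cell alive */
} WeakEntry;

typedef struct Heap {
    Cell cells[HEAP_CELLS];
    int allocated[HEAP_CELLS];
    int marked[HEAP_CELLS];
    WeakEntry weak[WEAK_SLOTS];
    size_t nweak;
} Heap;

static void heap_init(Heap *h) { memset(h, 0, sizeof *h); }

static int cell_index(const Heap *h, const Cell *c) { return (int)(c - h->cells); }

static Cell *alloc_cell(Heap *h, uint32_t tag) {
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (!h->allocated[i]) {
            h->allocated[i] = 1;
            h->marked[i] = 0;
            h->cells[i].tag = tag;
            return &h->cells[i];
        }
    }
    return NULL;
}

static void mark_cell(Heap *h, Cell *c) { h->marked[cell_index(h, c)] = 1; }

static int add_weak(Heap *h, uint32_t key, Cell *c) {
    if (h->nweak == WEAK_SLOTS) return -1;
    h->weak[h->nweak].key = key;
    h->weak[h->nweak].cell = c;
    h->nweak++;
    return 0;
}

static Cell *lookup_weak(const Heap *h, uint32_t key) {
    for (size_t i = 0; i < h->nweak; i++)
        if (h->weak[i].key == key) return h->weak[i].cell;
    return NULL;
}

/* Sweep phase. With clear_weak == 0 this is the buggy shape: dead cells are
 * freed and poisoned while the weak table still points at them. With
 * clear_weak == 1 weak entries of unmarked cells are nulled before the free,
 * which is what a weak-pointer sweep has to do. */
static void sweep(Heap *h, int clear_weak) {
    if (clear_weak) {
        for (size_t i = 0; i < h->nweak; i++) {
            Cell *c = h->weak[i].cell;
            if (c && !h->marked[cell_index(h, c)]) h->weak[i].cell = NULL;
        }
    }
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (h->allocated[i] && !h->marked[i]) {
            memset(&h->cells[i], FREE_POISON, sizeof h->cells[i]);
            h->allocated[i] = 0;
        }
        h->marked[i] = 0;   /* mark bits are reset for the next cycle */
    }
}

/* What the crashing code did: take the weak pointer and dereference it.
 * Returns 0 when the entry has been cleared. */
static uint32_t read_tag_via_weak(const Heap *h, uint32_t key) {
    const Cell *c = lookup_weak(h, key);
    return c ? c->tag : 0;
}

/* The invariant the sweep must keep: a non-null weak entry whose referent
 * is no longer allocated is dangling. */
static int weak_is_dangling(const Heap *h, uint32_t key) {
    const Cell *c = lookup_weak(h, key);
    return c != NULL && !h->allocated[cell_index(h, c)];
}

/* One allocate -> (maybe mark) -> sweep cycle on a fresh heap. */
static void run_cycle(Heap *h, int keep_alive, int clear_weak) {
    heap_init(h);
    Cell *c = alloc_cell(h, 0x31u);
    add_weak(h, 7u, c);
    if (keep_alive) mark_cell(h, c);
    sweep(h, clear_weak);
}

static uint32_t cycle_tag(int keep_alive, int clear_weak) {
    Heap h; run_cycle(&h, keep_alive, clear_weak); return read_tag_via_weak(&h, 7u);
}

static int cycle_dangling(int keep_alive, int clear_weak) {
    Heap h; run_cycle(&h, keep_alive, clear_weak); return weak_is_dangling(&h, 7u);
}

int main(void) {
    printf("live cell, buggy sweep: tag=0x%08x\n", cycle_tag(1, 0));
    printf("dead cell, buggy sweep: tag=0x%08x (poison read through stale weak pointer)\n", cycle_tag(0, 0));
    printf("dead cell, fixed sweep: tag=0x%08x (entry cleared, dangling=%d)\n", cycle_tag(0, 1), cycle_dangling(0, 1));
    return 0;
}
```

The poison fill is what makes this class of bug visible in a debug build: the stale weak pointer reads back `0xdadadada` instead of a tag, which is exactly the `mov (%rax),%rax` fault on a poisoned `rax` in comment 2. In an optimized build without the fill the same dereference reads whatever now occupies the freed cell, which is why the opt signature lands in `MarkInternal<JSObject>` instead. The `weak_is_dangling` check is the assertion a sweep should be able to make after every cycle.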
(Assignee)

Updated

5 years ago
Depends on: 966575
status-b2g-v1.3: --- → unaffected
status-firefox-esr24: --- → unaffected
(Reporter)

Comment 8

5 years ago
Here's a test that still reproduces on tip (Revision 6de7f6039a68):


// gczeal(mode, period): zeal mode 8 with a GC every allocation
gczeal(8, 1);
try {
  function TestCase( ... a )  {}
  for (var i = 0; i < 2; ++i)
    TypedObject.uint32.array(3);
} catch(exc1) {}
Whiteboard: [jsbugmon:] → [jsbugmon:update,origRev=6de7f6039a68,testComment=8]
Group: javascript-core-security

Comment 9

Hi Niko, have all the bug 966575 patches landed? I'm guessing not based on comment 7 + comment 8.
Flags: needinfo?(nmatsakis)
(Assignee)

Comment 10

5 years ago
The remaining two patches have not landed due to a lingering ASAN failure I observe on try but haven't been able to reproduce locally. I really want to land them since I have other patches gated on them as well, so I will try to prioritize diagnosing that problem next week. I need to find an appropriate machine to run the tests on.
Flags: needinfo?(nmatsakis)
(Assignee)

Comment 11

5 years ago
Update: I've resolved the failure that was blocking bug 966575, but waiting on review.
status-firefox31: --- → affected
tracking-firefox31: --- → +
status-firefox30: affected → disabled
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,origRev=6de7f6039a68,testComment=8] → [jsbugmon:update,origRev=6de7f6039a68,testComment=8,ignore]
(Reporter)

Comment 12

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5b6e82e7bbbf).
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,origRev=6de7f6039a68,testComment=8,ignore] → [jsbugmon:origRev=6de7f6039a68,testComment=8,bisectfix]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:origRev=6de7f6039a68,testComment=8,bisectfix] → [jsbugmon:origRev=6de7f6039a68,testComment=8]
(Reporter)

Comment 13

5 years ago
JSBugMon: Fix Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20140401044332" and the hash "5641d9a1653f".
The "good" changeset has the timestamp "20140401052932" and the hash "e06713a76a41".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5641d9a1653f&tochange=e06713a76a41
(Reporter)

Comment 14

5 years ago
Fixed by bug 966575 :)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 15

5 years ago
JSBugMon: This bug has been automatically verified fixed.
status-b2g-v2.0: --- → fixed
status-firefox31: affected → fixed
Target Milestone: --- → mozilla31
Group: javascript-core-security
status-firefox31: fixed → verified

Updated

3 years ago
Group: core-security → core-security-release