Closed
Bug 989700
Opened 12 years ago
Closed 1 year ago
Firefox Access Violation Crash
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED INCOMPLETE
People: Reporter: chingshiong, Unassigned
References: Blocks 1 open bug
Details: 5 keywords
Attachments (1 file): 159 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Steps to reproduce:
This bug was found through regular expression fuzzing against Firefox.
Actual results:
Firefox crashed when executing the Regular Expressions using its JavaScript engine.
Expected results:
Firefox's JavaScript engine shall perform error detection/validation on Regular Expressions.
Updated•12 years ago (Reporter)
OS: Windows 8 → Windows Phone 8
Updated•12 years ago (Reporter)
OS: Windows Phone 8 → Windows 8
Updated•12 years ago
Component: Untriaged → JavaScript Engine
Flags: sec-bounty?
Product: Firefox → Core
Comment 1•12 years ago
I can confirm the crash: bp-d2230c8a-78af-403f-85a6-4b62b2140330
This appears to be an intentional abort on overflow in the CheckedInt class
http://hg.mozilla.org/mozilla-central/annotate/c148f0b0c8b4/js/src/yarr/CheckedArithmetic.h#l80
Comment 2•12 years ago
Jason, any reason to leave this hidden?
Comment 3•12 years ago (Reporter)
Hi Dan,
Thanks for your reply.
Here is the windbg debug log:
=================================================================
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe"
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
(eec.95c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0022fa64 edx=77b170f4 esi=fffffffe edi=00000000
eip=77b705a6 esp=0022fa80 ebp=0022faac iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
77b705a6 cc int 3
0:000> g
(eec.95c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=0022da28 ecx=00000000 edx=00000000 esi=0022d8d8 edi=0022d8f8
eip=6b5b3783 esp=0022d8b4 ebp=0022d900 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox\mozjs.dll -
mozjs!icu_52::Replaceable::Replaceable+0x252:
6b5b3783 cc int 3
0:000> g
(eec.95c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0022da28 ecx=00000000 edx=00000000 esi=0022d8d8 edi=0022d8f8
eip=6b5b3786 esp=0022d8b0 ebp=0022d900 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
mozjs!icu_52::Replaceable::Replaceable+0x255:
6b5b3786 c705000000007b000000 mov dword ptr ds:[0],7Bh ds:0023:00000000=????????
0:000> g
(eec.95c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0022da28 ecx=00000000 edx=00000000 esi=0022d8d8 edi=0022d8f8
eip=6b5b3786 esp=0022d8b0 ebp=0022d900 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
mozjs!icu_52::Replaceable::Replaceable+0x255:
6b5b3786 c705000000007b000000 mov dword ptr ds:[0],7Bh ds:0023:00000000=????????
0:000> !load winext\MSEC.dll
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:6b5b3786 mov dword ptr ds:[0],7bh
Basic Block:
6b5b3786 mov dword ptr ds:[0],7bh
6b5b3790 call dword ptr [mozjs!js_hasinstance+0x8ee (6b691030)]
Exception Hash (Major/Minor): 0x6af0ef14.0xf3331fa9
Hash Usage : Stack Trace:
Major+Minor : mozjs!icu_52::Replaceable::Replaceable+0x255
Major+Minor : mozjs!js::ToNumberSlow+0x246b4
Major+Minor : mozjs!JS_ExecuteScript+0x25a
Major+Minor : mozjs!js::DirectProxyHandler::get+0x4a9
Major+Minor : mozjs!JS_NewPropertyIterator+0x3c29
Minor : mozjs!JS_WrapObject+0xbff
Minor : mozjs!JS_DefineObject+0xa02
Minor : mozjs!js::AutoEnterPolicy::AutoEnterPolicy+0x7b4
Minor : mozjs!js::RootedGeneric<js::StackShape *>::~RootedGeneric<js::StackShape *>+0x10088
Minor : mozjs!js::RootedGeneric<js::StackShape *>::~RootedGeneric<js::StackShape *>+0xad3a
Minor : mozjs!js::RootedGeneric<js::StackShape *>::~RootedGeneric<js::StackShape *>+0x10493
Minor : mozjs!JS_DeletePropertyStub+0x4c63
Instruction Address: 0x000000006b5b3786
Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at mozjs!icu_52::Replaceable::Replaceable+0x0000000000000255 (Hash=0x6af0ef14.0xf3331fa9)
User mode write access violations that are near NULL are unknown.
=================================================================
It doesn't look like it is exploitable. Firefox is hitting some code which has detected an overflow and exits the process. My guess is there were bugs in this code and this is the protection your developers put in place to prevent further bugs.
Thus, do you see this as a DoS bug?
Thanks.
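Comment 1 and Comment 3 point at the same mechanism: YARR's CheckedInt detects integer overflow and deliberately aborts the process. As an added illustration (not code from this bug, from CheckedArithmetic.h or from the Mozilla tree), here is a hypothetical checked-integer class in that style paired with a record-overflow accessor, so a regex compiler can reject an oversized pattern instead of crashing; `CheckedUint32` and `nestedRepeatMinSize` are names assumed for the example.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical re-implementation (not the code from CheckedArithmetic.h) of the
// checked-integer idea behind this crash: arithmetic records overflow instead
// of silently wrapping, and the value is only readable if no overflow occurred.
class CheckedUint32 {
 public:
  explicit CheckedUint32(uint32_t v = 0) : value_(v), overflowed_(false) {}

  CheckedUint32& operator*=(CheckedUint32 rhs) {
    // Overflow is sticky on either operand; then check this multiplication.
    if (overflowed_ || rhs.overflowed_ ||
        (rhs.value_ != 0 &&
         value_ > std::numeric_limits<uint32_t>::max() / rhs.value_))
      overflowed_ = true;
    else
      value_ *= rhs.value_;
    return *this;
  }

  bool hasOverflowed() const { return overflowed_; }

  // "Record overflow" accessor: refuse to hand out a value after an overflow so
  // the caller can fail the regex compile. The YARR build in the log used the
  // "crash on overflow" policy instead: the deliberate write to address 0 that
  // the debugger shows, which turns a potential memory bug into a plain DoS.
  bool safeValue(uint32_t* out) const {
    if (overflowed_) return false;
    *out = value_;
    return true;
  }

 private:
  uint32_t value_;
  bool overflowed_;
};

// Constructed example of a size computation a regex compiler performs: the
// minimum match length of an atom of `atomLen` characters inside a counted
// repetition nested `depth` times (depth 2 is roughly /((a{count}){count})/).
// Returns false, rather than a wrapped-around size, when the product overflows.
bool nestedRepeatMinSize(uint32_t atomLen, uint32_t count, unsigned depth,
                         uint32_t* out) {
  CheckedUint32 size(atomLen);
  for (unsigned i = 0; i < depth; ++i) size *= CheckedUint32(count);
  return size.safeValue(out);
}
```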
Comment 4•12 years ago
Yes, this is a denial of service in YARR.
Comment 5•12 years ago (Reporter)
Hi Dan,
Does this bug qualify for a bounty?
Updated•4 years ago
Blocks: sm-defects-crashes
Updated•3 years ago
Severity: normal → S3
Updated•1 year ago
Keywords: reporter-external
Comment 7•1 year ago
YARR has been removed.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE