Closed Bug 1437125 Opened 7 years ago Closed 7 years ago

ASan heap-buffer-overflow within GET_UINT32_INDEX | js::jit::IonBuilder::inspectOpcode [JSOP_DEFFUN]

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox60 --- fixed

People

(Reporter: nbp, Assigned: nbp)

References

Details

Attachments

(1 file)

Remove operand read of JSOP_DEFFUN from inspectOpcode.
(deleted), patch
tcampbell
: review+
Details | Diff | Splinter Review 
I am able to reproduce this crash with an x64 _debug_ + asan build.

$ js --ion-eager --ion-offthread-compile=off -f ./jit-test/tests/basic/bug568276.js

=================================================================
==19818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001dc09 at pc 0x00000050ae75 bp 0x7ffcbd17d8b0 sp 0x7ffcbd17d058
READ of size 4 at 0x60300001dc09 thread T0
    #0 0x50ae74 in __asan_memcpy (/home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/js/src/shell/js+0x50ae74)
    #1 0x130b4f1 in GET_UINT32(unsigned char const*) /home/nicolas/mozilla/wksp-6/js/src/jsopcode.h:206:5
    #2 0x1301124 in GET_UINT32_INDEX(unsigned char const*) /home/nicolas/mozilla/wksp-6/js/src/jsopcode.h:258:12
    #3 0x12e8d40 in js::jit::IonBuilder::inspectOpcode(JSOp) /home/nicolas/mozilla/wksp-6/js/src/jit/IonBuilder.cpp:1858:28
    #4 0x12e59f9 in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) /home/nicolas/mozilla/wksp-6/js/src/jit/IonBuilder.cpp:1564:9
    #5 […]

0x60300001dc09 is located 0 bytes to the right of 25-byte region [0x60300001dbf0,0x60300001dc09)
allocated by thread T0 here:
    #0 0x5216f0 in __interceptor_malloc (/home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/js/src/shell/js+0x5216f0)
    #1 0x673a34 in SystemMalloc::malloc(unsigned long) /home/nicolas/mozilla/wksp-6/memory/build/malloc_decls.h:37:1
    #2 0x673968 in DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) /home/nicolas/mozilla/wksp-6/memory/build/malloc_decls.h:37:1
    #3 0x67384c in moz_arena_malloc /home/nicolas/mozilla/wksp-6/memory/build/malloc_decls.h:115:1
    #4 0x7a69a6 in js_malloc(unsigned long) /home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/dist/include/js/Utility.h:387:12
    #5 0x807f44 in unsigned char* js_pod_malloc<unsigned char>(unsigned long) /home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/dist/include/js/Utility.h:577:28
    #6 0x847c53 in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_malloc<unsigned char>(unsigned long) /home/nicolas/mozilla/wksp-6/js/src/vm/MallocProvider.h:54:16
    #7 0x84795a in unsigned char* js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned long) /home/nicolas/mozilla/wksp-6/js/src/vm/MallocProvider.h:87:16
    #8 0x2068045 in js::SharedScriptData::new_(JSContext*, unsigned int, unsigned int, unsigned int) /home/nicolas/mozilla/wksp-6/js/src/jsscript.cpp:2441:66
    #9 0x2057959 in JSScript::createScriptData(JSContext*, unsigned int, unsigned int, unsigned int) /home/nicolas/mozilla/wksp-6/js/src/jsscript.cpp:2478:29
    #10 0x206beb4 in JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) /home/nicolas/mozilla/wksp-6/js/src/jsscript.cpp:3028:18
    #11 0x2fb002d in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) /home/nicolas/mozilla/wksp-6/js/src/frontend/BytecodeEmitter.cpp:4904:10
    #12 0x2a4a5ca in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) /home/nicolas/mozilla/wksp-6/js/src/frontend/BytecodeCompiler.cpp:345:27
    #13 0x2a4ad08 in BytecodeCompiler::compileGlobalScript(js::ScopeKind) /home/nicolas/mozilla/wksp-6/js/src/frontend/BytecodeCompiler.cpp:379:12
    #14 […]


Note, this is not a security issue.

The call to GET_UINT32 in the JSOP_DEFFUN case of inspectOpcode is used to read the argument of the IonBuilder::jsop_deffun function.
This problem might not appear with optimized builds because the index of the IonBuilder::jsop_deffun function is not used and the function is probably inlined.
Blocks: 1185106

        Attachment #8949818 -
        Flags: review?(tcampbell)

    
    

    
  
Comment on attachment 8949818 [details] [diff] [review]
Remove operand read of JSOP_DEFFUN from inspectOpcode.

Review of attachment 8949818 [details] [diff] [review]:
-----------------------------------------------------------------

Ugh. Good find

        Attachment #8949818 -
        Flags: review?(tcampbell) → review+

    
  
Priority: -- → P3

    
    

    
  
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/772a11f3103b
Remove operand read of JSOP_DEFFUN from inspectOpcode. r=tcampbell

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/772a11f3103b
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox60:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: