Closed Bug 1816311 Opened 1 year ago Closed 1 year ago

Assertion failure: v.hasObjectPayload(), at builtin/JSON.cpp:764

Categories: Core :: JavaScript Engine, defect, P2

Tracking: RESOLVED FIXED, 112 Branch
Tracking Status: firefox112 --- fixed

People: Reporter: lukas.bernhard, Assigned: jandem

References: Blocks 2 open bugs

Attachments: 1 file

Steps to reproduce:

On commit 1d6e2f82287c298f77f21ad0f62f1aed6155577c the attached sample crashes with an assertion violation when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js. Not setting s-s because the debugger API is not exposed to web content.

// crash.js: the attached sample, run with --fuzzing-safe
const v0 = ` 
    const v1 = [v0];
    const v2 = v1.keys;
    const v4 = [];
    v4.sameZoneAs = v4;
    with (this.newGlobal(v4).Debugger(v2).getNewestFrame()) {
        const v8 = "function f9(a10) { return f9; }";
        for (const v13 in eval(v8)) {  }
    }
    const v15 = [v1];
    const v17 = {...this};
    v17.wrapWithProto(v17, v17).findPath(v15, v15);
`;
JSON.stringify(eval(v0));

#0  0x0000555557642e14 in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:764
#1  0x0000555557688646 in JO (cx=0x7ffff742f100, obj=..., scx=0x7fffffffa510)
    at js/src/builtin/JSON.cpp:549
#2  0x000055555764309e in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:792
#3  0x0000555557688646 in JO (cx=0x7ffff742f100, obj=..., scx=0x7fffffffa510)
    at js/src/builtin/JSON.cpp:549
#4  0x000055555764309e in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:792
#5  0x00005555576877ca in JA (cx=0x7ffff742f100, obj=..., scx=0x7fffffffa510)
    at js/src/builtin/JSON.cpp:680
#6  0x0000555557643055 in Str (cx=0x7ffff742f100, v=..., scx=0x7fffffffa510) at js/src/builtin/JSON.cpp:792
#7  0x0000555557640db5 in js::Stringify (cx=0x7ffff742f100, vp=..., replacer_=0x0, space_=..., sb=...,
    stringifyBehavior=js::StringifyBehavior::Normal) at js/src/builtin/JSON.cpp:970
#8  0x0000555557643c6b in json_stringify (cx=0x7ffff742f100, argc=1, vp=0x7ffff4cec090)
    at js/src/builtin/JSON.cpp:1342
#9  0x000055555756038e in CallJSNative (cx=0x7ffff742f100, native=0x555557643960 <json_stringify(JSContext*, unsigned int, JS::Value*)>,
    reason=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:459
#10 0x000055555755fbcd in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., construct=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:547
#11 0x0000555557560f61 in InternalCall (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:614
#12 0x0000555557560d25 in js::CallFromStack (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:619
#13 0x0000555557551a54 in Interpret (cx=0x7ffff742f100, state=...) at js/src/vm/Interpreter.cpp:3362
#14 0x0000555557543b30 in js::RunScript (cx=0x7ffff742f100, state=...) at js/src/vm/Interpreter.cpp:431
#15 0x0000555557562b1c in js::ExecuteKernel (cx=0x7ffff742f100, script=..., envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:812
#16 0x00005555575633c5 in js::Execute (cx=0x7ffff742f100, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:844
#17 0x0000555557799846 in ExecuteScript (cx=0x7ffff742f100, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:472
#18 0x000055555779999d in JS_ExecuteScript (cx=0x7ffff742f100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:496
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Blocks: sm-runtime
Severity: -- → S3
Priority: -- → P2

I was wondering how this was related to the Debugger, and just executed the eval(v0) part in the interactive JS shell:

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: internal value types shouldn't leak into places wanting source representations), at …/js/src/vm/ToSource.cpp:241

So this would be an unexpected input for JSON.stringify, or an unexpected output for the debugger.
Maybe some of these APIs should not be exposed to fuzzers.

Jan, any idea what to do next with this bug?

Flags: needinfo?(jdemooij)

The issue in the bug is that we were returning a DebugEnvironmentProxy to JS
through findPath/UbiNode, and this object isn't safe to use from arbitrary JS.

This patch also changes findPath to not define the node property with --fuzzing-safe,
to fix similar issues elsewhere. This DebugEnvironmentProxy case is easy to fix, but
the engine also uses plain objects and arrays internally in some places and the JSClass
checks won't be sufficient for that.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
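The fix described in the comment above, as an added illustration that is not SpiderMonkey code and not part of this bug: a toy findPath-style walk over a constructed heap path, with a class-based allowlist next to a fuzzing-safe mode that withholds the node object entirely. The object classes, the engineInternal flag and every function name are hypothetical. It shows the limitation the comment points to: the class check stops a DebugEnvProxy but passes an engine-internal plain object, while the fuzzing-safe mode exposes neither.

```cpp
// Added illustration, not SpiderMonkey code: a toy findPath-style API that
// reports heap-path nodes to script, comparing a per-object class allowlist
// with a fuzzing-safe mode that never hands out the node object. All class
// names, flags and functions are hypothetical.
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical object classes. DebugEnvProxy stands in for an internal object
// that is unsafe to use from arbitrary script.
enum class ObjClass { PlainObject, Array, Function, DebugEnvProxy };

struct HeapObject {
  std::string name;
  ObjClass cls;
  // True for objects the engine allocates for its own bookkeeping. An internal
  // plain object or array carries the same class as a script-created one, so
  // this property is invisible to a class check.
  bool engineInternal;
};

// One node on a reported path. When `exposed` is false the API withheld the
// object and only the edge name reaches script.
struct PathNode {
  bool exposed;
  HeapObject obj;
  std::string edgeName;
};

// Policy 1: class allowlist. Sufficient for classes that are internal-only.
bool classIsSafeForScript(ObjClass cls) {
  switch (cls) {
    case ObjClass::PlainObject:
    case ObjClass::Array:
    case ObjClass::Function:
      return true;
    case ObjClass::DebugEnvProxy:
      return false;
  }
  return false;
}

// Policy 2: in fuzzing-safe mode the node object is never exposed, which also
// covers internal plain objects and arrays the class check lets through.
PathNode makeNode(const HeapObject& o, bool fuzzingSafe) {
  bool expose = !fuzzingSafe && classIsSafeForScript(o.cls);
  return {expose, o, "edge->" + o.name};
}

// Apply the policy to every object on a path from a root to a target.
std::vector<PathNode> findPath(const std::vector<HeapObject>& path, bool fuzzingSafe) {
  std::vector<PathNode> out;
  for (const HeapObject& o : path) out.push_back(makeNode(o, fuzzingSafe));
  return out;
}

// Leak measure: exposed nodes whose object is engine-internal.
int leakedInternalObjects(const std::vector<PathNode>& nodes) {
  int n = 0;
  for (const PathNode& p : nodes)
    if (p.exposed && p.obj.engineInternal) ++n;
  return n;
}

// Constructed sample path: a script array, an internal environment proxy and
// an internal plain object used for engine bookkeeping.
std::vector<HeapObject> samplePath() {
  return {
      {"scriptArray", ObjClass::Array, false},
      {"debugEnvProxy", ObjClass::DebugEnvProxy, true},
      {"internalScratchObject", ObjClass::PlainObject, true},
  };
}

int main() {
  std::printf("class allowlist only: %d internal object(s) exposed\n",
              leakedInternalObjects(findPath(samplePath(), false)));  // 1
  std::printf("fuzzing-safe mode:    %d internal object(s) exposed\n",
              leakedInternalObjects(findPath(samplePath(), true)));  // 0
  return 0;
}
```

With the class allowlist alone the internal plain object still reaches script, which is the gap the comment describes; withholding the node object under the fuzzing-safe flag closes it without having to classify every internal use of plain objects and arrays.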
Duplicate of this bug: 1817437
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/de743860eb4e
Don't expose objects through findPath with --fuzzing-safe. r=jonco
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
