Closed Bug 279273 Opened 20 years ago Closed 20 years ago

Broken pointer arithmetic in jsarena code

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: jk, Assigned: brendan)

Details

(Keywords: js1.5, Whiteboard: [have patch])

Attachments

(1 file, 1 obsolete file)

revised fix
(deleted), patch
shaver
: review+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux ppc64; en-US; rv:1.7.5) Gecko/20050119 Galeon/1.3.19 (Debian package 1.3.19-1) Build Identifier: Mozilla/5.0 (X11; U; Linux ppc64; en-US; rv:1.7.5) Gecko/20050119 Galeon/1.3.19 (Debian package 1.3.19-1) The code in jsarena.h and jsarena.c does some bad pointer arithmetic. Here's one example: for (a = pool->current; a->avail + nb > a->limit; pool->current = a) { The problem with "a->avail + nb > a->limit" is that the addition might overflow if a->avail is close to the upper memory boundary (e.g. 0xffffe184 + 8000 == 0xc4). The consequence is that the comparision gives an unexpected result and a crash later on. The solution is to use "a->avail > a->limit - nb" instead. I've seen crashes caused by this on Linux with an ppc64 kernel running a ppc32 mozilla build. The problem might also be reproducible with AMD64 kernels and 32-bit mozilla builds. The reason is that a->avail happens to be close the upper 32-bit memory boundary in these situations. It probably isn't easily reproducibe on pure 32-bit and 64-bit systems. I'm attaching a patch which fixes the problem for me. It just touches three instances of bad pointer arithmetic. You might want to check if there are more. (Only the changes in JS_ARENA_ALLOCATE_CAST and JS_ArenaAllocate were needed to fix the crash I saw. I just modified JS_ARENA_GROW_CAST because it looked wrong too.) (I've originally reported this bug agaist Galeon but it turned out be a problem in Mozilla. See http://bugzilla.gnome.org/show_bug.cgi?id=164262) Reproducible: Always
Attached patch JS Arena Fix (obsolete) (deleted) — Splinter Review
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
Priority: -- → P3
Target Milestone: --- → mozilla1.8beta
Attached patch revised fix (deleted) — Splinter Review
There's no need for the first change to JS_ARENA_GROW_CAST in attachment 172007 [details] [diff] [review], since the allocation at p is JS_ARENA_ALIGN(pool, size) bytes long, and its last byte is at most at 0xffffffff. With 32-bit jsuword type, even if p is up against the end of the 32-bit address space, _a->avail will be zero, the outer if's condition will be true, and the inner if/else chain will find that the allocation cannot be grown in place. /be
Attachment #172007 - Attachment is obsolete: true
Attachment #172299 - Flags: review?(shaver)
Status: NEW → ASSIGNED
Whiteboard: [have patch]
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2
Comment on attachment 172299 [details] [diff] [review] revised fix r=shaver
Attachment #172299 - Flags: review?(shaver) → review+
Fixed, thanks to all. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: testcase-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: