Closed Bug 1889049 Opened 1 year ago Closed 1 year ago

Website next.scrimba.tech crashes

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Version:
Firefox 126
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- wontfix
firefox125 + fixed
firefox126 + fixed

People

(Reporter: simonf, Assigned: alexical)

References

(Blocks 1 open bug, Regression,
URL
)

Details

(6 keywords, Whiteboard: [adv-main125+r])

Crash Data

Attachments

(2 files)

Bug 1889049 - Avoid writing to input reg in toHashableString r?iain
48 bytes, text/x-phabricator-request
dveditz
: sec-approval+
Details | Review
Bug 1889049 - Avoid writing to input reg in toHashableString r?iain
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review

https://next.scrimba.tech/ crashes in current Nightly.
Determined that this is caused by 1729044 with moz-regression.
A crash dump from my machine is available here: https://crash-stats.mozilla.org/report/index/b1127216-635b-4b5e-aaa4-43a810240402

Group: core-security
Flags: needinfo?(afranchuk)

Set release status flags based on info from the regressing bug 1729044

status-firefox124: --- → unaffected
status-firefox125: --- → unaffected
status-firefox-esr115: --- → unaffected
Group: core-security → dom-core-security

The bug is marked as tracked for firefox126 (nightly). We have limited time to fix this, the soft freeze is in 9 days. However, the bug still isn't assigned.

:gcp, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(gpascutto)

Bug 1729044 is almost definitely not the cause; it removed unused code.

Flags: needinfo?(afranchuk)

Also, I'm able to open the link on currently Nightly without a crash.

It also crashes for me, on MacOS. It looks like Simon is also on MacOS. What OS are you on, Alex?

Keywords: reproducible

I tried in mozregression, and I couldn't reproduce in a clean build there.

I'm on linux!

FWIW I tried both last night's and this morning's nightly.

It takes a second or ten but it also crashes for me on OSX with a current local build and on Linux with current Nightly.
(Linux: https://crash-stats.mozilla.org/report/index/01f5e5f0-f1d2-4635-804c-ddb980240303 )

So I was unable to reproduce just that site crashing (I've tried waiting, clicking around a bunch, etc), however I found that https://next.scrimba.tech/learn-javascript-c0v reliably crashes for me.

I was able to get the original URL to reproduce more reliably by spamming a bunch of tabs, but Alex's URL reproduces it much more effectively. With mozregression, I can reproduce on a 03-03 build, which predates bug 1729044, so I'll move this.

URL: https://next.scrimba.tech/https://next.scrimba.tech/learn-javas...
Component: IPC → JavaScript: GC
Keywords: csectype-wildptr, sec-high
No longer regressed by: 1729044
Group: dom-core-security → javascript-core-security

Thanks to Alex for the new test case. It reproduces a crash for me 100% of the time, in a fresh profile. mozregression says bug 1873964 is the cause here, which makes more sense.

Component: JavaScript: GC → JavaScript Engine
Regressed by: 1873964

I re-ran mozregression (with ./mach mozregression -g 2024-02-04 -b 2024-02-06) and it confirmed the regressor.

:alexical, since you are the author of the regressor, bug 1873964, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(dothayer)
Blocks: sm-security
Severity: -- → S2
Priority: -- → P1
Crash Signature: [@ js::gc::HeaderWord::get ]
Assignee: nobody → dothayer
Status: NEW → ASSIGNED
Flags: needinfo?(dothayer)

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on release (startup)
  • Top 20 desktop browser crashes on beta
  • Top 10 desktop browser crashes on nightly
  • Top 10 content process crashes on beta
  • Top 10 content process crashes on release

For more information, please visit BugBot documentation.

Keywords: topcrash, topcrash-startup

Still TBD on why this is actually a problem, given that we're replacing the
input with a pointer to an atom which is valid and equivalent to the string,
but it appears to fix the crash.

Comment on attachment 9394887 [details]
Bug 1889049 - Avoid writing to input reg in toHashableString r?iain

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: My intuition is it would be tough, but I have been unable to pin down the smoking gun here so it's possible that it's easy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, release, yes
  • If not all supported branches, which bug introduced the flaw?: Bug 1873964
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: trivial
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely. It's fairly trivially correct.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9394887 - Flags: sec-approval?
Attachment #9395153 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Crashes, potential security hole
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: Navigate to the linked page in bug and verify it does not crash.
  • Risk associated with taking this patch: Little
  • Explanation of risk level: It's a small and very simple patch.
  • String changes made/needed: None
  • Is Android affected?: yes

Comment on attachment 9394887 [details]
Bug 1889049 - Avoid writing to input reg in toHashableString r?iain

sec-approval+ = dveditz

Attachment #9394887 - Flags: sec-approval? → sec-approval+
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2fa433813320 Avoid writing to input reg in toHashableString r=iain

https://hg.mozilla.org/mozilla-central/rev/2fa433813320

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox126: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Attachment #9395153 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main125+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: