Recently, I have found an interesting crash in Firefox and decided to investigate more. So I decided to Google for it and it appears that the issue is already known and was reported few months ago to Mozilla.
However, the bug is not fixed yet (at least in FF 26) and as a matter of personal exercise, I have decided to dig a little deeper and collect some notes which I am sharing in this blog post.
Here is a brief analysis of what I have found, thanks also to the pointers given from my friend Andrzej Dereszowski.
This is the crash PoC:
<html>
<head>
<script>
function main() {
regexp = /(?!Z)r{2147483647,}M\d/;
"A".match(regexp);
}
main();
</script>
</head>
<body>
</body>
</html>
Below, a windbg screen shot showing the crash on Firefox 25 / Windows 8.1 (64bit):
At this stage, we can infer that an overflow occurred and as a measure of protection FF decided to crash instead of gracefully handle the issue. In my PoC, you can see already the integer 2147483647 which is used in a regular expression.
In the call stack, there are functions dealing with the RegExp just before the mozjs!WTF::CrashOnOverflow::overflowed: . Let's put a breakpoint on the previous function: mozjs!JSC::Yarr::YarrGenerator<1>::generatePatternCharacterFixed+0x87 and see what happens just before the overflow is identified.
This is the function where we are setting the breakpoint (bp) on:
void generatePatternCharacterFixed(size_t opIndex)
{
YarrOp& op = m_ops[opIndex];
PatternTerm* term = op.m_term;
UChar ch = term->patternCharacter;
const RegisterID character = regT0;
const RegisterID countRegister = regT1;
move(index, countRegister);
sub32(Imm32(term->quantityCount.unsafeGet()), countRegister);
Label loop(this);
BaseIndex address(input, countRegister, m_charScale, (Checked<int>(term->inputPosition - m_checked + Checked<int64_t>(term->quantityCount)) * static_cast<int>(m_charSize == Char8 ? sizeof(char) : sizeof(UChar))).unsafeGet());
The bp is set on the BaseIndex address() part. This is where some checks are performed on our integer.
After stepping through different checks, our integer (2147483647) is stored in both lhs and rhs and then lhs and rhs are summed together. The sum is then stored in the "result" variable, as shown below:
The addition of lhs and rhs is 4294967294 (0xFFFFFFFE) which is stored in an int64. Following that, a further check is performed, as shown below:
template <typename U> Checked(const Checked<U, OverflowHandler>& rhs)
: OverflowHandler(rhs)
{
if (!isInBounds<T>(rhs.m_value))
this->overflowed();
m_value = static_cast<T>(rhs.m_value);
}
However, the bug is not fixed yet (at least in FF 26) and as a matter of personal exercise, I have decided to dig a little deeper and collect some notes which I am sharing in this blog post.
Here is a brief analysis of what I have found, thanks also to the pointers given from my friend Andrzej Dereszowski.
This is the crash PoC:
<html>
<head>
<script>
function main() {
regexp = /(?!Z)r{2147483647,}M\d/;
"A".match(regexp);
}
main();
</script>
</head>
<body>
</body>
</html>
Below, a windbg screen shot showing the crash on Firefox 25 / Windows 8.1 (64bit):
At this stage, we can infer that an overflow occurred and as a measure of protection FF decided to crash instead of gracefully handle the issue. In my PoC, you can see already the integer 2147483647 which is used in a regular expression.
In the call stack, there are functions dealing with the RegExp just before the mozjs!WTF::CrashOnOverflow::overflowed: . Let's put a breakpoint on the previous function: mozjs!JSC::Yarr::YarrGenerator<1>::generatePatternCharacterFixed+0x87 and see what happens just before the overflow is identified.
This is the function where we are setting the breakpoint (bp) on:
void generatePatternCharacterFixed(size_t opIndex)
{
YarrOp& op = m_ops[opIndex];
PatternTerm* term = op.m_term;
UChar ch = term->patternCharacter;
const RegisterID character = regT0;
const RegisterID countRegister = regT1;
move(index, countRegister);
sub32(Imm32(term->quantityCount.unsafeGet()), countRegister);
Label loop(this);
BaseIndex address(input, countRegister, m_charScale, (Checked<int>(term->inputPosition - m_checked + Checked<int64_t>(term->quantityCount)) * static_cast<int>(m_charSize == Char8 ? sizeof(char) : sizeof(UChar))).unsafeGet());
The bp is set on the BaseIndex address() part. This is where some checks are performed on our integer.
After stepping through different checks, our integer (2147483647) is stored in both lhs and rhs and then lhs and rhs are summed together. The sum is then stored in the "result" variable, as shown below:
template <typename U> Checked(const Checked<U, OverflowHandler>& rhs)
: OverflowHandler(rhs)
{
if (!isInBounds<T>(rhs.m_value))
this->overflowed();
m_value = static_cast<T>(rhs.m_value);
}
Within the isInBounds check (in the screen shot below), the minimum value is 0x80000000 and the maximum value is 0x7FFFFFFF, which means between -2147483648 and 2147483647, the range of a long.
The rhs.m_value is now 4294967294 (0xFFFFFFFE) as result of the previous arithmetic operation between lhs and rhs.
This triggers the check as 0xFFFFFFFE is greater than 0x7FFFFFFF (max value in the inBounds check). This would call overflowed() which would then simply crash FF.
Comments
Post a Comment