<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>227869</bug_id>
          
          <creation_ts>2021-07-12 04:22:50 -0700</creation_ts>
          <short_desc>Invalid machine code emitted by SpeculativeJIT::emitObjectOrOtherBranch</short_desc>
          <delta_ts>2021-07-13 20:21:12 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>JavaScriptCore</component>
          <version>WebKit Nightly Build</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Minor</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Samuel Groß">saelo</reporter>
          <assigned_to name="Robin Morisset">rmorisset</assigned_to>
          <cc>bfulgham</cc>
    
    <cc>ews-watchlist</cc>
    
    <cc>keith_miller</cc>
    
    <cc>mark.lam</cc>
    
    <cc>msaboff</cc>
    
    <cc>product-security</cc>
    
    <cc>rmorisset</cc>
    
    <cc>saam</cc>
    
    <cc>tzagallo</cc>
    
    <cc>webkit-bug-importer</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1776283</commentid>
    <comment_count>0</comment_count>
    <who name="Samuel Groß">saelo</who>
    <bug_when>2021-07-12 04:22:50 -0700</bug_when>
    <thetext>Fuzzilli found the following sample which sometimes crashes a recent build of JSC (commit https://github.com/WebKit/WebKit/commit/36c74cfbcf3e8ced764bbb06d01a725610cc1948):

    function main() {
        let v2 = 0;
        do {
            // Hot loop: v36 (with its object-or-other branch on v21) gets compiled by the DFG on the concurrent JIT thread.
            for (let v19 = 0; v19 &lt; 10000; v19++) {
                function* v21(v22,v23,v24) {
                }
                const v26 = class V26 extends Object {
                    constructor(v28,v29) {
                        do {
                            const v31 = 8 * this;
                        } while (v2 &lt; 8);
                        const v32 = Object();
                    }
                };
                function v36(v37,v38) {
                    if (v21) {
                        const v41 = Object();
                    } else {
                        const v71 = Object;
                    }
                }
                const v73 = new Promise(v36);
            }
            const v74 = v2++;
            // jsc shell helper: invalidates the masqueradesAsUndefinedWatchpoint on the main thread.
            makeMasquerader();
            print(&quot;Invalidated masqueradesAsUndefinedWatchpoint&quot;);
        } while (v2 &lt; Object);
        // Wait for JIT thread to finish?
        gc();
    }
    main();
    // STDERR:
    // ASSERTION FAILED: r &gt;= 0
    // /home/builder/webkit/Source/JavaScriptCore/assembler/X86Assembler.h(4113) : void JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::emitRex(bool, int, int, int)


The bug is due to a race between a JIT compiler thread checking the state of a watchpoint and the main thread invalidating that watchpoint. The following patch can be used to trigger the race reliably:

    diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    index 2ea95177b9bf..3b943b0e146e 100644
    --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    @@ -1992,6 +1992,9 @@ void SpeculativeJIT::emitObjectOrOtherBranch(Edge nodeUse, BasicBlock* taken, Ba
             structureGPR = structure.gpr();
         }
 
    +    puts(&quot;Waiting in SpeculativeJIT::emitObjectOrOtherBranch. Press &lt;enter&gt; after the masqueradesAsUndefinedWatchpoint was invalidated.&quot;);
    +    getchar();
    +
         MacroAssembler::Jump notCell = m_jit.branchIfNotCell(JSValueRegs(valueGPR));
         if (masqueradesAsUndefinedWatchpointIsStillValid()) {
             DFG_TYPE_CHECK(
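
Review bot: the added `puts`/`getchar` pair sits after the closing brace of the register setup block and before the second `masqueradesAsUndefinedWatchpointIsStillValid()` check, so the compiler thread blocks on stdin exactly in the race window; a comment on those two lines stating that this is a reproduction aid not meant for landing would help, since the wait is unconditional and would stall every DFG compile that reaches this function.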

The issue is that SpeculativeJIT::emitObjectOrOtherBranch checks the state of the masqueradesAsUndefinedWatchpoint twice, the first time initializing a local register only if the watchpoint is invalid, the second time emitting code using that register if the watchpoint is invalid. If the state of the watchpoint changes in between the two queries, then the compiler will emit code with an invalid register number (-1), leading to corrupted and somewhat controllable machine code being emitted (or, in debug builds, an assertion failure). However, I do not believe that this bug is exploitable because the WatchpointCollectionPhase will watch the masqueradesAsUndefinedWatchpoint prior to the SpeculativeJIT emitting the invalid code. As such, as far as I can tell, the corrupted machine code is never installed, and can thus never be executed at runtime, as the watchpoint will have been invalidated by then. I&apos;m still marking this issue as restricted out of precaution, but feel free to derestrict it if you share my assessment.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1776284</commentid>
    <comment_count>1</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2021-07-12 04:23:01 -0700</bug_when>
    <thetext>&lt;rdar://problem/80457566&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1776463</commentid>
    <comment_count>2</comment_count>
    <who name="Robin Morisset">rmorisset</who>
    <bug_when>2021-07-12 14:58:15 -0700</bug_when>
    <thetext>Thank you for this bug report, and the great analysis.

I agree with you, both on the root cause and on the fact that it should not be exploitable.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1776474</commentid>
    <comment_count>3</comment_count>
      <attachid>433365</attachid>
    <who name="Robin Morisset">rmorisset</who>
    <bug_when>2021-07-12 15:52:53 -0700</bug_when>
    <thetext>Created attachment 433365
Patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1776476</commentid>
    <comment_count>4</comment_count>
      <attachid>433365</attachid>
    <who name="Mark Lam">mark.lam</who>
    <bug_when>2021-07-12 15:57:57 -0700</bug_when>
    <thetext>Comment on attachment 433365
Patch

r=me</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1776851</commentid>
    <comment_count>5</comment_count>
    <who name="EWS">ews-feeder</who>
    <bug_when>2021-07-13 20:21:10 -0700</bug_when>
    <thetext>Committed r279903 (239652@main): &lt;https://commits.webkit.org/239652@main&gt;

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433365.</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>433365</attachid>
            <date>2021-07-12 15:52:53 -0700</date>
            <delta_ts>2021-07-13 20:21:11 -0700</delta_ts>
            <desc>Patch</desc>
            <filename>patch227869</filename>
            <type>text/plain</type>
            <size>2672</size>
            <attacher name="Robin Morisset">rmorisset</attacher>
            
              <data encoding="base64"></data>

          </attachment>
      

    </bug>

</bugzilla>