[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19400 [Applications/Tor Browser]: [Asan] Crash in js::AsmJSModule::deserialize / DeserializeSig



#19400: [Asan] Crash in js::AsmJSModule::deserialize / DeserializeSig
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  Very High                            |         Status:
Component:  Applications/Tor Browser             |  assigned
 Severity:  Critical                             |      Milestone:
 Keywords:  tbb-crash, TorBrowserTeam201606,     |        Version:
  tbb-6.0-issues                                 |     Resolution:
Parent ID:                                       |  Actual Points:
 Reviewer:                                       |         Points:
                                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by mcs):

 Kathy and I are waiting for our own gitian build to finish before we can
 be sure (and you may already know some of this), but we believe that a
 not-so-beautiful combination of factors led to this crash:

 1) This Firefox change that was made for 45.2.0 ESR:
 https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-
 browser-45.2.0esr-6.5-1&id=fcb31773712f1e2adce790771f7978ba30056645

 2) The fact that our build ID does not change between releases. The
 asmjscache code includes the build ID in serialized files and uses it to
 determine if cached files should be used or not (because serialized data
 structure sizes may change between browser releases). I would feel better
 if the serialized data structures had built-in bounds checking, e.g., by
 using a <length><payload> format for everything, but they do not. For
 build ID usage, see:
  https://gitweb.torproject.org/tor-
 browser.git/tree/dom/asmjscache/AsmJSCache.cpp?h=tor-
 browser-45.2.0esr-6.5-1#n113
  https://gitweb.torproject.org/tor-
 browser.git/tree/dom/asmjscache/AsmJSCache.cpp?h=tor-
 browser-45.2.0esr-6.5-1#n1697
  https://gitweb.torproject.org/tor-
 browser.git/tree/js/src/asmjs/AsmJSModule.cpp?h=tor-
 browser-45.2.0esr-6.5-1#n2000
  https://gitweb.torproject.org/tor-
 browser.git/tree/js/src/asmjs/AsmJSModule.cpp?h=tor-
 browser-45.2.0esr-6.5-1#n2317

 The build ID issue also explains why our non-gitian builds do not crash
 (those builds use a build ID that is based on the actual build date like
 Firefox does).

 If we do not want to disable the asmjscache unconditionally, then we will
 have to come up with a way to return a value from
 dom/asmjscache/AsmJSCache.cpp's GetBuildId() method that is unique for
 each of our releases.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19400#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs