CVE-2024-7652: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an…

CVE-2024-7652 [HIGH] CWE-843 mozilla: Type Confusion in Async Generators in Javascript Engine mozilla: Type Confusion in Async Generators in Javascript Engine An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. Mitigation: Mitigation for this issue is

CVE-2024-7652 [HIGH] CVE-2024-7652: firefox - An error in the ECMA-262 specification relating to Async Generators could have r... An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. Scope: local sid: resolved (fixed in 128.0-1)

CVE-2024-7652 [HIGH] Mozilla Foundation Security Advisory 2024-31: CVE-2024-7652 Mozilla Foundation Security Advisory 2024-31 CVE: CVE-2024-7652 Product: Thunderbird Impact: high Fixed in: Thunderbird 115.13

CVE-2024-7652 [HIGH] Mozilla Foundation Security Advisory 2024-30: CVE-2024-7652 Mozilla Foundation Security Advisory 2024-30 CVE: CVE-2024-7652 Product: Firefox ESR Impact: high Fixed in: Firefox ESR 115.13

CVE-2024-7652 [HIGH] Mozilla Foundation Security Advisory 2024-32: CVE-2024-7652 Mozilla Foundation Security Advisory 2024-32 CVE: CVE-2024-7652 Product: Thunderbird Impact: high Fixed in: Thunderbird 128

CVE-2024-7652 [HIGH] Mozilla Foundation Security Advisory 2024-29: CVE-2024-7652 Mozilla Foundation Security Advisory 2024-29 CVE: CVE-2024-7652 Product: Firefox Impact: high Fixed in: Firefox 128

CVE-2024-7652 [HIGH] CVE-2024-7652: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

CVE-2024-7652 [HIGH] CWE-476 GHSA-crg5-c758-hm56: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Assertion failure: generator->isCompleted(), at /root/src/js/src/vm/AsyncIteration.cpp:605 Assertion failure: generator->isCompleted(), at /root/src/js/src/vm/AsyncIteration.cpp:605 Created attachment 9406244 bug.js Steps to reproduce: Checkout commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows: ``` /root/js-spidermonkey-shell --fuzzing-safe ``` Actual results: ``` Assertion failure: generator->isCompleted(), at /root/src/js/src/vm/AsyncIteration.cpp:605 ``` Discussion: arai, needinfo'ing you because this looks like an issue with async functions and/or promises. --- Good find! Apparently this is a bug in the spec. Here's reduced testcase: ```js async function* f() {} const g = f(); Object.defineProperty(Object.prototype, "then", { get: function() { g.return(); return; }, }); g.return(); ``` The first step is the top-level `g.return();