In April 2023, Mozilla discovered a security bug tagged as CVE-2023-29548. This vulnerability surfaced due to a faulty lowering instruction in the ARM64 Ion compiler. Essentially, this means the part of Firefox and Thunderbird responsible for turning high-level JavaScript to efficient machine code made a critical mistake on ARM64 (the processor architecture for many Android devices and some newer laptops). This error led to incorrect optimization, which can allow attackers to exploit it for dangerous outcomes like memory corruption.
Thunderbird < 102.10
Let’s break down how this happened, how it can be misused, and how the Mozilla team fixed it.
What is the ARM64 Ion Compiler?
Before diving in, remember: web browsers like Firefox don't run website code directly. Instead, JavaScript code gets compiled on-the-fly for performance. The "IonMonkey" (Ion) compiler is the part of Firefox handling this optimization.
"Lowering" is the step where high-level operations get translated into platform-specific machine code. A faulty instruction here means the browser might *think* it's doing the right thing, when in reality, it isn't—making security holes possible.
What Went Wrong?
On the ARM64 platform, a specific lowering instruction caused Ion compiler to generate wrong machine code for certain JavaScript operations. Because this happened during optimization, the resulting machine code could read or write memory incorrectly.
For developers, here’s a general idea in pseudocode
// High-level lowering stage
LInstruction *LIR = new LInstruction();
MInstruction *MIR = mirInstr; // The high-level representation
// Faulty lowering step
LIR->setOperand(, useRegister(MIR->getOperand()));
LIR->setOperand(1, useRegister(MIR->getOperand(1)));
// The issue: produced assembly didn't match operation's needs
addInstruction(LIR, MIR);
For example, if you had a function manipulating array sizes or integers, the compiler might optimize it in a way that enables an attacker to overflow internal limits—something not possible in the official JavaScript spec.
Who Is at Risk?
Anyone using a vulnerable version of Firefox, Firefox ESR, Focus for Android, or Thunderbird *on ARM64 devices* is at risk. This includes many Android phones and some ARM-based laptops.
How Could Attackers Abuse This?
With knowledge of the bug, a malicious site could trigger the faulty optimization in the Ion compiler by using carefully constructed JavaScript. For example:
// Example JS that could trigger unsafe optimization
function triggerBug(a, b) {
return (a | ) + (b | );
}
for (let i = ; i < 100000; i++) {
triggerBug(1, 2);
}
// Now, call with crafted inputs to exploit compiler confusion.
triggerBug(fakeObject, craftedValue);
Leak personal or sensitive data.
These outcomes depend on the attacker's skills, but the vulnerability *does* open the door.
Mozilla Security Advisory:
Mozilla Security Blog:
Firefox 112, Focus for Android 112 and Thunderbird 102.10 Security Fixes
CVE Details:
How Did Mozilla Fix It?
Mozilla’s team corrected the faulty lowering step and updated their IonMonkey JIT so that lowering instructions produce the right machine code on ARM64. Here’s a simplified fix pattern:
// Fixed lowering instruction
LIR->setOperand(, tryUseRegisterOrConstant(MIR->getOperand()));
LIR->setOperand(1, tryUseRegisterOrConstant(MIR->getOperand(1)));
// Validate input range to prevent overflows
MOZ_ASSERT(validOperandRange(MIR->getOperand()) && validOperandRange(MIR->getOperand(1)));
Additionally, Mozilla quickly published new Firefox and Thunderbird releases to patch the vulnerability (versions listed above).
Conclusion
CVE-2023-29548 is a perfect example of how even a small oversight in a compiler's internal logic can risk millions of users' security. ARM64 is only becoming more common, so mistakes in its support code matter more each day.
By updating regularly and following security advisories, users and developers can stay resilient—even as attackers and vulnerabilities evolve.
Timeline
Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 03:56:00 UTC