Closed Bug 313500 Opened 19 years ago Closed 19 years ago

Unrooted access to "prototype" property

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8rc1

People

(Reporter: igor, Assigned: brendan)

Details

(Keywords: js1.6, verified1.8, Whiteboard: [sg:critical?])

Attachments

(2 files)

proposed fix
5.56 KB, patch
igor
: review+
shaver
: superreview+
dveditz
: approval1.8rc1+
Details | Diff | Splinter Review
js1_5/Regress/regress-313500.js
2.28 KB, text/plain
Details 
js_Interpret in jsinterp.c stores the result of accessing "prototype" property of function objects in unrooted "rval" local variable. This is GC-unsafe since there is object allocation before the result of accessing "prototype" property is rooted.

If one recompiles JS shell with TOO_MUCH_GC defined then the following example gives segmentation fault:

function F() { }

var prepared = new Object();

F.prototype = {};
F.__defineGetter__('prototype', function() {
	var tmp = prepared;
	prepared = null;
	return tmp;
});

new F();

There is a similar pattern is 2 places in jsobj.c with problematic access of "prototype" property. I suspect that there is a problem in fun_resolve from jsfun.c as well, but it may be actually GC-safe. On the other hand accessing the property in Exception from jsexn.c is GC safe since a script can not define a getter for "prototype" for Error object as it already defined as read-only property.
Assignee: general → brendan
Flags: blocking1.8rc1+
Keywords: js1.6
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8rc1
(In reply to comment #0)
> There is a similar pattern is 2 places in jsobj.c with problematic access of
> "prototype" property. I suspect that there is a problem in fun_resolve from
> jsfun.c as well, but it may be actually GC-safe.

No, those are both hazardous -- thanks for finding them.  Are you reviewing all OBJ_GET_PROPERTY usage, or looking for classPrototypeAtom usage, or both?

> On the other hand accessing
> the property in Exception from jsexn.c is GC safe since a script can not define
> a getter for "prototype" for Error object as it already defined as read-only
> property.

Yes, a saving grace of ECMA-262!

Patch soon, thanks again.

/be
Assignee: brendan → general
(In reply to comment #1)
> (In reply to comment #0)
> > On the other hand accessing
> > the property in Exception from jsexn.c is GC safe since a script can not define
> > a getter for "prototype" for Error object as it already defined as read-only
> > property.
> 
> Yes, a saving grace of ECMA-262!

Although it is the permanent (ECMA DontDelete) attribute that saves us here.  A read-only property can be deleted, and then its id rebound to a getter.  So only the permanent attribute prevents an exploit such as this bug's testcase.

/be
Assignee: general → brendan
(In reply to comment #1)
> Are you reviewing all
> OBJ_GET_PROPERTY usage, or looking for classPrototypeAtom usage, or both?

I try to go through all cases of OBJ_GET_PROPERTY/ValueToString/ValueToSource in js/src/*.c as time permits. The case of classPrototypeAtom was just a common pattern easy to spot and sufficiently unique to justify a separated bug.
Attached patch proposed fixSplinter Review 
mrbkap, please have a look too.  The comments tell the tale.

/be
Attachment #200549 - Flags: superreview?(shaver)
Attachment #200549 - Flags: review?(igor.bukanov)
Attachment #200549 - Flags: review?(igor.bukanov) → review+
Comment on attachment 200549 [details] [diff] [review]
proposed fix

Checked into trunk.

/be
Attachment #200549 - Flags: approval1.8rc1?
Comment on attachment 200549 [details] [diff] [review]
proposed fix

sr=shaver.  Almost into XXX territory with the newborn-root hacking!

Can you add a comment before GetClassPrototype stating the 'delegate-or-get-class' invariant that it expects its callers to uphold?
Attachment #200549 - Flags: superreview?(shaver) → superreview+
Comment on attachment 200549 [details] [diff] [review]
proposed fix

a=dveditz
Attachment #200549 - Flags: approval1.8rc1? → approval1.8rc1+
Whiteboard: [sg:critical?]
Fixed on branch and trunk.

/be
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Flags: testcase?
verified firefox 1.5 rc2 linux/win32 2005-11-07
Keywords: fixed1.8verified1.8
testcase+ to get this off my radar. when this is made public, i will check in the test.
Flags: testcase? → testcase+
This should have gone on the old branches
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Attachment #200549 - Flags: approval1.7.14?
Attachment #200549 - Flags: approval-aviary1.0.9?
Dan, has there already been an advisory for this, so I can release the patch in 'pseudo 1.7.15/1.0.10' ?

How to procede with this one?
Yes, this was part of MFSA 2006-10 but wasn't explicitly mentioned. I'll go update that advisory.
verified fixed 1.9 windows/mac(ppc|tel)/linux 20060812
Status: RESOLVED → VERIFIED
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-313500.js,v  <--  regress-313500.js
Attachment #200549 - Flags: approval1.7.14?
Attachment #200549 - Flags: approval-aviary1.0.9?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: