Closed
Bug 631723
Opened 13 years ago
Closed 13 years ago
Deleted watchpoints can make obj->addProperty/putProperty return a shape not in obj
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla2.0

Tracking | Status
---|---
blocking2.0 | final+
status1.9.2 | unaffected
status1.9.1 | unaffected
People: Reporter: jorendorff; Assignee: jorendorff
Whiteboard: [sg-critical?][softblocker][fixed-in-tracemonkey]
Attachments (1 file, 2 obsolete files): patch, 9.70 KB, jimb: review+
Description (Reporter: jorendorff)

At the end of JSObject::addProperty:

```cpp
    /* Update any watchpoints referring to this property. */
    if (!js_UpdateWatchpointsForShape(cx, this, shape)) {
        METER(wrapWatchFails);
        return NULL;
    }
    return shape;
}
```

Before js_UpdateWatchpointsForShape, shape is sure to be in this; but afterwards shape can be GC-unreachable (therefore this is security-sensitive for now). No test case as yet, but it seems likely this is observable and possibly it's exploitable. Taking.
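The following is an added illustration of the pattern in the quoted code, not SpiderMonkey code and not the patch attached to this bug. It is a toy object/shape model in C in which the watchpoint-update hook may splice a replacement shape into the object in place of the one just added (the engine's deleted-watchpoint case is not modelled; only the general hazard is). `addPropertyBuggy` mirrors the quoted code: it treats the hook as a pass/fail check and returns the pointer captured before the hook ran. `addPropertyFixed` returns whatever shape the hook left in the object. All names here (`Object`, `Shape`, `updateWatchpointsForShape`, `g_watchedId`, `objectHasShape`) are hypothetical stand-ins; the detached shape is deliberately not freed inside the hook so the stale pointer can be inspected without undefined behaviour, whereas in the engine the GC would reclaim it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not SpiderMonkey): an object owns a lineage of
 * property shapes; a watchpoint hook may replace the newest shape. */
typedef uint32_t PropId;

typedef struct Shape {
    PropId id;
    bool watched;         /* set on the replacement installed by the hook */
    struct Shape *parent; /* next older shape in the lineage */
} Shape;

typedef struct Object {
    Shape *lastProp;      /* newest shape; everything reachable from here is "in" obj */
} Object;

/* Toy watchpoint table: a single watched property id, or NO_WATCH. */
#define NO_WATCH ((PropId)-1)
static PropId g_watchedId = NO_WATCH;

static Shape *newShape(Object *obj, PropId id)
{
    Shape *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->id = id;
    s->parent = obj->lastProp;
    obj->lastProp = s;
    return s;
}

/* Stand-in for js_UpdateWatchpointsForShape. If the property is watched, the
 * original shape is unlinked from obj and a wrapper takes its place; the
 * unlinked shape is then no longer reachable from obj (GC-unreachable in the
 * engine). Returns the shape that is actually in obj afterwards. */
static Shape *updateWatchpointsForShape(Object *obj, Shape *shape)
{
    if (shape->id != g_watchedId)
        return shape;
    Shape *wrapper = calloc(1, sizeof *wrapper);
    if (!wrapper)
        return NULL;
    wrapper->id = shape->id;
    wrapper->watched = true;
    wrapper->parent = shape->parent;
    if (obj->lastProp == shape)
        obj->lastProp = wrapper;
    shape->parent = NULL; /* detached; not freed so the demo can inspect it safely */
    return wrapper;
}

/* Buggy: hook treated as a yes/no check, pre-hook pointer returned. */
static Shape *addPropertyBuggy(Object *obj, PropId id)
{
    Shape *shape = newShape(obj, id);
    if (!shape || !updateWatchpointsForShape(obj, shape))
        return NULL;
    return shape; /* may no longer be reachable from obj */
}

/* Fixed: return whatever shape the hook left in the object. */
static Shape *addPropertyFixed(Object *obj, PropId id)
{
    Shape *shape = newShape(obj, id);
    return shape ? updateWatchpointsForShape(obj, shape) : NULL;
}

/* The invariant callers rely on: the returned shape is reachable from obj. */
static bool objectHasShape(const Object *obj, const Shape *shape)
{
    for (const Shape *s = obj->lastProp; s; s = s->parent)
        if (s == shape)
            return true;
    return false;
}

static void freeObject(Object *obj)
{
    for (Shape *s = obj->lastProp; s;) { Shape *p = s->parent; free(s); s = p; }
    obj->lastProp = NULL;
}

/* Adds an unwatched property, then a watched one, using `add`; reports whether
 * the shape returned for the watched property is still in the object. */
static bool returnedShapeIsInObject(Shape *(*add)(Object *, PropId))
{
    Object obj = { NULL };
    g_watchedId = 7;
    add(&obj, 1);
    Shape *ret = add(&obj, 7);
    bool inObj = ret && objectHasShape(&obj, ret);
    if (ret && !inObj)
        free(ret); /* the stale original the engine's GC would have reclaimed */
    freeObject(&obj);
    g_watchedId = NO_WATCH;
    return inObj;
}

int main(void)
{
    printf("buggy addProperty returns a shape in obj: %s\n",
           returnedShapeIsInObject(addPropertyBuggy) ? "yes" : "no");
    printf("fixed addProperty returns a shape in obj: %s\n",
           returnedShapeIsInObject(addPropertyFixed) ? "yes" : "no");
    return 0;
}
```

The check worth keeping from this model is `objectHasShape` applied to the return value of any add/put/change path that runs a mutating hook: once a hook can replace the thing a function is about to return, the function must return the hook's result, not the value captured before the call.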
Comment 1 • 13 years ago (Assignee)

I don't think this is limited to deleted watchpoints. putProperty and changeProperty seemed to have the same bug. This fixes them all.

Attachment #510409 - Flags: review?
Updated • 13 years ago (Assignee)

Attachment #510409 - Flags: review? → review?(jimb)
Comment 2 • 13 years ago (Assignee)

Attachment #510409 - Attachment is obsolete: true
Attachment #510449 - Flags: review?(jimb)
Attachment #510409 - Flags: review?(jimb)
Comment 3 • 13 years ago (Assignee)

This should softblock, IMHO.
blocking2.0: --- → ?
Whiteboard: [sg-critical?]
Updated • 13 years ago

blocking2.0: ? → betaN+
Whiteboard: [sg-critical?] → [sg-critical?][softblocker]
Updated • 13 years ago

blocking2.0: betaN+ → final+
Comment 4 • 13 years ago (Assignee)

Attachment #510449 - Attachment is obsolete: true
Attachment #511817 - Flags: review?(jimb)
Attachment #510449 - Flags: review?(jimb)
Comment 6 • 13 years ago

Comment on attachment 511817 (v3 - same as v1 but with 2 tests, and rebased)

Makes sense; thank you for cleaning up the various style issues, as well.

Attachment #511817 - Flags: review?(jimb) → review+
Comment 7 • 13 years ago (Assignee)

http://hg.mozilla.org/tracemonkey/rev/206a4c1c8ad8
Whiteboard: [sg-critical?][softblocker] → [sg-critical?][softblocker][fixed-in-tracemonkey]
Comment 8 • 13 years ago

cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/206a4c1c8ad8
Updated • 13 years ago

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 13 years ago

Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Target Milestone: --- → mozilla2.0