Closed Bug 1107936
Opened 9 years ago, closed 9 years ago
The "os" object in the JS shell is not fuzzing-safe and dangerous
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla37

Tracking | Status |
---|---|
firefox37 | affected |

People: Reporter: decoder, Assigned: sfink
Whiteboard: [fuzzblocker]
Attachments (1 file): patch, 1.11 KB, jorendorff: review+
Since recently, the shell seems to have an os object that has a system method. This object is obviously not fuzzing-safe and potentially dangerous to the fuzzing infrastructure. It should be entirely disabled with --fuzzing-safe. Assigning to Jason for now so it has an owner. It is critical for fuzzing to fix this before the fuzzer starts using it in some dangerous way.
Reporter, updated 9 years ago:
Whiteboard: [fuzzblocker]

Comment 1 (Assignee), 9 years ago:
I don't see fuzzing value in any of the os.* functions. os.getpid() is safe but will mess up differential output and doesn't seem that useful to test. So for now at least, it seems easiest to just not create the os object at all.
Attachment #8532562 - Flags: review?(jorendorff)
Assignee, updated 9 years ago:
Assignee: jorendorff → sphink
Status: NEW → ASSIGNED

Comment 2, 9 years ago:
Comment on attachment 8532562 [details] [diff] [review]
Do not define os for fuzzing-safe shell

Review of attachment 8532562 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with comments addressed

::: js/src/shell/js.cpp
@@ +5656,5 @@ > return 1; > > JSAutoCompartment ac(cx, glob); > > + if (fuzzingSafe) {

I think this is upside-down: it should be `if (!fuzzingSafe)`. Also... do you remember why we call DefineOS here instead of in NewGlobalObject with all the other global-defining stuff? r=me to move it in there, if not...
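Review bot: the guard `+ if (fuzzingSafe) {` at js/src/shell/js.cpp @@ +5656 reads inverted against the patch title "Do not define os for fuzzing-safe shell": with that condition the os object would be defined only in the fuzzing-safe shell, the one configuration that must not have it. Assuming the block wraps the DefineOS call (its body is not in the quoted hunk), the condition should be `if (!fuzzingSafe)`, or the call should move into NewGlobalObject beside the other global definitions as the reviewer suggests.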
Attachment #8532562 - Flags: review?(jorendorff) → review+
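A minimal C++ model of the fix discussed in this bug, added here as an illustration and not the SpiderMonkey shell's own code: a hypothetical NewGlobalObject that defines the os natives only when the fuzzing-safe flag is off, the inverted guard from Comment 2 beside it, and the check a fuzzing harness would want. Global, DefineOS, BaseGlobals and FuzzingSafeHasNoOS are stand-in names.

```cpp
// Added example modelling the js shell fix; not SpiderMonkey code. Names
// (Global, DefineOS, BaseGlobals, NewGlobalObject*, FuzzingSafeHasNoOS) are stand-ins.
#include <initializer_list>
#include <set>
#include <string>

// Stand-in for the shell's global object: the set of property names defined on it.
using Global = std::set<std::string>;

// The os natives from the bug. os.system spawns a process, so it must never be
// reachable from a fuzzer; os.getpid is harmless but breaks differential output.
static void DefineOS(Global &glob) {
    glob.insert("os");
    glob.insert("os.system");
    glob.insert("os.getpid");
}

// Always-present shell natives (illustrative, not the real list).
static Global BaseGlobals() { return Global{"print", "gc", "version"}; }

// Fixed form, placed where the review suggests: define os with the other
// globals, behind the negated flag, so --fuzzing-safe never sees it.
Global NewGlobalObject(bool fuzzingSafe) {
    Global glob = BaseGlobals();
    if (!fuzzingSafe)
        DefineOS(glob);
    return glob;
}

// The inverted guard flagged in Comment 2: os is defined exactly when it must
// not be, and a normal shell loses it.
Global NewGlobalObjectBuggy(bool fuzzingSafe) {
    Global glob = BaseGlobals();
    if (fuzzingSafe)
        DefineOS(glob);
    return glob;
}

// Regression check for a fuzzing harness: no os.* name may exist on the global.
bool FuzzingSafeHasNoOS(const Global &glob) {
    for (const char *name : {"os", "os.system", "os.getpid"})
        if (glob.count(name))
            return false;
    return true;
}
```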
https://hg.mozilla.org/integration/mozilla-inbound/rev/42df82421ca2
status-firefox37: --- → affected
Target Milestone: --- → mozilla37
Comment 4, 9 years ago:
https://hg.mozilla.org/mozilla-central/rev/42df82421ca2
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED