Closed
Bug 1357330
Opened 7 years ago
Closed 7 years ago
Frozen NaN-valued property can be overwritten with different NaN value
Categories
(Core :: JavaScript Engine, enhancement)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: anba, Assigned: anba)
Details
(Keywords: sec-other, Whiteboard: [adv-main55-][post-critsmash-triage])
Attachments
(2 files, 1 obsolete file)
12.16 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
1.01 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
Test case: --- function byteValue(value) { var isLittleEndian = new Uint8Array(new Uint16Array([1]).buffer)[0] !== 0; var ui8 = new Uint8Array(new Float64Array([value]).buffer); var hex = "0123456789ABCDEF"; var s = ""; for (var i = 0; i < 8; ++i) { var v = ui8[isLittleEndian ? 7 - i : i]; s += hex[(v >> 4) & 0xf] + hex[v & 0xf]; } return s; } var obj = {}; Object.defineProperty(obj, "prop", {value: NaN}); Object.defineProperty(obj, "prop", {value: -NaN}); assertEq(byteValue(obj.prop), byteValue(NaN)); --- Expected: Test passes Actual: Assertion failed: got "FFF8000000000000", expected "7FF8000000000000"
Assignee | ||
Comment 1•7 years ago
|
||
Adds the missing step 7.a.i.3. from ES2018 9.1.6.3 ValidateAndApplyPropertyDescriptor. Also updates a couple of outdated comments and replaces manual bit-testing for shape attributes with the existing IsXXX helpers.
Comment 2•7 years ago
|
||
Comment on attachment 8859285 [details] [diff] [review] bug1357330.patch Review of attachment 8859285 [details] [diff] [review]: ----------------------------------------------------------------- Nice find, could you commit a test for this as well? Out of curiosity, was this observable some other way than distinct NaNs before, like Proxy traps?
Attachment #8859285 -
Flags: review?(shu) → review+
Comment 3•7 years ago
|
||
What's the severity of this and how far back does it go?
Flags: needinfo?(andrebargull)
Comment 4•7 years ago
|
||
Is this the immediately exploitable kind of security-sensitive or is it the leaking information kind of security-sensitive?
Assignee | ||
Comment 5•7 years ago
|
||
(In reply to [Out of Office Until 24-April] Ryan VanderMeulen [:RyanVM] from comment #3) > What's the severity of this and how far back does it go? I think it goes back to bug 1125624 and bug 1148750. For the severity I'd probably go with sec-other, because this issue is limited to different NaN values and when similar issues happened in the past (search for "non-configurable" or "frozen"), most of the time we didn't even treat them as sec-bugs.
Flags: needinfo?(andrebargull)
Assignee | ||
Comment 6•7 years ago
|
||
Test case from comment #0. We'll get more thorough coverage through test262 as soon as I fix (and extend) [1]. [1] https://github.com/tc39/test262/blob/master/test/built-ins/Object/internals/DefineOwnProperty/nan-equivalence.js
Attachment #8859497 -
Flags: review?(shu)
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #2) > Nice find, could you commit a test for this as well? Added. > Out of curiosity, was this observable some other way than distinct NaNs > before, like Proxy traps? No, I don't think so. This should only be reproducible with native objects.
Assignee | ||
Comment 8•7 years ago
|
||
Comment on attachment 8859497 [details] [diff] [review] bug1357330-testcase.patch Forgot to qref, will add the proper patch later. :-/
Attachment #8859497 -
Attachment is obsolete: true
Attachment #8859497 -
Flags: review?(shu)
Assignee | ||
Comment 9•7 years ago
|
||
Attachment #8859570 -
Flags: review?(shu)
Updated•7 years ago
|
Attachment #8859570 -
Flags: review?(shu) → review+
Updated•7 years ago
|
Group: core-security → javascript-core-security
Assignee | ||
Updated•7 years ago
|
Keywords: checkin-needed
Comment 10•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/76bff2cde94c44b7bd1c3d2ce847db095175577f https://hg.mozilla.org/integration/mozilla-inbound/rev/da5a14ae4ce3084aa63a502e96af1a4c6ef76853 Doesn't sound like it's worth backporting to ESR52 (and Fx54 RC build is this week, so won't be going there either), but feel free to set the status back to affected and argue for it if you feel otherwise.
status-firefox53:
--- → wontfix
status-firefox54:
--- → wontfix
status-firefox-esr45:
--- → wontfix
status-firefox-esr52:
--- → wontfix
Flags: in-testsuite+
Keywords: checkin-needed
Comment 11•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/76bff2cde94c https://hg.mozilla.org/mozilla-central/rev/da5a14ae4ce3
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
|
Group: javascript-core-security → core-security-release
Updated•7 years ago
|
Whiteboard: [adv-main55-]
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•