Closed Bug 313938 Opened 19 years ago Closed 19 years ago

Unrooted access in jsscript.c

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: js1.6, verified1.7.13, verified1.8, Whiteboard: [sg:critical?])

Attachments

(3 files)

Fix
760 bytes, patch
brendan
: review+
mrbkap
: review+
shaver
: superreview+
Details | Diff | Splinter Review
roll-up patch to ride along
1.37 KB, patch
brendan
: review+
brendan
: superreview+
asa
: approval1.8rc2+
Details | Diff | Splinter Review
js1_5/String/regress-313938.js
2.67 KB, text/plain
Details
script_compile in jsscript.c does not root str, the result of js_ValueToObject applied to the first argument, before calling js_ValueToObject on the second and using str later. The following "standard" demo shows the bug in the shell/browser. var str = " 2;".substring(1); "1".substring(2); var expected = Script.prototype.compile(str).toSource(); var likeString = { toString: function() { var tmp = str; str = null; return tmp; } }; TWO = 2.0; var likeObject = { valueOf: function() { if (typeof gc == "function") gc(); for (var i = 0; i != 40000; ++i) { var tmp = 1e100 * TWO; } return this; } } var s = Script.prototype.compile(likeString, likeObject); var actual = s.toSource(); print(expected === actual);
I have found the problem accidentally when I tried to eliminate inherently unsafe js_ValueToString by a safer variant js_EnsureStringValue(JSContext *cx, jsval *pv); where pv is a rooted pointer. I believe such "active" search for bugs when one tries to replace the culprits of the resent bugs by a safer versions is a better way to locate problems then simply looking through the code. In particular, I missed the problem when looked through the file few days ago.
Summary: Unrooted access in jsscript.c → Unrooted access in jsscript.c
Flags: blocking1.8rc1?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:critical?]
Bellow is a test case version that shows the bug even with fix from bug 313952 applied. The new version adds extra "String(likeString);" to replace "str" that newly introduced lastInvokeResult holds by null before forcing GC. var str = " 2;".substring(1); "1".substring(2); var expected = Script.prototype.compile(str).toSource(); var likeString = { toString: function() { var tmp = str; str = null; return tmp; } }; TWO = 2.0; var likeObject = { valueOf: function() { String(likeString); // To remove str from lastresult if (typeof gc == "function") gc(); for (var i = 0; i != 40000; ++i) { var tmp = 1e100 * TWO; } return this; } } var s = Script.prototype.compile(likeString, likeObject); var actual = s.toSource(); print(expected === actual);
Assignee: general → igor.bukanov
Attached patch FixSplinter Review
Attachment #201107 - Flags: superreview?(shaver)
Attachment #201107 - Flags: review?(brendan)
Comment on attachment 201107 [details] [diff] [review] Fix I think we should get these in as quickly as possible. r=mrbkap
Attachment #201107 - Flags: review+
(In reply to comment #4) > (From update of attachment 201107 [details] [diff] [review] [edit]) > I think we should get these in as quickly as possible. r=mrbkap > Given that should I simply commit the patch, mark it as fixed and nominate for all the branches?
Yes. We're currently in "lock-down" since RC1 is currently out. If there's an RC2 then drivers will go over the nominations list to get bugs approved and into the branch.
I committed the fix to the trunk: marking as fixed. Somebody with sufficient power can change those "?" in bloking nomintaions to "+".
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 201107 [details] [diff] [review] Fix sr=shaver
Attachment #201107 - Flags: superreview?(shaver) → superreview+
Comment on attachment 201107 [details] [diff] [review] Fix This is safe for 1.8 checkin at any time. /be
Attachment #201107 - Flags: review?(brendan)
Attachment #201107 - Flags: review+
Attachment #201107 - Flags: approval1.8rc1?
Script thaw also fails to set a converted argv. I'll put a branch patch here that fixes both, in a minute. /be
Though blocking, please wait for patch approval to land.
Flags: blocking1.8rc1?
Flags: blocking1.8rc1+
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Attachment #201179 - Flags: superreview+
Attachment #201179 - Flags: review+
Attachment #201179 - Flags: approval1.8rc1?
Attachment #201107 - Flags: approval1.8rc1?
moving this to the nomination state with the rest of our RC2 ride along bugs.
Flags: blocking1.8rc1+ → blocking1.8rc1?
Flags: testcase?
moving out to the 1.8 rc2 ride-along candidate list. We'll consider taking this if we do an RC2.
Flags: blocking1.8rc1? → blocking1.8rc2?
Attachment #201179 - Flags: approval1.8rc1? → approval1.8rc1+
Attachment #201179 - Flags: approval1.8rc1+ → approval1.8rc2+
Fixed on the 1.8 branch. /be
Keywords: fixed1.8, js1.6
Flags: blocking1.8rc2?
verified firefox 1.5 rc2 linux/win32 2005-11-07
Keywords: fixed1.8verified1.8
testcase+ to get this off my radar. when this is made public, i will check in the test.
Flags: testcase? → testcase+
Fixes checked into the 1.7 branch.
Keywords: fixed-aviary1.0.8, fixed1.7.13
verified firefox/1.7.13,1.8.0.1,1.8,1.9a1 win/linux/mac
Status: RESOLVED → VERIFIED
Keywords: fixed-aviary1.0.8verified-aviary1.0.8
v moz 1.7.13 windows 20060212
Keywords: fixed1.7.13verified1.7.13
Group: security
RCS file: /cvsroot/mozilla/js/tests/js1_5/GC/regress-313938.js,v done Checking in regress-313938.js; /cvsroot/mozilla/js/tests/js1_5/GC/regress-313938.js,v <-- regress-313938.js initial revision: 1.1 done
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: