scanner: memory exposure to scripts

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Reported: 11 years ago
Modified: 11 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

Keywords: verified1.8.0.5, verified1.8.1
Version: Trunk
Points: ---
Bug Flags: blocking1.8.0.5 +, in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(3 attachments, 2 obsolete attachments)

(Assignee)

Description

11 years ago
The code of GetXMLEntity from jsscan.c contains the following code:

    bp = ts->tokenbuf.base + offset;
....
    FastAppendChar(&ts->tokenbuf, ';');
    bytes = js_DeflateString(cx, bp + 1,
                             PTRDIFF(ts->tokenbuf.ptr, bp, jschar) - 2);
 
This does not take into account that FastAppendChar may grow and reallocate the buffer. When such a reallocation happens, ts->tokenbuf.ptr - bp can be an arbitrary number. If js_DeflateString can allocate and access the corresponding region of memory, bytes would be a C string corresponding to this arbitrary number of characters. Then this string would be embedded in the thrown error object that the script can catch and read.

Since in principle this could allow reading various bytes that travel through the arena area by catching the thrown error object from a script, I mark this as a security problem.
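The stale-pointer pattern the description above refers to, as an added example that is not code from jsscan.c or from this bug's attachments: a toy growable token buffer (assumed shape, with base/ptr/limit fields modelled on the report) whose append may move the block, beside an extraction routine that takes a raw pointer before the append (the reported pattern, here guarded so it reports the dangling pointer instead of using it) and a hardened one that keeps the offset and rederives the pointer from the live base afterwards. The sample input "x&amp" and the exact-fit block size are constructed so that appending ';' is guaranteed to trigger growth.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the scanner's token buffer (assumed shape, not JSTokenBuf). */
typedef struct {
    char *base;   /* start of the heap block */
    char *ptr;    /* one past the last appended char */
    char *limit;  /* end of the heap block */
} TokenBuf;

static int tokenbuf_init(TokenBuf *tb, size_t cap) {
    tb->base = malloc(cap);
    if (!tb->base) return 0;
    tb->ptr = tb->base;
    tb->limit = tb->base + cap;
    return 1;
}

/* Append one char, doubling the block when full. Growth here always moves
 * the block (fresh allocation, copy, free) so a raw pointer saved before the
 * append is guaranteed dead afterwards; realloc() in a real FastAppendChar
 * only moves sometimes, which is why the reported bug is layout-dependent. */
static int tokenbuf_append(TokenBuf *tb, char c) {
    if (tb->ptr == tb->limit) {
        size_t len = (size_t)(tb->ptr - tb->base);
        size_t cap = (size_t)(tb->limit - tb->base) * 2;
        char *nb = malloc(cap);
        if (!nb) return 0;
        memcpy(nb, tb->base, len);
        free(tb->base);
        tb->base = nb;
        tb->ptr = nb + len;
        tb->limit = nb + cap;
    }
    *tb->ptr++ = c;
    return 1;
}

static void tokenbuf_free(TokenBuf *tb) {
    free(tb->base);
    tb->base = tb->ptr = tb->limit = NULL;
}

/* The reported pattern: bp is taken before the append that can grow the block
 * and then used for the length arithmetic. Returns -1 when bp no longer lies
 * inside the live block, i.e. when the length would have been garbage. */
static long entity_len_stale(TokenBuf *tb, size_t offset) {
    char *bp = tb->base + offset;          /* points at '&', saved too early */
    if (!tokenbuf_append(tb, ';')) return -1;
    uintptr_t b = (uintptr_t)bp, lo = (uintptr_t)tb->base, hi = (uintptr_t)tb->ptr;
    if (b < lo || b >= hi)                 /* block moved: bp is dangling */
        return -1;
    return (long)(tb->ptr - bp) - 2;       /* same arithmetic as GetXMLEntity */
}

/* Hardened form: keep the offset across the append and rederive the pointer
 * from the live base. Copies the name between '&' and ';' into out and
 * returns its length, or -1 on failure. */
static long entity_name_fixed(TokenBuf *tb, size_t offset, char *out, size_t outsz) {
    if (!tokenbuf_append(tb, ';')) return -1;
    char *bp = tb->base + offset;          /* recomputed after possible growth */
    size_t len = (size_t)(tb->ptr - bp) - 2;
    if (len + 1 > outsz) return -1;        /* bounds check before the copy */
    memcpy(out, bp + 1, len);
    out[len] = '\0';
    return (long)len;
}

/* Constructed input: "x&amp" in a block of exactly 5 bytes, so the next
 * append forces growth. The entity starts at offset 1. */
static int fill_sample(TokenBuf *tb) {
    static const char sample[] = "x&amp";
    if (!tokenbuf_init(tb, sizeof(sample) - 1)) return 0;
    for (const char *p = sample; *p; p++)
        if (!tokenbuf_append(tb, *p)) return 0;
    return 1;
}

/* Returns 3 when the hardened extraction yields "amp", a negative value otherwise. */
static long demo_fixed(void) {
    TokenBuf tb; char name[8];
    if (!fill_sample(&tb)) return -1;
    long n = entity_name_fixed(&tb, 1, name, sizeof name);
    tokenbuf_free(&tb);
    return (n == 3 && strcmp(name, "amp") == 0) ? n : -2;
}

/* Returns -1: the stale computation is caught because the block moved. */
static long demo_stale(void) {
    TokenBuf tb;
    if (!fill_sample(&tb)) return -3;
    long n = entity_len_stale(&tb, 1);
    tokenbuf_free(&tb);
    return n;
}

int main(void) {
    printf("fixed: %ld\nstale: %ld\n", demo_fixed(), demo_stale());
    return 0;
}
```

The fix actually landed in comment 3 takes the simpler route of not appending ';' at all, so no pointer is held across a possible growth; the offset-based variant above is the general remedy when the append is needed.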
(Assignee)

Comment 1

11 years ago
Created attachment 223899 [details]
Test case for JS shell

Note that depending on memory layout the test case may actually. If this is the case, try to change N in test() function to 127, 511 or other 2^p - 1 values.
(Assignee)

Comment 2

11 years ago
Created attachment 223901 [details]
Better test (for JS shell)

This is a better version, as in the previous case the "must_be_good" string could in fact be bad.
Attachment #223899 - Attachment is obsolete: true
(Assignee)

Comment 3

11 years ago
Created attachment 223907 [details] [diff] [review]
Fix

The fix just removes the appending of ';' to the buffer, as it was not included in the error message in any case.
Assignee: general → igor.bukanov
Status: NEW → ASSIGNED
Attachment #223907 - Flags: review?(mrbkap)
Attachment #223907 - Flags: approval1.8.0.5?
Attachment #223907 - Flags: approval-branch-1.8.1?(brendan)

Updated

11 years ago
Attachment #223907 - Flags: review?(mrbkap) → review+
(Assignee)

Updated

11 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

11 years ago
I committed the fix
(Assignee)

Comment 5

11 years ago
Created attachment 223958 [details]
Even better test case

The test case now contains a loop to try various N itself.
Attachment #223901 - Attachment is obsolete: true
Comment 6

Comment on attachment 223907 [details] [diff] [review]
Fix

Wow, what was I thinking?  Thanks,

/be
Attachment #223907 - Flags: approval-branch-1.8.1?(brendan) → approval-branch-1.8.1+
(Assignee)

Comment 7

11 years ago
I committed the patch to MOZILLA_1_8_BRANCH
Keywords: fixed1.8.1
Comment 8

Comment on attachment 223907 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #223907 - Flags: approval1.8.0.5? → approval1.8.0.5+
Flags: blocking1.8.0.5+
(Assignee)

Comment 9

11 years ago
I committed the patch from comment 3 to MOZILLA_1_8_0_BRANCH
Keywords: fixed1.8.0.5

Comment 10

11 years ago
Created attachment 225875 [details]
e4x/GC/regress-339785.js

Updated

11 years ago
Flags: in-testsuite+

Comment 11

11 years ago
verified fixed 1.8.0.5, 1.8.1, 1.9a1 20060622 builds on all platforms.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.5, fixed1.8.1 → verified1.8.0.5, verified1.8.1
Whiteboard: [sg:critical?]

Comment 12

11 years ago
note to self: e4x/GC/regress-339785.js: TIMED OUT browser firefox-trunk-dbg-1.9a1_2006072314 windows, not seen on any other platform.

Comment 13

11 years ago
'Even better testcase' appears to be okay on aviary. So I guess this is not present there. Igor?
(Assignee)

Comment 14

11 years ago
(In reply to comment #13)
> 'Even better testcase' appears to be okay on aviary. So I guess this is not
> present there. Igor?
> 

The bug was introduced during 1.8 development. So assuming "aviary" means branches with version < 1.8, then the answer is that the bug does not exist there.
Group: security

Comment 15

11 years ago
/cvsroot/mozilla/js/tests/e4x/GC/regress-339785.js,v  <--  regress-339785.js