Closed Bug 354978 Opened 13 years ago Closed 13 years ago

privilege escalation using watchpoint

(Core :: JavaScript Engine, defect, P1)

(Reporter: sync2d, Assigned: mrbkap)

(Keywords: testcase, verified1.8.0.9, verified1.8.1.1, Whiteboard: [sg:critical])

(3 files)

Pseudo stack frame constructed by js_watch_set() is not aware of function
cloning. So it can be used to execute arbitrary code with elevated privilege.
Attached file testcase
works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20060930 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:
  Gecko/20060930 Firefox/
Johnny: you just landed bug 336731. Although that doesn't fix this, is it similar enough to this one that you'd want to look into the fix?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical]
Attached patch Fix
I have a feeling that brendan won't be too happy with this fix, but I haven't given this bug enough thought to fix it in a better way. This fix makes the faux frame maintain the illusion of the cloned function object.
Assignee: general → mrbkap
Attachment #244855 - Flags: review?(brendan)
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 244855 [details] [diff] [review]

No, I like this fix.  But didn't Igor try an auto-storage-class array initialiser with runtime values and find some old compiler we still care about choking on it?

Attachment #244855 - Flags: review?(brendan) → review+
Igor, do you remember the compiler that comment 4 mentions?
Fix checked into trunk. I'll fix compiler bustage as needed.
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 244855 [details] [diff] [review]

>+                jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };
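Review bot: the `+` line initialises an automatic array with `OBJECT_TO_JSVAL(funobj)`, which is a runtime value, inside a brace initializer list; C89 requires every element of an aggregate initializer list to be a constant expression, so pre-C99 compilers reject this line. Suggest declaring `jsval argv[2];` and then assigning `argv[0] = OBJECT_TO_JSVAL(funobj);` and `argv[1] = JSVAL_NULL;` as separate statements, which compiles identically on every compiler and keeps the same values.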
Note: gcc 2.96 won't compile this because OBJECT_TO_JSVAL(funobj) is not a constant - "initializer element is not computable at load time".
Comment on attachment 244959 [details] [diff] [review]
Fix (potential) build bustage

Attachment #244959 - Flags: review?(brendan) → review+
Eagerly awaiting branch patch(es).

The "potential" build bustage is breaking BeOS; can we get attachment 244959 [details] [diff] [review] checked in?
Depends on: 360376
Filed bug 360376 so we can hand out the bustage patch more easily.
This is just a combination of the other two patches in this bug.
Attachment #245376 - Flags: approval1.8.1.1?
Attachment #245376 - Flags: approval1.8.0.9?
Comment on attachment 245376 [details] [diff] [review]
Combined branch patch

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #245376 - Flags: approval1.8.1.1?
Attachment #245376 - Flags: approval1.8.1.1+
Attachment #245376 - Flags: approval1.8.0.9?
Attachment #245376 - Flags: approval1.8.0.9+
Fixed on the 1.8.* branches.
20061127 windows/linux

Verified fixed: no alert appears, but the security error about Components.classes does not appear until the page is refreshed.

Verified fixed: no alert appears; the security error appears when the link is clicked.
Hi shutdown,

I've tried to send you e-mail a few times without success. Can you contact us so we can pay you the bug bounty in connection with this bug and the other research that you have done?


chris h.
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...
Group: security
Flags: in-testsuite?
I like this technology of browsers, but I need one original Mozilla version which body, equality of Windows 98 or OS 9.2. more jflat ..

Sorry for my English, friends.

Keywords: testcase
Flags: in-testsuite? → in-testsuite-