Bug 354978 - privilege escalation using watchpoint
Keywords: testcase, verified1.8.0.9, verified1.8.1.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: P1 normal
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
: Jason Orendorff [:jorendorff]
Depends on: 360376
Reported: 2006-09-30 13:45 PDT by shutdown
Modified: 2013-03-26 08:03 PDT (History)
dveditz: blocking1.8.1.1+
dveditz: blocking1.8.0.9+
choller: in‑testsuite-

Fix (1.42 KB, patch)
2006-11-06 18:44 PST, Blake Kaplan (:mrbkap)
brendan: review+
Fix (potential) build bustage (1.28 KB, patch)
2006-11-07 16:25 PST, Blake Kaplan (:mrbkap)
jst: review+
Combined branch patch (1.48 KB, patch)
2006-11-11 23:37 PST, Blake Kaplan (:mrbkap)
dveditz: approval1.8.0.9+
dveditz: approval1.8.1.1+

Description shutdown 2006-09-30 13:45:25 PDT
The pseudo stack frame constructed by js_watch_set() is not aware of function
cloning, so it can be used to execute arbitrary code with elevated privilege.
Comment 1 shutdown 2006-09-30 13:46:38 PDT
Created attachment 240755 [details]

works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20060930 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:
  Gecko/20060930 Firefox/
Comment 2 Daniel Veditz [:dveditz] 2006-11-06 16:56:56 PST
Johnny: you just landed bug 336731. Although that doesn't fix this, is it similar enough to this one that you'd want to look into the fix?
Comment 3 Blake Kaplan (:mrbkap) 2006-11-06 18:44:35 PST
Created attachment 244855 [details] [diff] [review]

I have a feeling that brendan won't be too happy with this fix, but I haven't given this bug enough thought to fix it in a better way. This fix makes the faux frame maintain the illusion of the cloned function object.
Comment 4 Brendan Eich [:brendan] 2006-11-06 19:24:03 PST
Comment on attachment 244855 [details] [diff] [review]

No, I like this fix. But didn't Igor try an auto-storage-class array initialiser with runtime values and find some old compiler we still care about choking on it?

Comment 5 Blake Kaplan (:mrbkap) 2006-11-06 19:25:15 PST
Igor, do you remember the compiler that comment 4 mentions?
Comment 6 Blake Kaplan (:mrbkap) 2006-11-06 21:10:18 PST
Fix checked into trunk. I'll fix compiler bustage as needed.
Comment 7 2006-11-07 16:17:16 PST
Comment on attachment 244855 [details] [diff] [review]

>+                jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };
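Review bot: the brace initializer `jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };` contains an element that is not a compile-time constant, which pre-C99 compilers reject for an aggregate even with automatic storage (the concern raised in comment 4 and the gcc 2.96 error reported in this comment); declaring `jsval argv[2];` and then assigning `argv[0] = OBJECT_TO_JSVAL(funobj); argv[1] = JSVAL_NULL;` separately is accepted by every compiler the tree builds with and changes nothing else in the frame setup.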
Note: gcc 2.96 won't compile this because OBJECT_TO_JSVAL(funobj) is not a constant - "initializer element is not computable at load time".
Comment 8 Blake Kaplan (:mrbkap) 2006-11-07 16:25:13 PST
Created attachment 244959 [details] [diff] [review]
Fix (potential) build bustage
Comment 9 Johnny Stenback (:jst, 2006-11-08 14:11:52 PST
Comment on attachment 244959 [details] [diff] [review]
Fix (potential) build bustage

Comment 10 Brendan Eich [:brendan] 2006-11-08 23:51:39 PST
Eagerly awaiting branch patch(es).

Comment 11 Daniel Veditz [:dveditz] 2006-11-11 10:56:21 PST
The "potential" build bustage is breaking BeOS. Can we get attachment 244959 [details] [diff] [review] checked in?
Comment 12 Daniel Veditz [:dveditz] 2006-11-11 11:05:57 PST
Filed bug 360376 so we can hand out the bustage patch more easily.
Comment 13 Blake Kaplan (:mrbkap) 2006-11-11 23:37:02 PST
Created attachment 245376 [details] [diff] [review]
Combined branch patch

This is just a combination of the other two patches in this bug.
Comment 14 Daniel Veditz [:dveditz] 2006-11-13 12:18:56 PST
Comment on attachment 245376 [details] [diff] [review]
Combined branch patch

Approved for 1.8/1.8.0 branches, a=dveditz for drivers.
Comment 15 Blake Kaplan (:mrbkap) 2006-11-24 11:45:53 PST
Fixed on the 1.8.* branches.
Comment 16 Bob Clary [:bc:] 2006-11-27 23:01:42 PST
20061127 windows/linux

Verified fixed: no alert appears, but the security error about Components.classes does not appear until the page is refreshed.

Verified fixed: no alert appears, and the security error appears when the link is clicked.
Comment 17 chris hofmann 2007-01-23 12:10:02 PST
hi shutdown,

I've tried to send you e-mail a few times without success. Can you contact so we can pay you a bug bounty in connection with this bug and other research that you have done.


chris h.
Comment 18 chris hofmann 2007-04-24 15:29:35 PDT
pvnick is doing a bit of research on XSS and also gathering up bugs with security-related test cases to help add to the regression/certification test suites. Adding him to the cc list in these...
Comment 19 071273 2008-01-25 07:33:00 PST
I like this technology of browsers, but I need one version of Mozilla original which body, equality of 98 Windows or OS 9.2. more jflat ..

sorry for my English, friends

