block object allows access to arbitrary stack slots

VERIFIED FIXED

Status

critical
VERIFIED FIXED

People

(Reporter: sync2d, Unassigned)

Tracking

Trunk
crash, verified1.8.1
Bug Flags:
blocking1.8.1 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] js1.7 fixed in bug 355590)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
$ cat block-object-stack-access.txt
(function() {
  let b = function(){}.__parent__;
  print(b[1] = throwError);
})();

$ dbg.obj/js -v 170 block-object-stack-access.txt
block-object-stack-access.txt:3: Error: This is an error

You can read/write arbitrary interpreter stack slots.
I'm going to file a cover bug for this one, to hold the trunk patch so we can get it in as a standard conformance fix.  Thanks for finding this -- __parent__ is not something that should leak lexical scope, let alone internal memory access!

/be
Filed bug 355590 for public patching of this bug.  Patch attached there is attachment 241369 [details] [diff] [review].

/be
Nominating this bug as blocking1.8.1* but the patch nominated for approval1.8.1 is over in bug 355590.  Please don't mark a dependency on that bug.

/be
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Again, not in 1.8, fixed on 1.9 trunk in bug 355590.  Still hoping to use that as the public bug and not link any s-s bug to it until we ship.

/be
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: blocking1.9?
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Resolution: --- → FIXED

Comment 5

12 years ago
Created attachment 241452 [details]
js1_7/regress/regress-355583.js

Updated

12 years ago
Flags: in-testsuite+
Whiteboard: [sg:critical] js1.7 fixed in bug 355590
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Keywords: fixed1.8.1

Comment 7

12 years ago
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Already fixed, clearing nomination flag; also clearing security flag per comment 4
Group: security
Flags: blocking1.8.1.1?

Comment 9

12 years ago
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-355583.js,v  <--  regress-355583.js