355583 - block object allows access to arbitrary stack slots

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[shutdown]

$ cat block-object-stack-access.txt
(function() {
  let b = function(){}.__parent__;
  print(b[1] = throwError);
})();

$ dbg.obj/js -v 170 block-object-stack-access.txt
block-object-stack-access.txt:3: Error: This is an error

You can read/write arbitrary interpreter stack slots.

Comment 1

[Brendan Eich [:brendan]]

I'm going to file a cover bug for this one, to hold the trunk patch so we can get it in as a standard conformance fix.  Thanks for finding this -- __parent__ is not something that should leak lexical scope, let alone internal memory access!

/be

Comment 2

[Brendan Eich [:brendan]]

Filed bug 355590 for public patching of this bug.  Patch attached there is attachment 241369 [details] [diff] [review].

/be

Comment 3

[Brendan Eich [:brendan]]

Nominating this bug as blocking1.8.1* but the patch nominated for approval1.8.1 is over in bug 355590.  Please don't mark a dependency on that bug.

/be

Comment 4

[Brendan Eich [:brendan]]

Again, not in 1.8, fixed on 1.9 trunk in bug 355590.  Still hoping to use that as the public bug and not link any s-s bug to it until we ship.

/be

Comment 5

[Bob Clary [:bc] (inactive)]

Attachment: js1_7/regress/regress-355583.js

Comment 6

[Mike Beltzner [:beltzner, not reading bugmail]]

Blocking for Fx2 RC3

Comment 7

[Bob Clary [:bc] (inactive)]

verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux

Comment 8

[Daniel Veditz [:dveditz]]

Already fixed, clearing nomination flag; also clearing security flag per comment 4

Comment 9

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_7/extensions/regress-355583.js,v  <--  regress-355583.js