running script can be recompiled (CVE-2006-5463)

VERIFIED FIXED

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
11 years ago
10 years ago

People

(Reporter: shutdown, Assigned: brendan)

Tracking

({crash, verified1.8.0.8, verified1.8.1})

Trunk
crash, verified1.8.0.8, verified1.8.1
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.7.14 +
blocking-aviary1.0.9 +
blocking1.8.1 +
blocking1.8.0.8 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(4 attachments, 4 obsolete attachments)

(Reporter)

Description

11 years ago
$ dbg.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
Assertion failure: map->vector && i < map->length, at jsatom.c:919

$ opt.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
=> crash

You can execute arbitary interpreter bytecodes using this bug.
(Reporter)

Updated

11 years ago
Severity: normal → critical
(Reporter)

Comment 1

11 years ago
Created attachment 241424 [details]
proof of concept

$ dbg.obj/js script-recompile.txt
uncaught exception: this should never be thrown!
(Assignee)

Comment 2

11 years ago
This is a shell-only bug (please confirm), since Script is deconfigured in the Mozilla client embeddings.

/be

Comment 3

11 years ago
(In reply to comment #2)
> This is a shell-only bug (please confirm), since Script is deconfigured in the
> Mozilla client embeddings.

I can crash in 1.8 from today using Jesse's shell with the example code:
TB24198572

js_LookupPropertyWithFlags  [mozilla/js/src/jsobj.c, line 3107]
js_LookupProperty  [mozilla/js/src/jsobj.c, line 3082]
with_LookupProperty  [mozilla/js/src/jsobj.c, line 1753]
js_FindProperty  [mozilla/js/src/jsobj.c, line 3291]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4198]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
script_exec  [mozilla/js/src/jsscript.c, line 329]
script_call  [mozilla/js/src/jsscript.c, line 846]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4115]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
obj_eval  [mozilla/js/src/jsobj.c, line 1357]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4115]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
JS_EvaluateUCScriptForPrincipals  [mozilla/js/src/jsapi.c, line 4375]
nsJSContext::EvaluateString  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100]
nsJSThunk::EvaluateScript  [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 302]
nsJSChannel::InternalOpen  [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 566]
...

and Script appears to be available to Firefox from what I can tell.

(Assignee)

Updated

11 years ago
Flags: blocking1.8.1?
(Assignee)

Comment 4

11 years ago
Created attachment 241468 [details] [diff] [review]
fix

I'm horrified by the Script object, and want to remove it.  It was a youthful exuberance that's not standard, not thread safe, and probably not memory safe even with this patch.  For 1.9, all that should be left of jsscript.c are the internal APIs used by the code generator and debug/introspection modules (perhaps some of the utility functions in jsemit.c could move to jsscript.c, as a cleanup).

Anyway, this is a minimal patch to close the self-modifying script hole.  It does not detect oldscript running on other contexts, but that "can't happen" without a run-to-completion violation.  The only known r2c violations have to-do with events and timeouts/intervals nesting while a modal dialog is running.  All modal dialog script is sourced in .xul files or .js files, not generated via new Script.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #241468 - Flags: review?(igor.bukanov)
Attachment #241468 - Flags: approval1.8.1?

Updated

11 years ago
Attachment #241468 - Flags: review?(igor.bukanov) → review+
(Assignee)

Comment 5

11 years ago
Fixed on trunk (checking message mentions attachment number):

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.72; previous revision: 3.71
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.116; previous revision: 3.115
done

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Blocks: 256195
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical?]
In firefox 1.5.0.7+ I get the "this should never be thrown!" exception, but no crash. In Firefox 2 I crash TB24233863, somewhat different stack from comment 3.

Comment 7

11 years ago
Created attachment 241538 [details]
js1_5/Regress/regress-355655.js

Updated

11 years ago
Flags: in-testsuite+

Comment 8

11 years ago
Created attachment 241573 [details]
js1_5/Regress/regress-355655.js

catch error
Attachment #241538 - Attachment is obsolete: true

Comment 9

11 years ago
verified fixed 1.9 20061007 windows/linux
Status: RESOLVED → VERIFIED
(Reporter)

Updated

11 years ago
Depends on: 355982
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+

Comment 11

11 years ago
Comment on attachment 241468 [details] [diff] [review]
fix

Approved for RC3.
Attachment #241468 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Comment 12

11 years ago
Fixed on the 1.8 branch, along with bug 355982:

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.43.8.13; previous revision: 3.43.8.12
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.15; previous revision: 3.79.2.14
done

/be
Keywords: fixed1.8.1
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment on attachment 241468 [details] [diff] [review]
fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #241468 - Flags: approval1.8.0.8+

Comment 14

11 years ago
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
Keywords: fixed1.8.1 → verified1.8.1
Created attachment 242584 [details] [diff] [review]
1.8.0 branch patch

There are no unused slots on the branch, so adding to the end.
Created attachment 242585 [details] [diff] [review]
1.8.0 branch patch

oops, wrong patch...
Attachment #242584 - Attachment is obsolete: true
Attachment #242585 - Flags: review?(brendan)
Attachment #242585 - Flags: approval1.8.0.8?
Attachment #241468 - Flags: approval1.8.0.8+
(Assignee)

Comment 17

11 years ago
Comment on attachment 242585 [details] [diff] [review]
1.8.0 branch patch

Please include the null test patch from bug 355982 (which this bug's patch regressed on trunk and was fixed all at once with this bug for the 1.8 branch).

/be
Attachment #242585 - Flags: review?(brendan) → review-
Created attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)
Attachment #242585 - Attachment is obsolete: true
Attachment #242682 - Flags: review?
Attachment #242585 - Flags: approval1.8.0.8?
Attachment #242682 - Flags: review? → review?(brendan)
Attachment #242682 - Flags: approval1.8.0.8?
(Assignee)

Comment 19

11 years ago
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

r=me, thanks.

/be
Attachment #242682 - Flags: review?(brendan) → review+
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #242682 - Flags: approval1.8.0.8? → approval1.8.0.8+
mozilla/js/src/js.msg 	3.43.8.2.2.2
mozilla/js/src/jsscript.c 	3.79.2.5.2.2
Keywords: fixed1.8.0.8

Comment 22

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.8pre) Gecko/20061020 Firefox/1.5.0.8pre, no crash or uncaught exception with PoC.
Keywords: fixed1.8.0.8 → verified1.8.0.8
This is old code, aviary/moz1.7 should get this fix as well.
Flags: blocking1.7.14+
Flags: blocking-aviary1.0.9+
This has been assigned CVE-2006-5463
Summary: running script can be recompiled → running script can be recompiled (CVE-2006-5463)

Comment 25

10 years ago
CCing moz_bug_r_a4 so he can understand what he found in bug 367121.

Comment 26

10 years ago
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...

Comment 27

10 years ago
Created attachment 263074 [details]
 js1_5/Regress/regress-355655.js  

error message has changed due to bug 376121
Attachment #241573 - Attachment is obsolete: true
Group: security

Comment 28

10 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-355655.js,v  <--  regress-355655.js
initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.