Bug 355655 - running script can be recompiled (CVE-2006-5463)
Status: VERIFIED FIXED
Whiteboard: [sg:critical?]
Keywords: crash, verified1.8.0.8, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Brendan Eich [:brendan]
Depends on: 355982
Blocks: sbb?
Reported: 2006-10-05 23:17 PDT by shutdown
Modified: 2007-06-14 15:27 PDT
Flags:
dveditz: blocking1.7.14+
dveditz: blocking-aviary1.0.9+
mbeltzner: blocking1.8.1+
dveditz: blocking1.8.0.8+
bob: in-testsuite+


Attachments
proof of concept (1.35 KB, text/html) - 2006-10-05 23:23 PDT, shutdown - no flags
fix (4.16 KB, patch) - 2006-10-06 10:57 PDT, Brendan Eich [:brendan] - igor: review+, mtschrep: approval1.8.1+
js1_5/Regress/regress-355655.js (2.30 KB, text/plain) - 2006-10-07 03:52 PDT, Bob Clary [:bc:] - no flags
js1_5/Regress/regress-355655.js (2.43 KB, text/plain) - 2006-10-07 12:15 PDT, Bob Clary [:bc:] - no flags
1.8.0 branch patch (3.48 KB, patch) - 2006-10-17 17:27 PDT, :Gavin Sharp [email: gavin@gavinsharp.com] - no flags
1.8.0 branch patch (3.48 KB, patch) - 2006-10-17 17:28 PDT, :Gavin Sharp [email: gavin@gavinsharp.com] - brendan: review-
1.8.0 branch patch (with null check) (3.54 KB, patch) - 2006-10-18 13:14 PDT, :Gavin Sharp [email: gavin@gavinsharp.com] - brendan: review+, dveditz: approval1.8.0.8+
js1_5/Regress/regress-355655.js (2.57 KB, text/plain) - 2007-04-27 17:52 PDT, Bob Clary [:bc:] - no flags

Description shutdown 2006-10-05 23:17:14 PDT
$ dbg.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
Assertion failure: map->vector && i < map->length, at jsatom.c:919

$ opt.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
=> crash

You can execute arbitrary interpreter bytecodes using this bug.
Comment 1 shutdown 2006-10-05 23:23:48 PDT
Created attachment 241424 [details]
proof of concept

$ dbg.obj/js script-recompile.txt
uncaught exception: this should never be thrown!
Comment 2 Brendan Eich [:brendan] 2006-10-05 23:28:00 PDT
This is a shell-only bug (please confirm), since Script is deconfigured in the Mozilla client embeddings.

/be
Comment 3 Bob Clary [:bc:] 2006-10-05 23:59:53 PDT
(In reply to comment #2)
> This is a shell-only bug (please confirm), since Script is deconfigured in the
> Mozilla client embeddings.

I can crash in 1.8 from today using Jesse's shell with the example code:
TB24198572

js_LookupPropertyWithFlags  [mozilla/js/src/jsobj.c, line 3107]
js_LookupProperty  [mozilla/js/src/jsobj.c, line 3082]
with_LookupProperty  [mozilla/js/src/jsobj.c, line 1753]
js_FindProperty  [mozilla/js/src/jsobj.c, line 3291]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4198]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
script_exec  [mozilla/js/src/jsscript.c, line 329]
script_call  [mozilla/js/src/jsscript.c, line 846]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4115]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
obj_eval  [mozilla/js/src/jsobj.c, line 1357]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4115]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
JS_EvaluateUCScriptForPrincipals  [mozilla/js/src/jsapi.c, line 4375]
nsJSContext::EvaluateString  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100]
nsJSThunk::EvaluateScript  [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 302]
nsJSChannel::InternalOpen  [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 566]
...

and Script appears to be available to Firefox from what I can tell.

Comment 4 Brendan Eich [:brendan] 2006-10-06 10:57:44 PDT
Created attachment 241468 [details] [diff] [review]
fix

I'm horrified by the Script object, and want to remove it.  It was a youthful exuberance that's not standard, not thread safe, and probably not memory safe even with this patch.  For 1.9, all that should be left of jsscript.c are the internal APIs used by the code generator and debug/introspection modules (perhaps some of the utility functions in jsemit.c could move to jsscript.c, as a cleanup).

Anyway, this is a minimal patch to close the self-modifying script hole.  It does not detect oldscript running on other contexts, but that "can't happen" without a run-to-completion violation.  The only known r2c violations have to do with events and timeouts/intervals nesting while a modal dialog is running.  All modal dialog script is sourced in .xul files or .js files, not generated via new Script.

/be
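The self-modifying script hole described in the description and in comment 4, as an added example (a toy C model written for this page, not Brendan's patch or SpiderMonkey code; script_t, script_compile, script_exec and the opcode names are assumed): the interpreter loop reads the script's bytecode buffer directly, so a compile() reached from inside that loop is refused instead of being allowed to free the buffer underneath it.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model, not SpiderMonkey: the loop reads s->code directly and compile() replaces it. */
enum { OP_ADD = 1, OP_RECOMPILE = 2, OP_RET = 3 };
enum { ERR_OK = 0, ERR_RUNNING = 1 };
typedef struct { unsigned char *code; size_t len; int running; } script_t;

/* The guard: refuse to replace bytecode that an active execution still points into. */
static int script_compile(script_t *s, const unsigned char *src, size_t len)
{
    if (s->running)
        return ERR_RUNNING;
    unsigned char *fresh = malloc(len);
    memcpy(fresh, src, len);
    free(s->code);           /* without the guard this frees code still being executed */
    s->code = fresh;
    s->len = len;
    return ERR_OK;
}
/* OP_RECOMPILE mimics s.compile(t) called from inside s; *err receives the result. */
static int script_exec(script_t *s, const unsigned char *src, size_t len, int *err)
{
    int acc = 0;
    s->running++;
    for (size_t pc = 0; pc < s->len;) {
        switch (s->code[pc]) {
        case OP_ADD:       acc += s->code[pc + 1]; pc += 2; break;
        case OP_RECOMPILE: *err = script_compile(s, src, len); pc += 1; break;
        default:           pc = s->len; break;   /* OP_RET or unknown opcode: stop */
        }
    }
    s->running--;
    return acc;
}

/* Constructed scenario: a program that recompiles itself mid-run; returns 0 when refused while running, accepted once idle. */
static int demo_self_recompile(void)
{
    static const unsigned char prog[] = { OP_ADD, 5, OP_RECOMPILE, OP_ADD, 7, OP_RET };
    static const unsigned char repl[] = { OP_ADD, 1, OP_RET };
    script_t s = { malloc(sizeof prog), sizeof prog, 0 };
    memcpy(s.code, prog, sizeof prog);
    int err = ERR_OK;
    int first = script_exec(&s, repl, sizeof repl, &err);  /* 12: old bytecode kept running */
    int later = script_compile(&s, repl, sizeof repl);     /* idle now, so accepted */
    int second = script_exec(&s, repl, sizeof repl, &err); /* 1 */
    free(s.code);
    return (first == 12 && err == ERR_RUNNING && later == ERR_OK && second == 1) ? 0 : 1;
}
```

The running counter stands in for the "is this script currently executing on this context" check the comment describes; as comment 4 notes, a script running on another context is outside what such a check can see.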
Comment 5 Brendan Eich [:brendan] 2006-10-06 13:14:31 PDT
Fixed on trunk (check-in message mentions attachment number):

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.72; previous revision: 3.71
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.116; previous revision: 3.115
done

/be
Comment 6 Daniel Veditz [:dveditz] 2006-10-06 18:05:45 PDT
In firefox 1.5.0.7+ I get the "this should never be thrown!" exception, but no crash. In Firefox 2 I crash TB24233863, somewhat different stack from comment 3.
Comment 7 Bob Clary [:bc:] 2006-10-07 03:52:49 PDT
Created attachment 241538 [details]
js1_5/Regress/regress-355655.js
Comment 8 Bob Clary [:bc:] 2006-10-07 12:15:46 PDT
Created attachment 241573 [details]
js1_5/Regress/regress-355655.js

catch error
Comment 9 Bob Clary [:bc:] 2006-10-07 12:16:38 PDT
verified fixed 1.9 20061007 windows/linux
Comment 10 Mike Beltzner [:beltzner, not reading bugmail] 2006-10-08 19:55:41 PDT
Blocking for Fx2 RC3
Comment 11 Mike Schroepfer 2006-10-08 20:19:01 PDT
Comment on attachment 241468 [details] [diff] [review]
fix

Approved for RC3.
Comment 12 Brendan Eich [:brendan] 2006-10-08 21:25:00 PDT
Fixed on the 1.8 branch, along with bug 355982:

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.43.8.13; previous revision: 3.43.8.12
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.15; previous revision: 3.79.2.14
done

/be
Comment 13 Daniel Veditz [:dveditz] 2006-10-09 10:47:24 PDT
Comment on attachment 241468 [details] [diff] [review]
fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 14 Bob Clary [:bc:] 2006-10-10 00:06:20 PDT
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
Comment 15 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-10-17 17:27:30 PDT
Created attachment 242584 [details] [diff] [review]
1.8.0 branch patch

There are no unused slots on the branch, so adding to the end.
Comment 16 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-10-17 17:28:31 PDT
Created attachment 242585 [details] [diff] [review]
1.8.0 branch patch

oops, wrong patch...
Comment 17 Brendan Eich [:brendan] 2006-10-18 13:05:36 PDT
Comment on attachment 242585 [details] [diff] [review]
1.8.0 branch patch

Please include the null test patch from bug 355982 (which this bug's patch regressed on trunk and was fixed all at once with this bug for the 1.8 branch).

/be
Comment 18 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-10-18 13:14:19 PDT
Created attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)
Comment 19 Brendan Eich [:brendan] 2006-10-18 13:16:20 PDT
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

r=me, thanks.

/be
Comment 20 Daniel Veditz [:dveditz] 2006-10-18 15:08:37 PDT
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

approved for 1.8.0 branch, a=dveditz for drivers
Comment 21 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-10-19 13:34:15 PDT
mozilla/js/src/js.msg 	3.43.8.2.2.2
mozilla/js/src/jsscript.c 	3.79.2.5.2.2
Comment 22 Jay Patel [:jay] 2006-10-20 14:12:17 PDT
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.8pre) Gecko/20061020 Firefox/1.5.0.8pre, no crash or uncaught exception with PoC.
Comment 23 Daniel Veditz [:dveditz] 2006-11-01 18:01:28 PST
This is old code, aviary/moz1.7 should get this fix as well.
Comment 24 Daniel Veditz [:dveditz] 2006-11-07 13:50:52 PST
This has been assigned CVE-2006-5463
Comment 25 Jesse Ruderman 2007-01-16 07:23:05 PST
CCing moz_bug_r_a4 so he can understand what he found in bug 367121.
Comment 26 chris hofmann 2007-04-24 15:29:38 PDT
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...
Comment 27 Bob Clary [:bc:] 2007-04-27 17:52:59 PDT
Created attachment 263074 [details]
js1_5/Regress/regress-355655.js

error message has changed due to bug 376121
Comment 28 Bob Clary [:bc:] 2007-06-14 15:27:43 PDT
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-355655.js,v  <--  regress-355655.js
initial revision: 1.1
