running script can be recompiled (CVE-2006-5463)

VERIFIED FIXED

Status

()

defect
--
critical
VERIFIED FIXED
13 years ago
12 years ago

People

(Reporter: sync2d, Assigned: brendan)

Tracking

({crash, verified1.8.0.8, verified1.8.1})

Trunk
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.7.14 +
blocking-aviary1.0.9 +
blocking1.8.1 +
blocking1.8.0.8 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(4 attachments, 4 obsolete attachments)

Reporter

Description

13 years ago
$ dbg.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
Assertion failure: map->vector && i < map->length, at jsatom.c:919

$ opt.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
=> crash

You can execute arbitary interpreter bytecodes using this bug.
Reporter

Updated

13 years ago
Severity: normal → critical
Reporter

Comment 1

13 years ago
Posted file proof of concept
$ dbg.obj/js script-recompile.txt
uncaught exception: this should never be thrown!
Assignee

Comment 2

13 years ago
This is a shell-only bug (please confirm), since Script is deconfigured in the Mozilla client embeddings.

/be

Comment 3

13 years ago
(In reply to comment #2)
> This is a shell-only bug (please confirm), since Script is deconfigured in the
> Mozilla client embeddings.

I can crash in 1.8 from today using Jesse's shell with the example code:
TB24198572

js_LookupPropertyWithFlags  [mozilla/js/src/jsobj.c, line 3107]
js_LookupProperty  [mozilla/js/src/jsobj.c, line 3082]
with_LookupProperty  [mozilla/js/src/jsobj.c, line 1753]
js_FindProperty  [mozilla/js/src/jsobj.c, line 3291]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4198]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
script_exec  [mozilla/js/src/jsscript.c, line 329]
script_call  [mozilla/js/src/jsscript.c, line 846]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4115]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
obj_eval  [mozilla/js/src/jsobj.c, line 1357]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4115]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
JS_EvaluateUCScriptForPrincipals  [mozilla/js/src/jsapi.c, line 4375]
nsJSContext::EvaluateString  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100]
nsJSThunk::EvaluateScript  [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 302]
nsJSChannel::InternalOpen  [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 566]
...

and Script appears to be available to Firefox from what I can tell.

Assignee

Updated

13 years ago
Flags: blocking1.8.1?
Assignee

Comment 4

13 years ago
Posted patch fixSplinter Review
I'm horrified by the Script object, and want to remove it.  It was a youthful exuberance that's not standard, not thread safe, and probably not memory safe even with this patch.  For 1.9, all that should be left of jsscript.c are the internal APIs used by the code generator and debug/introspection modules (perhaps some of the utility functions in jsemit.c could move to jsscript.c, as a cleanup).

Anyway, this is a minimal patch to close the self-modifying script hole.  It does not detect oldscript running on other contexts, but that "can't happen" without a run-to-completion violation.  The only known r2c violations have to-do with events and timeouts/intervals nesting while a modal dialog is running.  All modal dialog script is sourced in .xul files or .js files, not generated via new Script.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #241468 - Flags: review?(igor.bukanov)
Attachment #241468 - Flags: approval1.8.1?

Updated

13 years ago
Attachment #241468 - Flags: review?(igor.bukanov) → review+
Assignee

Comment 5

13 years ago
Fixed on trunk (checking message mentions attachment number):

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.72; previous revision: 3.71
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.116; previous revision: 3.115
done

/be
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Blocks: sbb?
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical?]
In firefox 1.5.0.7+ I get the "this should never be thrown!" exception, but no crash. In Firefox 2 I crash TB24233863, somewhat different stack from comment 3.

Comment 7

13 years ago
Posted file js1_5/Regress/regress-355655.js (obsolete) —

Updated

13 years ago
Flags: in-testsuite+

Comment 8

13 years ago
Posted file js1_5/Regress/regress-355655.js (obsolete) —
catch error
Attachment #241538 - Attachment is obsolete: true

Comment 9

13 years ago
verified fixed 1.9 20061007 windows/linux
Status: RESOLVED → VERIFIED
Reporter

Updated

13 years ago
Depends on: 355982
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+

Comment 11

13 years ago
Comment on attachment 241468 [details] [diff] [review]
fix

Approved for RC3.
Attachment #241468 - Flags: approval1.8.1? → approval1.8.1+
Assignee

Comment 12

13 years ago
Fixed on the 1.8 branch, along with bug 355982:

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.43.8.13; previous revision: 3.43.8.12
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.15; previous revision: 3.79.2.14
done

/be
Keywords: fixed1.8.1
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment on attachment 241468 [details] [diff] [review]
fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #241468 - Flags: approval1.8.0.8+

Comment 14

13 years ago
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
Posted patch 1.8.0 branch patch (obsolete) — Splinter Review
There are no unused slots on the branch, so adding to the end.
Posted patch 1.8.0 branch patch (obsolete) — Splinter Review
oops, wrong patch...
Attachment #242584 - Attachment is obsolete: true
Attachment #242585 - Flags: review?(brendan)
Attachment #242585 - Flags: approval1.8.0.8?
Attachment #241468 - Flags: approval1.8.0.8+
Assignee

Comment 17

13 years ago
Comment on attachment 242585 [details] [diff] [review]
1.8.0 branch patch

Please include the null test patch from bug 355982 (which this bug's patch regressed on trunk and was fixed all at once with this bug for the 1.8 branch).

/be
Attachment #242585 - Flags: review?(brendan) → review-
Attachment #242585 - Attachment is obsolete: true
Attachment #242682 - Flags: review?
Attachment #242585 - Flags: approval1.8.0.8?
Attachment #242682 - Flags: review? → review?(brendan)
Assignee

Comment 19

13 years ago
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

r=me, thanks.

/be
Attachment #242682 - Flags: review?(brendan) → review+
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #242682 - Flags: approval1.8.0.8? → approval1.8.0.8+
mozilla/js/src/js.msg 	3.43.8.2.2.2
mozilla/js/src/jsscript.c 	3.79.2.5.2.2
Keywords: fixed1.8.0.8

Comment 22

13 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.8pre) Gecko/20061020 Firefox/1.5.0.8pre, no crash or uncaught exception with PoC.
This is old code, aviary/moz1.7 should get this fix as well.
Flags: blocking1.7.14+
Flags: blocking-aviary1.0.9+
This has been assigned CVE-2006-5463
Summary: running script can be recompiled → running script can be recompiled (CVE-2006-5463)

Comment 25

13 years ago
CCing moz_bug_r_a4 so he can understand what he found in bug 367121.

Comment 26

12 years ago
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...

Comment 27

12 years ago
error message has changed due to bug 376121
Attachment #241573 - Attachment is obsolete: true
Group: security

Comment 28

12 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-355655.js,v  <--  regress-355655.js
initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.