1.35 KB, text/html
4.16 KB, patch
|Details | Diff | Splinter Review|
3.54 KB, patch
|Details | Diff | Splinter Review|
2.57 KB, text/plain
$ dbg.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();" Assertion failure: map->vector && i < map->length, at jsatom.c:919 $ opt.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();" => crash You can execute arbitary interpreter bytecodes using this bug.
$ dbg.obj/js script-recompile.txt uncaught exception: this should never be thrown!
This is a shell-only bug (please confirm), since Script is deconfigured in the Mozilla client embeddings. /be
(In reply to comment #2) > This is a shell-only bug (please confirm), since Script is deconfigured in the > Mozilla client embeddings. I can crash in 1.8 from today using Jesse's shell with the example code: TB24198572 js_LookupPropertyWithFlags [mozilla/js/src/jsobj.c, line 3107] js_LookupProperty [mozilla/js/src/jsobj.c, line 3082] with_LookupProperty [mozilla/js/src/jsobj.c, line 1753] js_FindProperty [mozilla/js/src/jsobj.c, line 3291] js_Interpret [mozilla/js/src/jsinterp.c, line 4198] js_Execute [mozilla/js/src/jsinterp.c, line 1619] script_exec [mozilla/js/src/jsscript.c, line 329] script_call [mozilla/js/src/jsscript.c, line 846] js_Invoke [mozilla/js/src/jsinterp.c, line 1373] js_Interpret [mozilla/js/src/jsinterp.c, line 4115] js_Execute [mozilla/js/src/jsinterp.c, line 1619] obj_eval [mozilla/js/src/jsobj.c, line 1357] js_Invoke [mozilla/js/src/jsinterp.c, line 1373] js_Interpret [mozilla/js/src/jsinterp.c, line 4115] js_Execute [mozilla/js/src/jsinterp.c, line 1619] JS_EvaluateUCScriptForPrincipals [mozilla/js/src/jsapi.c, line 4375] nsJSContext::EvaluateString [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100] nsJSThunk::EvaluateScript [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 302] nsJSChannel::InternalOpen [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 566] ... and Script appears to be available to Firefox from what I can tell.
I'm horrified by the Script object, and want to remove it. It was a youthful exuberance that's not standard, not thread safe, and probably not memory safe even with this patch. For 1.9, all that should be left of jsscript.c are the internal APIs used by the code generator and debug/introspection modules (perhaps some of the utility functions in jsemit.c could move to jsscript.c, as a cleanup). Anyway, this is a minimal patch to close the self-modifying script hole. It does not detect oldscript running on other contexts, but that "can't happen" without a run-to-completion violation. The only known r2c violations have to-do with events and timeouts/intervals nesting while a modal dialog is running. All modal dialog script is sourced in .xul files or .js files, not generated via new Script. /be
Fixed on trunk (checking message mentions attachment number): Checking in js.msg; /cvsroot/mozilla/js/src/js.msg,v <-- js.msg new revision: 3.72; previous revision: 3.71 done Checking in jsscript.c; /cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c new revision: 3.116; previous revision: 3.115 done /be
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
In firefox 18.104.22.168+ I get the "this should never be thrown!" exception, but no crash. In Firefox 2 I crash TB24233863, somewhat different stack from comment 3.
Attachment #241538 - Attachment is obsolete: true
verified fixed 1.9 20061007 windows/linux
Status: RESOLVED → VERIFIED
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 241468 [details] [diff] [review] fix Approved for RC3.
Attachment #241468 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch, along with bug 355982: Checking in js.msg; /cvsroot/mozilla/js/src/js.msg,v <-- js.msg new revision: 22.214.171.124; previous revision: 126.96.36.199 done Checking in jsscript.c; /cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c new revision: 188.8.131.52; previous revision: 184.108.40.206 done /be
Comment on attachment 241468 [details] [diff] [review] fix approved for 1.8.0 branch, a=dveditz for drivers
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
There are no unused slots on the branch, so adding to the end.
oops, wrong patch...
Attachment #242584 - Attachment is obsolete: true
Comment on attachment 242585 [details] [diff] [review] 1.8.0 branch patch Please include the null test patch from bug 355982 (which this bug's patch regressed on trunk and was fixed all at once with this bug for the 1.8 branch). /be
Attachment #242585 - Flags: review?(brendan) → review-
Attachment #242682 - Flags: review? → review?(brendan)
Attachment #242682 - Flags: approval220.127.116.11?
Comment on attachment 242682 [details] [diff] [review] 1.8.0 branch patch (with null check) r=me, thanks. /be
Attachment #242682 - Flags: review?(brendan) → review+
Comment on attachment 242682 [details] [diff] [review] 1.8.0 branch patch (with null check) approved for 1.8.0 branch, a=dveditz for drivers
Attachment #242682 - Flags: approval18.104.22.168? → approval22.214.171.124+
mozilla/js/src/js.msg 126.96.36.199.2.2 mozilla/js/src/jsscript.c 188.8.131.52.2.2
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:184.108.40.206pre) Gecko/20061020 Firefox/220.127.116.11pre, no crash or uncaught exception with PoC.
This is old code, aviary/moz1.7 should get this fix as well.
This has been assigned CVE-2006-5463
Summary: running script can be recompiled → running script can be recompiled (CVE-2006-5463)
CCing moz_bug_r_a4 so he can understand what he found in bug 367121.
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites. adding him to the cc list in these...
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-355655.js,v <-- regress-355655.js initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.