Closed Bug 365527 Opened 18 years ago Closed 18 years ago

JSOP_ARGUMENTS does not set obj register

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: verified1.8.0.10, verified1.8.1.2, Whiteboard: [sg:critical?])

Attachments

(3 files)

HTML test case that crashes the browser
578 bytes, text/html
Details
Fix v1
779 bytes, patch
brendan
: review+
dveditz
: approval1.8.1.2+
dveditz
: approval1.8.0.10+
Details | Diff | Splinter Review
js1_5/Function/regress-365527.js
2.74 KB, text/plain
Details 
The interpreter case for JSOP_ARGUMENTS does not set obj register. As such using arguments() in a function body will push the older value of obj register to the stack. 

This is exploitable AFAICS as a script can organize to GC the old value and override arguments with an arbitrary function that would see as its this value GC-ed object.
The test case "hopes" that the branch callback calls the GC at the right moment after executing obj.x getter which unroots the old obj value stored in the register. To see the crash it may be necessary to click continue in the slow script alert.
Whiteboard: [sg:critical?]
Attached patch Fix v1Splinter Review 
The fix sets obj to NULL as arguments should be treated as any other var declared in a function at the call site.
Attachment #250055 - Flags: review?(brendan)
The same problem exists on branches.
Status: NEW → ASSIGNED
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Comment on attachment 250055 [details] [diff] [review]
Fix v1

The patch applies to the branches, 1.8.0 requires a trivial merger as the patch is not applicable there as-is due to too much context.
Attachment #250055 - Flags: approval1.8.1.2?
Attachment #250055 - Flags: approval1.8.0.10?
Comment on attachment 250055 [details] [diff] [review]
Fix v1

r=me, should go into branches ASAP as it is a totally safe fix. Thanks,

/be
Attachment #250055 - Flags: review?(brendan) → review+
Here is a test case for jsshell to demonstrate the problem:

~/m/files> cat y1.js 
function gc_obj()
{
  obj = null;
  gc();
}

var obj = { x: { valueOf: gc_obj }};

function f()
{
  arguments = function() { this.something };
  // obj.x stores obj in the register and +obj.x calls gc_obj 
  // as valueOf method. That GC the register value.
  +obj.x;
  arguments();
}

f();
~/m/files> ~/m/trunk/mozilla/js/src/Linux_All_DBG.OBJ/js  y1.js
before 27696, after 27696, break 0812a000
Segmentation fault (core dumped)

I committed the patch from comment 2 to the trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.316; previous revision: 3.315
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 250055 [details] [diff] [review]
Fix v1

Approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #250055 - Flags: approval1.8.1.2?
Attachment #250055 - Flags: approval1.8.1.2+
Attachment #250055 - Flags: approval1.8.0.10?
Attachment #250055 - Flags: approval1.8.0.10+
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10?
Flags: blocking1.8.0.10+
I committed the patch from comment 2 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.79; previous revision: 3.181.2.78
done
Keywords: fixed1.8.1.2
I committed the patch from comment 2 to MOZILLA_1_8_0_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.17.2.25; previous revision: 3.181.2.17.2.24
done
Keywords: fixed1.8.0.10
Flags: in-testsuite+
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.10, fixed1.8.1.2verified1.8.0.10, verified1.8.1.2
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-365527.js,v  <--  regress-365527.js
initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: