Potential memory corruption in script_toSource and script_toString

VERIFIED FIXED

Status

()

Core
JavaScript Engine
VERIFIED FIXED
10 years ago
10 years ago

People

(Reporter: moz_bug_r_a4, Assigned: Brian Crowder)

Tracking

({verified1.8.0.10, verified1.8.1.2})

Trunk
verified1.8.0.10, verified1.8.1.2
Points:
---
Bug Flags:
wanted1.8.1.x +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical])

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
Created attachment 251634 [details]
testcase

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsscript.c&rev=3.129&mark=84,95-98#72
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsscript.c&rev=3.129&mark=142,149-152#133

In script_toSource and script_toString, we retrieve |script| before calling
js_ValueToECMAUint32(cx, argv[0], &indent)).  During the call to
js_ValueToECMAUint32, |script| can be freed by calling script.compile().

  var s = new Script("");
  var o = {
    valueOf : function() {
      s.compile("");
    }
  };
  s.toSource(o);
or
  s.toString(o);

---
js> var s = new Script(""), o = {
  valueOf : function() {
    s.compile("");
    Array(11).join(Array(11).join(Array(101).join("aaaaa")));
    return;
  }
}; s.toString(o); void 0;

Breakpoint 2, script_toString (cx=0x81556a8, obj=0x815b1c0, argc=1,
    argv=0x81648a8, rval=0xbf91eda0) at jsscript.c:149
149         if (argc && !js_ValueToECMAUint32(cx, argv[0], &indent))
(gdb) p script
$1 = (JSScript *) 0x8163af0
(gdb) p/x *script
$2 = {code = 0x8163b20, length = 0x1, main = 0x8163b20, version = 0x0,
  numGlobalVars = 0x0, atomMap = {vector = 0x0, length = 0x0},
  filename = 0x8162481, lineno = 0x1, depth = 0x0, trynotes = 0x0,
  principals = 0x0, object = 0x815b1c0}
(gdb) c
Continuing.

Breakpoint 3, script_toString (cx=0x81556a8, obj=0x815b1c0, argc=1,
    argv=0x81648a8, rval=0xbf91eda0) at jsscript.c:151
151         str = JS_DecompileScript(cx, script, "Script.prototype.toString",
(gdb) p/x *script
$3 = {code = 0x610061, length = 0x610061, main = 0x610061, version = 0x61,
  numGlobalVars = 0x61, atomMap = {vector = 0x610061, length = 0x610061},
  filename = 0x610061, lineno = 0x610061, depth = 0x610061,
  trynotes = 0x610061, principals = 0x610061, object = 0x610061}
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x080c85ec in Decompile (ss=0xbf91ec58,
    pc=0x610061 <Address 0x610061 out of bounds>, nb=6357089)
    at jsopcode.c:1614
1614            op = (JSOp) *pc;
(gdb) bt
#0  0x080c85ec in Decompile (ss=0xbf91ec58,
    pc=0x610061 <Address 0x610061 out of bounds>, nb=6357089)
    at jsopcode.c:1614
#1  0x080d2513 in js_DecompileCode (jp=0x81632e0, script=0x8163af0,
    pc=0x610061 <Address 0x610061 out of bounds>, len=6357089, pcdepth=0)
    at jsopcode.c:4192
#2  0x080d26a1 in js_DecompileScript (jp=0x81632e0, script=0x8163af0)
    at jsopcode.c:4212
#3  0x0805fc74 in JS_DecompileScript (cx=0x81556a8, script=0x8163af0,
    name=0x81304c2 "Script.prototype.toString", indent=0) at jsapi.c:4158
#4  0x080f7293 in script_toString (cx=0x81556a8, obj=0x815b1c0, argc=1,
    argv=0x81648a8, rval=0xbf91eda0) at jsscript.c:151
#5  0x080990e5 in js_Invoke (cx=0x81556a8, argc=1, flags=0) at jsinterp.c:1348
#6  0x080a93a4 in js_Interpret (cx=0x81556a8, pc=0x816485c ":",
    result=0xbf91f354) at jsinterp.c:4070
#7  0x080999f2 in js_Execute (cx=0x81556a8, chain=0x815a020, script=0x81647f8,
    down=0x0, flags=0, result=0xbf920424) at jsinterp.c:1607
#8  0x0805fe17 in JS_ExecuteScript (cx=0x81556a8, obj=0x815a020,
    script=0x81647f8, rval=0xbf920424) at jsapi.c:4212
#9  0x08049760 in Process (cx=0x81556a8, obj=0x815a020, filename=0x0,
    forceTTY=0) at js.c:268
#10 0x08049ecb in ProcessArgs (cx=0x81556a8, obj=0x815a020, argv=0xbf9205b8,
    argc=0) at js.c:489
---Type <return> to continue, or q <return> to quit---
#11 0x0804e5b7 in main (argc=0, argv=0xbf9205b8, envp=0xbf9205bc) at js.c:3167
(gdb)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:critical?]
Critical security bugs must have owners. If you can't work on this bug help us find another active owner for it.
Assignee: general → brendan

Updated

10 years ago
Assignee: brendan → crowder
(Assignee)

Comment 2

10 years ago
Created attachment 252964 [details] [diff] [review]
Moving the value conversions earlier.

Moving the value conversions earlier.
Attachment #252964 - Flags: review?(brendan)
(Assignee)

Comment 3

10 years ago
Sorry for spam; I meant to add:  This is a patch against the trunk.  To test it, since the Script removal is checked in, you'll need to manually turn it back on in jsconfig.h.  I will port to branches if moz_bug doesn't defeat this.
Comment on attachment 252964 [details] [diff] [review]
Moving the value conversions earlier.

>Index: jsscript.c
>===================================================================
>RCS file: /cvsroot/mozilla/js/src/jsscript.c,v
>retrieving revision 3.130
>diff -u -p -8 -r3.130 jsscript.c
>--- jsscript.c	25 Jan 2007 23:08:52 -0000	3.130
>+++ jsscript.c	26 Jan 2007 23:53:20 -0000
>@@ -74,31 +74,32 @@ script_toSource(JSContext *cx, JSObject 
> {
>     JSScript *script;
>     size_t i, j, k, n;
>     char buf[16];
>     jschar *s, *t;
>     uint32 indent;
>     JSString *str;
> 
>+    indent = 0;
>+    if (argc && !js_ValueToECMAUint32(cx, argv[0], &indent))
>+        return JS_FALSE;

Nit: move indent's decl up to first place to match use order, same for toString.

Great spot-fix, thanks.

/be
Attachment #252964 - Flags: review?(brendan) → review+
(Assignee)

Comment 5

10 years ago
Created attachment 252995 [details] [diff] [review]
moved index decls to match use-order as suggested

This is the patch I am landing on the main trunk.  Branch patches coming.
Attachment #252964 - Attachment is obsolete: true
Attachment #252995 - Flags: review+
(Assignee)

Comment 6

10 years ago
Went to go check-in; but this is one of my first interesting security-bugs, so I stopped myself.  Seems like it might be a good idea for this one to have some sort of cover-bug?
Status: NEW → ASSIGNED
(Assignee)

Comment 7

10 years ago
Patch applies cleanly on both branches as-is.  Please advice with regard to landing strategy.
OS: Windows XP → All
Hardware: PC → All
(Assignee)

Updated

10 years ago
Attachment #252995 - Flags: approval1.8.1.2?
Attachment #252995 - Flags: approval1.8.0.10?
Comment on attachment 252995 [details] [diff] [review]
moved index decls to match use-order as suggested

a=dveditz for 1.8/1.8.0 branches.

You could use a public cover bug, but what would it say? You could also check in under the attachment number rather than bug number (without saying it's an attachment number -- we'll know). The checkin comment should be vague in any case, like "bail earlier if we can't get the value"
Attachment #252995 - Flags: approval1.8.1.2?
Attachment #252995 - Flags: approval1.8.1.2+
Attachment #252995 - Flags: approval1.8.0.10?
Attachment #252995 - Flags: approval1.8.0.10+
(Assignee)

Comment 9

10 years ago
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.133; previous revision: 3.132
done
(Assignee)

Comment 10

10 years ago
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.21; previous revision: 3.79.2.20
done
Whiteboard: [sg:critical?] → [sg:critical]
(Assignee)

Comment 11

10 years ago
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.5.2.4; previous revision: 3.79.2.5.2.3
done
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

10 years ago
Keywords: fixed1.8.0.10, fixed1.8.1.2

Comment 12

10 years ago
Created attachment 254262 [details]
js1_5/extensions/regress-367120-01.js

Comment 13

10 years ago
Created attachment 254263 [details]
js1_5/extensions/regress-367120-02.js

Updated

10 years ago
Flags: in-testsuite+
Verified using testcase in comment #0 on:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10pre) Gecko/20070206 Firefox/1.5.0.10pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070206 BonEcho/2.0.0.2pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10pre) Gecko/20070208 Firefox/1.5.0.10pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2pre) Gecko/20070207 BonEcho/2.0.0.2pre

Also on latest linux trunk, and latest Mac 2002pre nightly.
Keywords: fixed1.8.0.10, fixed1.8.1.2 → verified1.8.0.10, verified1.8.1.2
(Assignee)

Comment 15

10 years ago
Another one Taras might find interesting.  Similar bad pattern with pointer-usage.
Depends on: 368534

Comment 16

10 years ago
verified fixed 2007-02-17 1.9.0 windows/mac*/linux
Status: RESOLVED → VERIFIED
Group: security

Comment 17

10 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367120-01.js,v  <--  regress-367120-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367120-02.js,v  <--  regress-367120-02.js
initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.