Bug: getter/setter issue is not yet fixed on branches
Status: VERIFIED FIXED
Product / Component: Core / JavaScript Engine
Reported 11 years ago; last modified 10 years ago
Reporter: moz_bug_r_a4 (Unassigned)
Keywords: verified1.8.0.10, verified1.8.1.2
Version / Platform / OS: Trunk, x86, Windows XP
Bug flags: blocking1.8.1.2 +, blocking1.8.0.10 +, in-testsuite +
Firefox tracking flags: (Not tracked)
Whiteboard: [sg:critical] fix in bug 366292
Attachments: 5

Description (Reporter, 11 years ago)

Created attachment 252060: testcase

The patch in bug 366396 is not sufficient to fix this on branches.
CACHED_GET, CACHED_SET, NATIVE_GET, NATIVE_SET are related.

And this could potentially be exploitable.

---
var a = { set x() {} };
a.x;

The resulting value is 2 (obj->slots[-1] == 5).

---
var a = { set x() {} };
for (var i = 0; i < 92169 - 3; ++i) a[i] = 1;
a.x;
a.x;

The resulting value is 46084 (obj->slots[-1] == 92169).

---
var a = { set x() {} };
for (var i = 0; i < 0x4bf20 - 3; ++i) a[i] = 1;
a.x;
a.x.x;

Crash (obj->slots[-1] == 0x4bf20).

---
var a = { set x() {} };
for (var i = 0; i < 0x10050c - 3; ++i) a[i] = 1;
a.x;
typeof a.x;

The resulting value is "string" (obj->slots[-1] == 0x10050c).

---
var a = { get y() {} };
a.y = 10;
for (var i = 0; i < 3; ++i) a[i] = 1;

*** glibc detected *** double free or corruption (out): 0x08a42d90 ***

#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb74d19a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb74d32b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb750587a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4  0xb750bfd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
#5  0xb750c34a in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xb7e6fe75 in JS_free (cx=0x885a1f0, p=0x8a42d90) at jsapi.c:1690
#7  0xb7ee9436 in AllocSlots (cx=0x885a1f0, slots=0x8a42d94, nslots=8)
    at jsobj.c:2280
#8  0xb7eeb140 in js_AllocSlot (cx=0x885a1f0, obj=0x8a80b30, slotp=0xbfa80e04)
    at jsobj.c:2733
#9  0xb7f26a7c in js_AddScopeProperty (cx=0x885a1f0, scope=0x8a29d38, id=5,
    getter=0, setter=0, slot=4294967295, attrs=1, flags=0, shortid=0)
    at jsscope.c:1134
#10 0xb7eee70a in js_SetProperty (cx=0x885a1f0, obj=0x8a80b30, id=5,
    vp=0xbfa815f0) at jsobj.c:3699
#11 0xb7eca7e2 in js_Interpret (cx=0x885a1f0, pc=0x88017ad "8\002)",
    result=0xbfa81990) at jsinterp.c:3737
#12 0xb7eb94f5 in js_Execute (cx=0x885a1f0, chain=0x8a80b48, script=0x8801740,
    down=0x81baff8, flags=32, result=0xbfa81b70) at jsinterp.c:1654
#13 0xb7ee5e07 in obj_eval (cx=0x885a1f0, obj=0x8a94418, argc=1,
    argv=0x81bb078, rval=0xbfa81b70) at jsobj.c:1360
#14 0xb7eb8927 in js_Invoke (cx=0x885a1f0, argc=1, flags=0) at jsinterp.c:1396
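The values quoted in the description follow from the 32-bit tagged jsval encoding of that era: the broken getter path hands back obj->slots[-1] (the slot count) as if it were a property value, and the low tag bits of that count decide whether it is read as an int, an object pointer or a string. The decoder below is an added illustration, not code from this bug or from SpiderMonkey; the tag constants are recalled from jsapi.h of the 1.8 era and should be treated as an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed tag layout of the 32-bit jsval in 1.8-era SpiderMonkey
 * (from jsapi.h of that period; not stated in the bug report). */
#define JSVAL_OBJECT  0x0u
#define JSVAL_INT     0x1u   /* low bit set: remaining 31 bits hold the int */
#define JSVAL_DOUBLE  0x2u
#define JSVAL_STRING  0x4u
#define JSVAL_BOOLEAN 0x6u
#define JSVAL_TAGMASK 0x7u

enum jsval_kind { K_INT, K_OBJECT, K_DOUBLE, K_STRING, K_BOOLEAN, K_OTHER };

/* Classify a raw machine word the way the engine would when the word is
 * handed back as a property value; int_out receives the decoded int for K_INT. */
enum jsval_kind classify_jsval(uint32_t word, int32_t *int_out)
{
    if (word & JSVAL_INT) {
        *int_out = (int32_t)word >> 1;      /* JSVAL_TO_INT */
        return K_INT;
    }
    switch (word & JSVAL_TAGMASK) {
    case JSVAL_OBJECT:  return K_OBJECT;    /* dereferenced as a JSObject pointer */
    case JSVAL_DOUBLE:  return K_DOUBLE;
    case JSVAL_STRING:  return K_STRING;    /* typeof reports "string" */
    case JSVAL_BOOLEAN: return K_BOOLEAN;
    default:            return K_OTHER;
    }
}

static const char *kind_name(enum jsval_kind k)
{
    static const char *names[] = { "int", "object", "double", "string", "boolean", "other" };
    return names[k];
}

int main(void)
{
    /* The four slots[-1] values quoted in the description. */
    const uint32_t observed[] = { 5u, 92169u, 0x4bf20u, 0x10050cu };
    for (size_t i = 0; i < sizeof observed / sizeof observed[0]; ++i) {
        int32_t n = 0;
        enum jsval_kind k = classify_jsval(observed[i], &n);
        if (k == K_INT)
            printf("slots[-1] == %u -> int %d\n", observed[i], n);
        else
            printf("slots[-1] == %#x -> %s\n", observed[i], kind_name(k));
    }
    return 0;
}
```

Running it reproduces the description's observations: 5 and 92169 decode as the ints 2 and 46084, 0x4bf20 is taken for an object pointer (hence the crash on a.x.x), and 0x10050c carries the string tag.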
Comment 1 (Reporter, 11 years ago)

SeaMonkey 1.1 has been released with this bug.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070111 SeaMonkey/1.1

Bug 366292 was never checked into the 1.8 branch...
Is this a duplicate of bug 366292 then, or is that just a prerequisite to fixing this?

(In reply to comment #1)
> SeaMonkey 1.1 has been released with this bug.

The SeaMonkey team decided to release the much delayed 1.1 now rather than wait for 1.8.1.2 and plan to catch up with a subsequent security update.
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Whiteboard: [sg:critical] fix in bug 366292

Comment 5

11 years ago
brendan: Is this a dup of bug 366292? If so, we need to mark it so and remove the blocking flags (since we already approved and landed the fixes in that other bug). Let us know... thanks!
Depends on: 366292
Comment 6 (Reporter, 11 years ago)

This has been fixed in bug 366292.

Tested with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070122
BonEcho/2.0.0.2pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10pre) Gecko/20070122
Firefox/1.5.0.10pre
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.8.0.10, fixed1.8.1.2
Resolution: --- → FIXED

Comment 7

10 years ago
Created attachment 254253: js1_5/extensions/regress-367501-01.js

Comment 8

10 years ago
Created attachment 254254: js1_5/extensions/regress-367501-02.js

Comment 9

10 years ago
Created attachment 254255: js1_5/extensions/regress-367501-03.js

Comment 10

10 years ago
Created attachment 254256: js1_5/extensions/regress-367501-04.js

Updated

10 years ago
Flags: in-testsuite+

Comment 11

10 years ago
verified fixed 1.8.0.10, 1.8.1.2 2007-02-08 windows/mac*/linux
Keywords: fixed1.8.0.10, fixed1.8.1.2 → verified1.8.0.10, verified1.8.1.2

Comment 12

10 years ago
verified fixed 2007-02-17 1.9.0 windows/mac*/linux
Status: RESOLVED → VERIFIED
Group: security

Comment 13

10 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-01.js,v  <--  regress-367501-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-02.js,v  <--  regress-367501-02.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-03.js,v  <--  regress-367501-03.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-04.js,v  <--  regress-367501-04.js
initial revision: 1.1