Status

VERIFIED FIXED
10 years ago
5 years ago

People

(Reporter: jruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, {testcase, verified1.9.1})

Version: Trunk
Hardware: x86
OS: Mac OS X
Keywords: testcase, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.6 -
wanted1.9.0.x -
in-testsuite ?
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate?])

Attachments

(3 attachments)

(Reporter)

Description

10 years ago
js> { let d = 3;  new (this.d |= d |= d); }
typein:1: TypeError: this.d |= ???this |= d is not a constructor

Security-sensitive because the "???" makes me think it's reading from uninitialized memory, and making that memory available to scripts through try..catch.

The fuzzer in bug 465479 found this accidentally: it noticed a slight difference in the error message, due to what I'm guessing is uninitialized memory, and interpreted it as a difference between JIT and non-JIT.

I'll see if I can retrofit one of my fuzzers to really look for bugs like this, perhaps by trying to compile every expression that appears in a "is not a constructor" error message.
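The oracle the reporter sketches, as an added example (not code from this bug report or from SpiderMonkey): an engine embeds a decompiled expression in its "X is not a constructor" / "X is not a function" TypeError messages, and a script can read that text through try..catch. The check below takes the expression out of such a message and flags it when it contains the "???" marker seen in this bug, or when it no longer parses back as JavaScript. The sample messages are constructed (the two from this bug plus two well-formed ones); the placeholder rewrite for "(intermediate value)" is an assumption about what current V8 prints and was not part of the 2008 js shell.

```javascript
// Added example, not code from this bug or from SpiderMonkey: a fuzzing
// oracle in the spirit of the reporter's suggestion in the description.
// The engine embeds a decompiled expression in "X is not a constructor" /
// "X is not a function" TypeError messages; a script can read that text via
// try..catch. The oracle flags messages whose expression contains the "???"
// marker seen in this bug or does not parse back as JavaScript.

const SUFFIXES = [' is not a constructor', ' is not a function'];

// Modern V8 substitutes this placeholder for unnamed temporaries; it is not
// valid syntax, so it is rewritten to an identifier before re-parsing.
// (Assumption about current engine output; the 2008-era js shell did not do this.)
const V8_PLACEHOLDER = /\(intermediate value\)/g;

// Return the expression text embedded in a message of the audited shape,
// or null if the message has a different shape.
function extractExpression(message) {
  for (const suffix of SUFFIXES) {
    if (message.endsWith(suffix)) return message.slice(0, -suffix.length);
  }
  return null;
}

// Parse only: the Function constructor compiles the body without running it.
// Any exception means the text did not compile as an expression.
function parsesAsExpression(text) {
  const normalized = text.replace(V8_PLACEHOLDER, '__tmp');
  try {
    new Function('return (' + normalized + '\n);');
    return true;
  } catch (e) {
    return false;
  }
}

// Classify one message. Returns {expr, reason} when suspicious, else null.
function checkErrorMessage(message) {
  const expr = extractExpression(message);
  if (expr === null) return null;
  if (expr.includes('???')) {
    return { expr, reason: 'decompiler emitted "???" (possible uninitialized read)' };
  }
  if (!parsesAsExpression(expr)) {
    return { expr, reason: 'decompiled expression does not parse' };
  }
  return null;
}

// Execute a snippet as script-visible code and audit any TypeError it raises,
// the way a fuzzer would wrap each generated program. Indirect eval is used so
// the snippet runs in global scope, like a line typed into the js shell.
function runCase(source) {
  try {
    (0, eval)(source);
    return { message: null, finding: null };
  } catch (e) {
    if (!(e instanceof TypeError)) return { message: String(e), finding: null };
    return { message: e.message, finding: checkErrorMessage(e.message) };
  }
}

// Constructed sample messages: the two printed by the js shell in this bug,
// plus two well-formed ones that a correct decompiler would produce.
const SAMPLE_MESSAGES = [
  'this.d |= ???this |= d is not a constructor',
  '(???{} = {}).y is not a function',
  'this.d is not a constructor',
  'x.y is not a function',
];

function auditSamples(messages = SAMPLE_MESSAGES) {
  return messages.map((message) => ({ message, finding: checkErrorMessage(message) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditSamples()) {
    console.log(r.finding ? 'SUSPICIOUS' : 'ok        ', JSON.stringify(r.message),
      r.finding ? '-> ' + r.finding.reason : '');
  }
}
```

The re-parse check matters independently of the "???" marker: the first message from this bug, with the marker removed, still reads `this.d |= this |= d`, and `this |= d` is an invalid assignment target, so a decompiler that produced it is wrong even when no obvious garbage is visible.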
(Reporter)

Comment 1

10 years ago
js> for each (let x in [1]) { (x = {}).y(); }
typein:1: TypeError: (???{} = {}).y is not a function
(Reporter)

Updated

10 years ago
Whiteboard: [sg:moderate?]

Comment 2

Created attachment 349301 [details] [diff] [review]
Fix

Seems like an obvious fix...
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #349301 - Flags: review?(brendan)
(Reporter)

Updated

10 years ago
Flags: blocking1.9.1?

Updated

10 years ago
Flags: blocking1.9.1? → blocking1.9.1+

Comment 3

Comment on attachment 349301 [details] [diff] [review]
Fix

Whoops, was this never right? Thanks for fixing.

/be
Attachment #349301 - Flags: review?(brendan) → review+

Updated

10 years ago
Attachment #349301 - Flags: approval1.9.1b2?

Updated

10 years ago
Attachment #349301 - Flags: approval1.9.1b2? → approval1.9.1b2+

Comment 4

http://hg.mozilla.org/mozilla-central/rev/1c0893f3e640
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 5

10 years ago
Created attachment 351382 [details]
js1_8/regress/regress-465901-01.js

Comment 6

10 years ago
Created attachment 351383 [details]
js1_8/regress/regress-465901-02.js

Updated

10 years ago
Flags: wanted1.9.0.x?
Flags: in-testsuite+
Flags: in-litmus-

Comment 8

10 years ago
verified fixed mozilla-central but not tracemonkey
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6+
Whiteboard: [sg:moderate?] → [sg:moderate?][needs 1.9.0 patch]

Comment 9

The 1.9.0 branch is not affected by this bug.
Keywords: fixed1.9.0.6
Whiteboard: [sg:moderate?][needs 1.9.0 patch] → [sg:moderate?]

Comment 10

If 1.9.0 is not affected by this, why did we fix it there?

Comment 11

For security bugs we use wanted-minus to indicate "Not needed for branch, and yes, we've checked". (For other bugs it tends to mean "we don't care--stop bugging us")
Flags: wanted1.9.0.x-
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6-
Flags: blocking1.9.0.6+
Keywords: fixed1.9.0.6

Comment 12

Sorry, I was confused by what we did in bug 464174.

Comment 13

10 years ago
v 1.9.1, 1.9.2
Keywords: fixed1.9.1 → verified1.9.1

Comment 14

9 years ago
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Group: core-security