Closed
Bug 576020
Opened 14 years ago
Closed 14 years ago
OOB access when applying the slice() method to incorrect objects
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: serg.glazunov, Assigned: vlad)
Details
(Whiteboard: [sg:critical])
Attachments
(1 file)
1.32 KB, patch | jorendorff: review+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.2 (KHTML, like Gecko) Chrome/6.0.451.0 Safari/534.2
Build Identifier:

Simple repro:

    a = Int8Array(0x1000000);
    b = Int32Array.prototype.slice.apply(a, [0, 0x1000000]);
    // We can now access 4 times more data than the array buffer contains.
    alert(b[0x1000000 - 1]);

Clearly it can lead to arbitrary code execution.

Reproducible: Always
Comment 1•14 years ago
What version of Firefox were you testing against?
Assignee: nobody → general
Component: Canvas: WebGL → JavaScript Engine
QA Contact: canvas.webgl → general
Whiteboard: [sg:critical]
Comment 2•14 years ago
bp-ffe619dc-3efc-44c7-a2a5-907ca2100630 on trunk
Updated•14 years ago
Status: UNCONFIRMED → NEW
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Ever confirmed: true
Comment 4•14 years ago
Man am I starting to hate dynamic languages.. slice() just needs to check that the array type is what it expects. Will patch tomorrow.
Assignee: general → vladimir
Status: NEW → ASSIGNED
Comment 5•14 years ago
Here's the fix. We just add a check into slice().
Attachment #455574 - Flags: review?(jorendorff)
Comment 6•14 years ago
Comment on attachment 455574 (fix)

I think this bug is a duplicate of bug 571014. The fix is already in. The test is welcome, though, if we don't already have a test like that.
Attachment #455574 - Flags: review?(jorendorff) → review+
Comment 7•14 years ago
Not sure if it is -- slice() is the only method on typed arrays, so the only one that can be used with apply this way. The other bug was mainly dealing with properties, and just walks the proto chain until it finds a typed array. That will still succeed in this case, but it'll still be the wrong type. Also applying slice to a non-typed-array will likely walk the proto chain up to NULL (I guess?), and then the getPrivate() would crash.
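The receiver check that comments 4, 5 and 7 describe, as an added example that is not the page's patch or SpiderMonkey code: a constructed C model of a typed array in which the Int32 slice() refuses any receiver of another element type, shown beside the element-count arithmetic that would otherwise scale a 1-byte-per-element buffer by four. The names (TypedArray, View, slice_int32_checked) and the 16-byte buffer are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a typed-array object (not SpiderMonkey's own layout):
 * type tag (value = bytes per element), element count, and the backing store
 * with its real size in bytes. */
enum ElemType { TYPE_INT8 = 1, TYPE_INT32 = 4 };
typedef struct { enum ElemType type; size_t length; uint8_t *data; size_t byteLength; } TypedArray;
typedef struct { uint8_t *data; size_t length; size_t byteLength; } View;

/* Bytes a slice() that trusts its own element size would hand out: the
 * receiver's element count scaled by the method's type. For an Int8Array
 * receiver reached via Int32Array.prototype.slice.apply that is 4x the buffer. */
static size_t unchecked_view_bytes(const TypedArray *self, enum ElemType methodType) {
    return self->length * (size_t)methodType;
}

/* Int32 slice() with the receiver check the fix adds: refuse any object that
 * is not of the method's own type before doing length arithmetic, then apply
 * the ordinary range check. Returns false when no view may be created. */
static bool slice_int32_checked(const TypedArray *self, size_t begin, size_t end, View *out) {
    if (self == NULL || self->type != TYPE_INT32) return false;  /* wrong receiver: TypeError */
    if (begin > end || end > self->length) return false;         /* out of range: RangeError */
    out->data = self->data + begin * TYPE_INT32;
    out->length = end - begin;
    out->byteLength = out->length * TYPE_INT32;
    return (size_t)(out->data - self->data) + out->byteLength <= self->byteLength;
}

/* The report's scenario at small scale: a 16-byte Int8Array as receiver. True
 * when the checked slice rejects it although the unchecked arithmetic would
 * have claimed 4x the real buffer. */
static bool report_scenario_is_rejected(void) {
    static uint8_t buf[16];
    TypedArray int8 = { TYPE_INT8, sizeof buf, buf, sizeof buf };
    View v;
    return unchecked_view_bytes(&int8, TYPE_INT32) == 4 * sizeof buf &&
           !slice_int32_checked(&int8, 0, int8.length, &v);
}

/* Control case: a genuine Int32Array over 16 bytes. Returns the view's byte
 * length, or 0 when the slice is rejected. */
static size_t legit_slice_byte_length(size_t begin, size_t end) {
    static uint8_t buf[16];
    TypedArray int32 = { TYPE_INT32, sizeof buf / TYPE_INT32, buf, sizeof buf };
    View v;
    return slice_int32_checked(&int32, begin, end, &v) ? v.byteLength : 0;
}
```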
Comment 8•14 years ago
http://hg.mozilla.org/mozilla-central/rev/8a745dc12044
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
blocking2.0: ? → betaN+
Updated•14 years ago
Summary: OOB access when incorrect array type created → OOB access when applying the slice() method to incorrect objects
Updated•13 years ago
Group: core-security