Closed Bug 619255 Opened 15 years ago Closed 15 years ago

GC hazard in JO() from json.cpp due to reuse of root (1.9.[12]-only)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
1.9.2 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 616009
Tracking Flags:
Tracking Status
blocking2.0 --- -
status2.0 --- unaffected
blocking1.9.2 --- .14+
status1.9.2 --- .14-fixed
blocking1.9.1 --- .17+
status1.9.1 --- .17-fixed

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: verified1.9.1, verified1.9.2, Whiteboard: [sg:dupe 616009])

Attachments

(2 files)

fix
841 bytes, patch
gal
: review+
christian
: approval1.9.2.14+
Details | Diff | Splinter Review
fix for 191
880 bytes, patch
christian
: approval1.9.1.17+
Details | Diff | Splinter Review
On 1.9.2 branch JO() from json.cpp incorrectly reuse the passed vp parameter for rooting an iterator leading to a GC hazard. The following example demonstrates this for a debug build of JS shell: function iter() { ({}); gc(); yield 1; } function create_iter() { return iter(); } JSON.stringify({ get o() { var obj = {}; obj.__iterator__ = create_iter; return obj; }}); ~/m/192/js/src> ~/b/js/192dbg32/js ~/s/x.js Segmentation fault (core dumped) On trunk we are safe due to the conservative GC scanner.
Attached patch fixSplinter Review
The patch copies the initial value of *vp into an extra root.
Attachment #497715 - Flags: review?(gal)
Comment on attachment 497715 [details] [diff] [review] fix >diff --git a/js/src/json.cpp b/js/src/json.cpp >--- a/js/src/json.cpp >+++ b/js/src/json.cpp >@@ -241,20 +241,20 @@ WriteIndent(JSContext *cx, StringifyCont > > static JSBool > JO(JSContext *cx, jsval *vp, StringifyContext *scx) > { > JSObject *obj = JSVAL_TO_OBJECT(*vp); > > if (!scx->cb.append('{')) > return JS_FALSE; > >- jsval vec[3] = {JSVAL_NULL, JSVAL_NULL, JSVAL_NULL}; >- JSAutoTempValueRooter tvr(cx, 3, vec); >+ jsval vec[] = {JSVAL_NULL, JSVAL_NULL, JSVAL_NULL, *vp}; >+ JSAutoTempValueRooter tvr(cx, JS_ARRAY_LENGTH(vec), vec); > jsval& key = vec[0]; > jsval& outputValue = vec[1]; > > JSObject *iterObj = NULL; > jsval *keySource = vp; > bool usingWhitelist = false; > > // if the replacer is an array, we use the keys from it > if (scx->replacer && JS_IsArrayObject(cx, scx->replacer)) {
Attachment #497715 - Flags: review?(gal) → review+
Attachment #497715 - Flags: approval1.9.2.14?
Nominating for 1.9.2 due to the critical status.
blocking1.9.2: --- → ?
Whiteboard: [sg:critical]
Does this affect 1.9.1 as well?
blocking1.9.1: --- → ?
blocking1.9.2: ? → .14+
status2.0: --- → unaffected
(waiting to approve until we know 1.9.1 is (un)affected.
(In reply to comment #4) > Does this affect 1.9.1 as well? Yes, this affects 1.9.1 - I forgot that the native JSON were introduced on that branch first.
Attached patch fix for 191Splinter Review
191 version of the patch needed a trivial merge. Here is a plain diff between patches: /home/igor/s/> diff json_bug619255.patch json_bug619255_191.patch 4,5c4 < @@ -241,20 +241,20 @@ WriteIndent(JSContext *cx, StringifyCont < --- > @@ -261,20 +261,20 @@ WriteIndent(JSContext *cx, StringifyCont 11c10,11 < if (!scx->cb.append('{')) --- > jschar c = jschar('{'); > if (!scx->callback(&c, 1, scx->data))
Attachment #498868 - Flags: approval1.9.1.17?
blocking1.9.1: ? → .17+
Comment on attachment 497715 [details] [diff] [review] fix a=LegNeato for 1.9.2.14
Attachment #497715 - Flags: approval1.9.2.14? → approval1.9.2.14+
Comment on attachment 498868 [details] [diff] [review] fix for 191 a=LegNeato for 1.9.1.17
Attachment #498868 - Flags: approval1.9.1.17? → approval1.9.1.17+
blocking2.0: --- → -
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] → [sg:dupe 616009]
Summary: GC hazard in JO() from json.cpp due to reuse of root (1.9.2-only) → GC hazard in JO() from json.cpp due to reuse of root (1.9.[12]-only)
Verified for branches by verifying bug 616009.
Keywords: verified1.9.1, verified1.9.2
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: