Closed Bug 631723 Opened 9 years ago Closed 9 years ago

Deleted watchpoints can make obj->addProperty/putProperty return a shape not in obj

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla2.0
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

(Whiteboard: [sg-critical?][softblocker][fixed-in-tracemonkey])

Attachments

(1 file, 2 obsolete files)

At the end of JSObject::addProperty:

    /* Update any watchpoints referring to this property. */
    if (!js_UpdateWatchpointsForShape(cx, this, shape)) {
        METER(wrapWatchFails);
        return NULL;
    }

    return shape;
}

Before js_UpdateWatchpointsForShape, shape is sure to be in this; but afterwards shape can be GC-unreachable (therefore this is security-sensitive for now).

No test case as yet, but it seems likely this is observable and possible it's exploitable. Taking.
Attached patch v1 (obsolete) — Splinter Review
I don't think this is limited to deleted watchpoints. putProperty and changeProperty seemed to have the same bug. This fixes them all.
Attachment #510409 - Flags: review?
Attachment #510409 - Flags: review? → review?(jimb)
Attached patch v2 - Same as v1 but with a test. (obsolete) — Splinter Review
Attachment #510409 - Attachment is obsolete: true
Attachment #510449 - Flags: review?(jimb)
Attachment #510409 - Flags: review?(jimb)
This should softblock, IMHO.
blocking2.0: --- → ?
Whiteboard: [sg-critical?]
blocking2.0: ? → betaN+
Whiteboard: [sg-critical?] → [sg-critical?][softblocker]
blocking2.0: betaN+ → final+
Blocks: 631305
Attachment #510449 - Attachment is obsolete: true
Attachment #511817 - Flags: review?(jimb)
Attachment #510449 - Flags: review?(jimb)
Duplicate of this bug: 630366
Comment on attachment 511817 [details] [diff] [review]
v3 - same as v1 but with 2 tests, and rebased

Makes sense; thank you for cleaning up the various style issues, as well.
Attachment #511817 - Flags: review?(jimb) → review+
http://hg.mozilla.org/tracemonkey/rev/206a4c1c8ad8
Whiteboard: [sg-critical?][softblocker] → [sg-critical?][softblocker][fixed-in-tracemonkey]
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security
Target Milestone: --- → mozilla2.0
You need to log in before you can comment on or make changes to this bug.