Deleted watchpoints can make obj->addProperty/putProperty return a shape not in obj

RESOLVED FIXED in mozilla2.0

Status

Core
JavaScript Engine
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: jorendorff, Assigned: jorendorff)

Tracking

Other Branch
mozilla2.0
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg-critical?][softblocker][fixed-in-tracemonkey])

Attachments

(1 attachment, 2 obsolete attachments)

(Assignee)

Description

7 years ago
At the end of JSObject::addProperty:

    /* Update any watchpoints referring to this property. */
    if (!js_UpdateWatchpointsForShape(cx, this, shape)) {
        METER(wrapWatchFails);
        return NULL;
    }

    return shape;
}

Before js_UpdateWatchpointsForShape, shape is sure to be in this; but afterwards shape can be GC-unreachable (therefore this is security-sensitive for now).

No test case as yet, but it seems likely this is observable and possible it's exploitable. Taking.
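The hazard in the description, reduced to a toy model (added illustration, not SpiderMonkey code; the patch attached to this bug is not reproduced here). `ToyObject`, `WatchpointTable` and the two `addProperty*` functions are hypothetical stand-ins: the watchpoint hook plays the role of `js_UpdateWatchpointsForShape`, whose handlers can run arbitrary script and delete the very property being added. The buggy version returns `shape` regardless; the checked version is one assumed way of restoring the invariant, by looking the property up again after the hook and failing when it is gone.

```cpp
// Added illustration of the invariant this bug breaks: the shape returned by
// addProperty must still belong to the object once the watchpoint hook has run.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct Shape {
    std::string id;  // property name
    int slot;        // storage slot
};

struct ToyObject {
    std::vector<std::unique_ptr<Shape>> shapes;       // live properties
    std::vector<std::unique_ptr<Shape>> unreachable;  // stand-in for garbage a GC would reclaim

    bool contains(const Shape* s) const {
        return std::any_of(shapes.begin(), shapes.end(),
                           [s](const std::unique_ptr<Shape>& p) { return p.get() == s; });
    }
    Shape* lookup(const std::string& id) {
        for (auto& p : shapes)
            if (p->id == id) return p.get();
        return nullptr;
    }
    Shape* insert(const std::string& id, int slot) {
        shapes.push_back(std::make_unique<Shape>(Shape{id, slot}));
        return shapes.back().get();
    }
    // Deleting a property moves its shape out of the object; a real GC would free it.
    void remove(const std::string& id) {
        auto it = std::find_if(shapes.begin(), shapes.end(),
                               [&id](const std::unique_ptr<Shape>& p) { return p->id == id; });
        if (it != shapes.end()) {
            unreachable.push_back(std::move(*it));
            shapes.erase(it);
        }
    }
};

// Hypothetical watchpoint table. Watchpoint handlers run arbitrary script, so the
// update hook models a handler that deletes the property being updated.
struct WatchpointTable {
    std::vector<std::string> deletesOnUpdate;  // constructed: ids whose handler deletes the property
    bool updateForShape(ToyObject& obj, const Shape* shape) {
        if (std::find(deletesOnUpdate.begin(), deletesOnUpdate.end(), shape->id) !=
            deletesOnUpdate.end())
            obj.remove(shape->id);
        return true;  // the hook itself succeeded
    }
};

// Buggy pattern from the description: `shape` is returned even though the hook
// may have removed it from `obj`, so the caller gets a shape not in the object.
Shape* addPropertyBuggy(ToyObject& obj, WatchpointTable& wp, const std::string& id, int slot) {
    Shape* shape = obj.insert(id, slot);
    if (!wp.updateForShape(obj, shape)) return nullptr;
    return shape;
}

// Checked pattern (an assumption, not the bug's actual patch): re-validate after
// the hook and only return a shape that is still present in `obj`.
Shape* addPropertyChecked(ToyObject& obj, WatchpointTable& wp, const std::string& id, int slot) {
    Shape* shape = obj.insert(id, slot);
    if (!wp.updateForShape(obj, shape)) return nullptr;
    Shape* current = obj.lookup(id);
    if (current == nullptr) return nullptr;  // property vanished while the hook ran
    return current;
}

// True when the buggy version hands back a shape that the object no longer holds.
bool buggyReturnsStaleShape() {
    ToyObject obj;
    WatchpointTable wp;
    wp.deletesOnUpdate = {"x"};
    Shape* s = addPropertyBuggy(obj, wp, "x", 0);
    return s != nullptr && !obj.contains(s);
}

// True when the checked version reports failure instead of returning a stale shape.
bool checkedReturnsNullWhenDeleted() {
    ToyObject obj;
    WatchpointTable wp;
    wp.deletesOnUpdate = {"x"};
    return addPropertyChecked(obj, wp, "x", 0) == nullptr;
}

// True when the checked version still returns a valid shape if no handler interferes.
bool checkedReturnsShapeWhenUntouched() {
    ToyObject obj;
    WatchpointTable wp;
    Shape* s = addPropertyChecked(obj, wp, "y", 1);
    return s != nullptr && obj.contains(s) && s->id == "y" && s->slot == 1;
}
```

The detection side of this is the `contains` check in `buggyReturnsStaleShape`: a caller that trusts the returned shape would index slots through an object that no longer owns it, which is the GC-unreachable condition the report calls security-sensitive.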
(Assignee)

Comment 1

7 years ago
Created attachment 510409 [details] [diff] [review]
v1

I don't think this is limited to deleted watchpoints. putProperty and changeProperty seemed to have the same bug. This fixes them all.
Attachment #510409 - Flags: review?
(Assignee)

Updated

7 years ago
Attachment #510409 - Flags: review? → review?(jimb)
(Assignee)

Comment 2

7 years ago
Created attachment 510449 [details] [diff] [review]
v2 - Same as v1 but with a test.
Attachment #510409 - Attachment is obsolete: true
Attachment #510449 - Flags: review?(jimb)
Attachment #510409 - Flags: review?(jimb)
(Assignee)

Comment 3

7 years ago
This should softblock, IMHO.
blocking2.0: --- → ?
Whiteboard: [sg-critical?]
blocking2.0: ? → betaN+
Whiteboard: [sg-critical?] → [sg-critical?][softblocker]
blocking2.0: betaN+ → final+
(Assignee)

Updated

7 years ago
Blocks: 631305
(Assignee)

Comment 4

7 years ago
Created attachment 511817 [details] [diff] [review]
v3 - same as v1 but with 2 tests, and rebased
Attachment #510449 - Attachment is obsolete: true
Attachment #511817 - Flags: review?(jimb)
Attachment #510449 - Flags: review?(jimb)
(Assignee)

Updated

7 years ago
Duplicate of this bug: 630366

Comment 6

7 years ago
Comment on attachment 511817 [details] [diff] [review]
v3 - same as v1 but with 2 tests, and rebased

Makes sense; thank you for cleaning up the various style issues, as well.
Attachment #511817 - Flags: review?(jimb) → review+
(Assignee)

Comment 7

7 years ago
http://hg.mozilla.org/tracemonkey/rev/206a4c1c8ad8
Whiteboard: [sg-critical?][softblocker] → [sg-critical?][softblocker][fixed-in-tracemonkey]
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/206a4c1c8ad8
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Target Milestone: --- → mozilla2.0