Closed
Bug 715819
Opened 13 years ago
Closed 13 years ago
__defineGetter__ and __defineSetter__ can mutate non-configurable properties
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox12 | --- | verified |
People
(Reporter: Waldo, Unassigned)
Details
(Whiteboard: fixed by bug 715821 [qa+])
Good behavior:
[jwalden@wheres-wally firefox]$ ~/moz/slots/js/src/gcc-dbg/js
js> var obj = { get x() { return 17; } };
js> Object.defineProperty(obj, "x", { configurable: false });
({get x () {return 17;}})
js> Object.defineProperty(obj, "x", { set: function(v) { print(v); } })
typein:3: TypeError: can't redefine non-configurable property 'x'
Bad behavior:
[jwalden@wheres-wally firefox]$ ~/moz/slots/js/src/gcc-dbg/js
js> var obj = { get x() { return 17; } };
js> Object.defineProperty(obj, "x", { configurable: false });
({get x () {return 17;}})
js> obj.__defineSetter__("x", function(v) { print(v); });
js> obj
({get x () {return 17;}, set x (v) {print(v);}})
I wonder what the chances are that we rely on a non-configurable accessor property never mutating, or its shape remaining live and in use, or *something* of that nature, such that this can be turned into something exploitable. Non-negligible, I bet. But I don't much know what reliances our JITs or anything are making these days. bhackett? dvander? bueller?
I've already written a patch to fix this which I'll be posting in another bug (not filed yet). I discovered this issue when analyzing the patch for potential behavioral differences from the current code. I plan to file that bug, and post that patch, while doing what I can to not clue anyone watching to the existence of this flaw in the existing code.
|
Reporter | |
Comment 1•13 years ago
|
||
The patch is in bug 715821. I'm not going to mark a dependence or relationship for the moment out of an abundance of caution/paranoia.
|
||
Comment 2•13 years ago
|
||
Nothing I know of performs optimizations based on a property being non-configurable. We can assume that a property will remain a data property, but as soon as __defineGetter__, delete or any other reconfiguration happens it will be marked as such and the code deoptimized.
|
||
Comment 3•13 years ago
|
||
According to comment 1 this should be fixed
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox12:
--- → fixed
Resolution: --- → FIXED
Whiteboard: fixed by bug 715821
|
|
||
Comment 4•12 years ago
|
||
CC'ing moz_bug_r_a4 to see if this leads to any interesting vulnerabilities
|
|
||
Comment 5•12 years ago
|
||
Waldo: what's your best guess about a security severity here, and should we take this on the ESR branch?
|
|
Reporter | |
Comment 6•12 years ago
|
||
Given comment 2, and that every time I assume we've optimized for some ECMAScript invariant only to find out that we haven't yet, I don't think we need to worry about this -- unhiding.
Group: core-security
|
||
Comment 7•12 years ago
|
||
Verified with Firefox 12.0b6 js-shell with the input from comment 0. Got: typein:3: TypeError: can't redefine non-configurable property 'x'
You need to log in
before you can comment on or make changes to this bug.
Description
•