Bug 735104 - Array toString Remote Code Execution (ZDI-CAN-1549)

Status: Closed, RESOLVED DUPLICATE of bug 720079
Opened 12 years ago; Closed 12 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: dveditz; Unassigned
Whiteboard: [sg:dupe 720079]
Attachments: 1 file (131 bytes, text/plain)

Description
ZDI-CAN-1549: Mozilla Firefox Array toString Remote Code Execution Vulnerability

-- CVSS -----------------------------------------
9, AV:N/AC:L/Au:N/C:P/I:P/A:C

-- ABSTRACT -------------------------------------
TippingPoint has identified a vulnerability affecting the following products:
Mozilla Firefox

-- VULNERABILITY DETAILS ------------------------
/*
js/src/jsarray.cpp

array_join calls array_toString_sub which has:

    ...
    const Value *beg = obj->getDenseArrayElements();
    const Value *end = beg + Min(length, obj->getDenseArrayInitializedLength());
    for (const Value *vp = beg; vp != end; ++vp) {
        if (!JS_CHECK_OPERATION_LIMIT(cx))
            return false;

        if (!vp->isMagic(JS_ARRAY_HOLE) && !vp->isNullOrUndefined()) {
            if (!ValueToStringBuffer(cx, *vp, sb))
                return false;
        }
    ...

ValueToStringBuffer calls back into JavaScript via a toString function; we can change the array from under it without beg and end being updated, and the GC will free them since they are not marked as in use.

Run in the JS shell! (Otherwise, you need gc code and print code.)
*/

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Vincenzo Iozzo
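The 131-byte PoC attached to this bug is not reproduced on this page. What follows is an added example, not the ZDI testcase and not Mozilla code: it models the re-entrancy the report relies on. Array.prototype.join reads length once and then calls ToString on each element in turn, so an element's toString can shrink, grow or sparsify the array while the engine is still walking its element storage; that is exactly the window in which array_toString_sub kept the raw beg/end pointers. Against a fixed engine (a current js shell or Node) each case must return the spec-defined string and must not crash. The function names and the mutation callbacks are assumptions of this example.

```javascript
"use strict";

// Added example, not the ZDI attachment or Mozilla code. Array.prototype.join
// reads `length` once, then calls ToString on each element in turn. The first
// element's toString() runs `mutate(arr)` while the join is mid-iteration,
// which is the window in which the affected builds kept raw beg/end pointers
// into the dense element storage.
function joinWithReentrantMutation(mutate, sep = ",") {
  const arr = [
    { toString() { mutate(arr); return "first"; } },
    "b", "c", "d",
  ];
  return arr.join(sep);
}

// Shrink the array under the join: indices 1..3 no longer exist, so the spec
// has them read back as undefined and rendered as "" (the separators remain).
function joinAfterShrink() {
  return joinWithReentrantMutation((arr) => { arr.length = 1; });
}

// Grow the array under the join: pushing 100k elements forces the backing
// store to be reallocated, but the join only visits the original length (4).
function joinAfterGrow() {
  return joinWithReentrantMutation((arr) => {
    for (let i = 0; i < 100000; i++) arr.push(i);
  });
}

// Write far past the end: the engine switches the array to a sparse
// representation mid-join; the remaining indices still read their old values.
function joinAfterSparsify() {
  return joinWithReentrantMutation((arr) => { arr[1000000] = "far"; }, "-");
}

// Punch a hole, swap in a fresh object, and churn the heap so a collection
// is likely while the join is still in progress.
function joinAfterGarbage() {
  return joinWithReentrantMutation((arr) => {
    delete arr[1];                                  // hole -> ""
    arr[2] = { toString() { return "obj"; } };      // replaced mid-join
    let junk = [];
    for (let i = 0; i < 50000; i++) junk.push({ i, s: String(i) });
    junk = null;                                    // now collectable
  });
}

// Spec-defined results on a correct engine.
function runAll() {
  return {
    shrink:   joinAfterShrink(),    // "first,,,"
    grow:     joinAfterGrow(),      // "first,b,c,d"
    sparsify: joinAfterSparsify(),  // "first-b-c-d"
    garbage:  joinAfterGarbage(),   // "first,,obj,d"
  };
}

console.log(runAll());
```

Run it with `node file.js` or load it in a js shell. A crash, or a result assembled from values that no longer live at those indices after the callback, means the engine is still reading the old element storage rather than re-fetching after the script callback returns.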
Comment 1 (Reporter) • 12 years ago
PoC from ZDI (not an exploit)
Comment 2 • 12 years ago
This is a blatant duplicate of bug 720079 and bug 720511. As those are both fixed in all branches now, I don't think this affects 10.0.3 at all -- so, bonus, we precog-fixed this for the release tomorrow or thereabouts! But. Is there any reason whatsoever to believe the exploit wasn't cobbled together by looking at the trunk, aurora, beta, or even ESR (!) pushlogs? At the very least I guess this is useful information for future bugfixing. (So, how about that shadow-central thing again? :-\ )
Comment 3 • 12 years ago
Bug 720079 was landed to ESR 10: http://hg.mozilla.org/releases/mozilla-esr10/rev/7ab20b45eee8
Updated (Reporter) • 12 years ago
Whiteboard: [sg:critical]
Comment 4 • 12 years ago
According to bug 720079 comment 11, the regressing bug landed well after 1.9.2, so apparently 3.6.x should not be affected.
Comment 5 • 12 years ago
I verified that the test does not crash on central, aurora, beta and release (64 bit debug shells). Also tested 1.9.2 and it does not crash either. ESR is pending as I need to clone it first.
Comment 6 • 12 years ago
Verified fixed also on ESR-10.
Comment 7 • 12 years ago
> Verified fixed also on ESR-10.
Also does not crash on ESR 10 tip changeset 046308ccc9e2 using 32-bit debug and opt shell on Mac OS X Lion.
Comment 8 • 12 years ago
> According to bug 720079 comment 11, the regressing bug landed well after
> 1.9.2, so apparently 3.6.x should not be affected.

Just to reiterate, the regressing bug is bug 587257, which landed in April 2011.

> I verified that the test does not crash on central, aurora, beta and release
> (64 bit debug shells). Also tested 1.9.2. and it does not crash either.

Also verified not to crash on mozilla-beta, mozilla-aurora and mozilla-central tip using 32-bit debug and opt js shells in Mac OS X Lion.
Comment 9 (Reporter) • 12 years ago
decoder DID check that the testcase crashed an old aurora build so we know the testcase went from crashing to fixed, and it's not just that we're running it differently than ZDI.
Updated (Reporter) • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] → [sg:dupe 720079]
Updated (Reporter) • 12 years ago
Group: core-security