Closed
Bug 887495
Opened 11 years ago
Closed 10 years ago
Ensure neutered ArrayBuffers don't invalidate assumptions made in JS JITs
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 845899
People
(Reporter: roc, Unassigned)
References
Details
(Keywords: csectype-uaf, sec-high)
HTML5 allows an ArrayBuffer to be neutered. Effectively, its length is set to zero. Potentially this might interact badly with LICM and hoisting of array bounds checks. It should at least be investigated and an automated test written.

Neutering a buffer in the browser is as simple as

  function neuter(arrayBuffer) {
    window.postMessage(arrayBuffer, "*", [arrayBuffer]);
  }

which indirectly calls JS_StealArrayBufferContents. Note that neutering is most likely to happen in performance-sensitive code using workers (and, possibly, Web Audio), so deoptimizing the universe forever is best avoided.
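An added example, not from this bug or from SpiderMonkey's own test suite, that checks the invariant the description asks to be tested: when a buffer is transferred in the middle of a loop, the typed array's length observably drops to 0 and element reads yield undefined, so no hoisted length or bounds-check assumption may survive the transfer. It assumes a global structuredClone with a transfer list (Node 17+ or a modern browser) as the stand-in for the window.postMessage transfer above; the names neuter and sumWithDetachMidLoop are my own.

```javascript
// Detach (neuter) an ArrayBuffer by transferring it to a structured clone.
// Assumption: global structuredClone with { transfer } is available (Node >= 17
// or a browser). In a browser, postMessage(buf, "*", [buf]) has the same effect.
function neuter(buffer) {
  structuredClone(buffer, { transfer: [buffer] });
  // The original object survives, but its contents are gone: byteLength === 0.
  return buffer;
}

// Fill an n-byte view with 1s and sum it, detaching the buffer when the loop
// index reaches detachAt. Records what a conforming engine must observe:
// length before/after, every element read, and the resulting sum.
function sumWithDetachMidLoop(n, detachAt) {
  const buf = new ArrayBuffer(n);
  const view = new Uint8Array(buf);
  view.fill(1);

  const observed = { lengthBefore: view.length, lengthAfter: null, sum: 0, reads: [] };

  // Loop bound deliberately uses n, not view.length, so the body keeps
  // indexing after the detach. A JIT that hoisted view.length (or the bounds
  // check) out of this loop would read freed memory here; a correct engine
  // re-checks and returns undefined for every index once length is 0.
  for (let i = 0; i < n; i++) {
    if (i === detachAt) {
      neuter(buf);
    }
    const value = view[i];        // undefined once the buffer is detached
    observed.reads.push(value);
    observed.sum += value | 0;    // undefined | 0 === 0
  }

  observed.lengthAfter = view.length; // 0 after detach
  return observed;
}
```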
Comment 1•11 years ago
sfink has done a bunch of work on this. I'd be very surprised if there are unanticipated and unhandled issues here.
Comment 2•11 years ago
Well, there is one really big unhandled issue: bug 845899. I suspect LICM etc. is also totally broken in view of neutering (we just emit constants for singleton objects). Fortunately, the fix for bug 845899 would fix all these since it simply discards all JIT code that depends on a singleton typed array.
Updated•11 years ago
Comment 3•11 years ago
How do you neuter an ArrayBuffer in the shell?
Comment 4•11 years ago
Last time I looked, there wasn't a way to simulate the transfer of an ArrayBuffer between web workers in the shell. I definitely agree there should be.
Comment 6•11 years ago
(In reply to Jesse Ruderman from comment #3)
> How do you neuter an ArrayBuffer in the shell?

(You know this now, but) there is now a shell primitive neuter(buffer). Alternatively, you can do serialize(typedarray, [typedarray.buffer]).

(In reply to Andrew McCreight [:mccr8] from comment #5)
> Steve, is there anything to do here?

As luke said, bug 845899. I'll leave a comment there.
Flags: needinfo?(sphink)
Comment 7•11 years ago
Yep, jsfunfuzz now calls neuter() in the shell :)
Updated•10 years ago
Group: javascript-core-security
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security, javascript-core-security