Closed Bug 894956 Opened 8 years ago Closed 8 years ago

Use-After-Free with JS::CompileOptions

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 893684

People

(Reporter: bholley, Unassigned)

References

Details

(Keywords: sec-critical)

This is being discussed in another bug, but I'm pretty sure it's s-s. So I'm filing a security bug here.

Basically, asm.js does a shallow copy of CompileOptions, and sticks it on the heap (see bug 892643 comment 5). But CompileOptions has a caller-allocated filename char*. And while there's no explicitly-documented contract of its lifetime, the only sane thing to assume is that it's stack-scoped along with the CompileOptions struct. So when we stick a copy of CompileOptions on the heap, we end up with a pointer to soon-to-be-dead memory, which is likely to cause a use-after-free.

This is blocking gabor in bug 877673.
Blocks: 877673
(though actually we may never write to it, so it might not be sec-critical. But either way this is simple enough that we should just fix it pronto).
Fix should land today.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 893684
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.