Closed Bug 355655 Opened 18 years ago Closed 18 years ago

running script can be recompiled (CVE-2006-5463)

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: sync2d, Assigned: brendan)

References

Details

(Keywords: crash, verified1.8.0.8, verified1.8.1, Whiteboard: [sg:critical?])

Attachments

(4 files, 4 obsolete files)

$ dbg.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
Assertion failure: map->vector && i < map->length, at jsatom.c:919

$ opt.obj/js -e "t='1';s=Script('s.compile(t);print(t);');s();"
=> crash

You can execute arbitrary interpreter bytecodes using this bug.
Severity: normal → critical
Attached file proof of concept (deleted) —
$ dbg.obj/js script-recompile.txt uncaught exception: this should never be thrown!
This is a shell-only bug (please confirm), since Script is deconfigured in the Mozilla client embeddings. /be
(In reply to comment #2)
> This is a shell-only bug (please confirm), since Script is deconfigured in the
> Mozilla client embeddings.

I can crash in 1.8 from today using Jesse's shell with the example code:

TB24198572
js_LookupPropertyWithFlags [mozilla/js/src/jsobj.c, line 3107]
js_LookupProperty [mozilla/js/src/jsobj.c, line 3082]
with_LookupProperty [mozilla/js/src/jsobj.c, line 1753]
js_FindProperty [mozilla/js/src/jsobj.c, line 3291]
js_Interpret [mozilla/js/src/jsinterp.c, line 4198]
js_Execute [mozilla/js/src/jsinterp.c, line 1619]
script_exec [mozilla/js/src/jsscript.c, line 329]
script_call [mozilla/js/src/jsscript.c, line 846]
js_Invoke [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret [mozilla/js/src/jsinterp.c, line 4115]
js_Execute [mozilla/js/src/jsinterp.c, line 1619]
obj_eval [mozilla/js/src/jsobj.c, line 1357]
js_Invoke [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret [mozilla/js/src/jsinterp.c, line 4115]
js_Execute [mozilla/js/src/jsinterp.c, line 1619]
JS_EvaluateUCScriptForPrincipals [mozilla/js/src/jsapi.c, line 4375]
nsJSContext::EvaluateString [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100]
nsJSThunk::EvaluateScript [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 302]
nsJSChannel::InternalOpen [mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp, line 566]
...

and Script appears to be available to Firefox from what I can tell.
Flags: blocking1.8.1?
Attached patch fix (deleted) — Splinter Review
I'm horrified by the Script object, and want to remove it. It was a youthful exuberance that's not standard, not thread safe, and probably not memory safe even with this patch. For 1.9, all that should be left of jsscript.c are the internal APIs used by the code generator and debug/introspection modules (perhaps some of the utility functions in jsemit.c could move to jsscript.c, as a cleanup). Anyway, this is a minimal patch to close the self-modifying script hole. It does not detect oldscript running on other contexts, but that "can't happen" without a run-to-completion violation. The only known r2c violations have to do with events and timeouts/intervals nesting while a modal dialog is running. All modal dialog script is sourced in .xul files or .js files, not generated via new Script. /be
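As an added illustration (constructed example code, not the patch attached to this bug and not SpiderMonkey code), the following toy interpreter in C shows the shape of the hole and of the guard the comment describes: a script that recompiles itself while running replaces the bytecode buffer the interpreter is reading, and the guard refuses a compile over any script found on the current context's frame stack. It also shows the limitation stated above: a script that some other context is running is not on this context's stack, so the guard does not see it. The Script and Context types, the opcodes, the error strings and the scenario functions are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model, not SpiderMonkey code. A Script owns a bytecode buffer that
 * the interpreter reads through a pointer cached at entry; recompiling frees and
 * replaces that buffer. A Context is one execution context with its frame stack. */
typedef struct Script { unsigned char *code; size_t length; } Script;
#define MAX_FRAMES 16
typedef struct Context { Script *frames[MAX_FRAMES]; int depth; const char *error; } Context;
enum { OP_PUSH = 1, OP_ADD = 2, OP_RECOMPILE = 3, OP_RET = 4 };   /* hypothetical opcodes */
static const char *ERR_EXECUTING = "cannot compile over a script that is currently executing";
static const char *ERR_REPLACED  = "bytecode replaced under a running interpreter";
static const char *last_error;      /* error (or NULL) left by the most recent scenario */

static Script *script_new(const unsigned char *src, size_t n) {
    Script *s = calloc(1, sizeof *s);
    s->code = malloc(n); memcpy(s->code, src, n); s->length = n;
    return s;
}
static void script_free(Script *s) { free(s->code); free(s); }

/* Vulnerable shape: swaps the buffer with no regard for who is executing it. */
static int script_compile_unguarded(Script *s, const unsigned char *src, size_t n) {
    unsigned char *fresh = malloc(n);
    memcpy(fresh, src, n);
    free(s->code);                  /* an interpreter still on the old buffer is now stale */
    s->code = fresh; s->length = n;
    return 1;
}

/* Guarded shape, modelled on the comment: refuse if the script is on this context's
 * frame stack. Other contexts are not visited, the limitation the comment notes. */
static int script_compile_guarded(Context *cx, Script *s, const unsigned char *src, size_t n) {
    for (int i = 0; i < cx->depth; i++)
        if (cx->frames[i] == s) { cx->error = ERR_EXECUTING; return 0; }
    return script_compile_unguarded(s, src, n);
}

/* Run s on cx; OP_RECOMPILE recompiles `target` to {PUSH 99; RET}. Returns the OP_RET
 * value, or -1 with cx->error set. Instead of fetching from a freed buffer, the loop
 * notices that the cached base pointer no longer matches s->code and reports that. */
static int interpret(Context *cx, Script *s, Script *target, int guarded) {
    static const unsigned char replacement[] = { OP_PUSH, 99, OP_RET };
    if (cx->depth >= MAX_FRAMES) { cx->error = "too much recursion"; return -1; }
    cx->frames[cx->depth++] = s; cx->error = NULL;
    const unsigned char *code = s->code;        /* cached, like an interpreter's pc base */
    uintptr_t code_id = (uintptr_t)code;
    size_t len = s->length, pc = 0;
    int stack[16], sp = 0, result = -1;
    while (pc < len && cx->error == NULL) {
        switch (code[pc++]) {
        case OP_PUSH: stack[sp++] = code[pc++]; break;
        case OP_ADD:  sp--; stack[sp - 1] += stack[sp]; break;
        case OP_RET:  result = stack[--sp]; pc = len; break;   /* stop after the check below */
        case OP_RECOMPILE:
            if (guarded) script_compile_guarded(cx, target, replacement, sizeof replacement);
            else         script_compile_unguarded(target, replacement, sizeof replacement);
            break;
        default: cx->error = "bad opcode"; break;
        }
        if ((uintptr_t)s->code != code_id)      /* stand-in for the use-after-free */
            cx->error = ERR_REPLACED;
    }
    cx->depth--;
    return cx->error ? -1 : result;
}

/* A script that recompiles itself mid-execution, the shape of the bug's PoC. */
static const unsigned char SELF_MODIFYING[] = { OP_PUSH, 1, OP_PUSH, 2, OP_RECOMPILE, OP_ADD, OP_RET };

/* Unguarded: -1 with ERR_REPLACED. Guarded: -1 with ERR_EXECUTING, buffer untouched. */
static int run_self_recompile(int guarded) {
    Context cx = {0};
    Script *s = script_new(SELF_MODIFYING, sizeof SELF_MODIFYING);
    int r = interpret(&cx, s, s, guarded);
    last_error = cx.error;
    script_free(s);
    return r;
}

/* The guard passes for a script not on the caller's own stack, including one that
 * another context is running: returns 5, and s was recompiled under cx2's feet. */
static int run_cross_context(void) {
    Context cx1 = {0}, cx2 = {0};
    static const unsigned char compiler[] = { OP_RECOMPILE, OP_PUSH, 5, OP_RET };
    Script *s = script_new(SELF_MODIFYING, sizeof SELF_MODIFYING), *c = script_new(compiler, sizeof compiler);
    cx2.frames[cx2.depth++] = s;               /* pretend cx2 is mid-execution of s */
    int r = interpret(&cx1, c, s, 1);
    last_error = cx1.error;
    script_free(s); script_free(c);
    return r;
}

int main(void) {
    int r = run_self_recompile(0); printf("unguarded self-recompile: %d (%s)\n", r, last_error ? last_error : "ok");
    r = run_self_recompile(1);     printf("guarded self-recompile: %d (%s)\n", r, last_error ? last_error : "ok");
    printf("guarded compile of a script running on another context: %d\n", run_cross_context());
    return 0;
}
```

The interpreter never dereferences the stale pointer; the pointer comparison after OP_RECOMPILE stands in for the read of freed memory that a real engine would perform on its next instruction fetch. The guarded compile raises an error, which is the behaviour the regression test in this bug expects, and the cross-context scenario is the case the comment explicitly leaves to the run-to-completion rule.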
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #241468 - Flags: review?(igor.bukanov)
Attachment #241468 - Flags: approval1.8.1?
Attachment #241468 - Flags: review?(igor.bukanov) → review+
Fixed on trunk (checking message mentions attachment number):

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.72; previous revision: 3.71
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.116; previous revision: 3.115
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Blocks: sbb?
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical?]
In Firefox 1.5.0.7+ I get the "this should never be thrown!" exception, but no crash. In Firefox 2 I crash TB24233863, somewhat different stack from comment 3.
Attached file js1_5/Regress/regress-355655.js (obsolete) (deleted) —
Flags: in-testsuite+
Attached file js1_5/Regress/regress-355655.js (obsolete) (deleted) —
catch error
Attachment #241538 - Attachment is obsolete: true
verified fixed 1.9 20061007 windows/linux
Status: RESOLVED → VERIFIED
Depends on: 355982
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 241468 [details] [diff] [review]
fix

Approved for RC3.
Attachment #241468 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch, along with bug 355982:

Checking in js.msg;
/cvsroot/mozilla/js/src/js.msg,v  <--  js.msg
new revision: 3.43.8.13; previous revision: 3.43.8.12
done
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.15; previous revision: 3.79.2.14
done

/be
Keywords: fixed1.8.1
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment on attachment 241468 [details] [diff] [review]
fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #241468 - Flags: approval1.8.0.8+
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
Attached patch 1.8.0 branch patch (obsolete) (deleted) — Splinter Review
There are no unused slots on the branch, so adding to the end.
Attached patch 1.8.0 branch patch (obsolete) (deleted) — Splinter Review
oops, wrong patch...
Attachment #242584 - Attachment is obsolete: true
Attachment #242585 - Flags: review?(brendan)
Attachment #242585 - Flags: approval1.8.0.8?
Attachment #241468 - Flags: approval1.8.0.8+
Comment on attachment 242585 [details] [diff] [review]
1.8.0 branch patch

Please include the null test patch from bug 355982 (which this bug's patch regressed on trunk and was fixed all at once with this bug for the 1.8 branch). /be
Attachment #242585 - Flags: review?(brendan) → review-
Attachment #242585 - Attachment is obsolete: true
Attachment #242682 - Flags: review?
Attachment #242585 - Flags: approval1.8.0.8?
Attachment #242682 - Flags: review? → review?(brendan)
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

r=me, thanks. /be
Attachment #242682 - Flags: review?(brendan) → review+
Comment on attachment 242682 [details] [diff] [review]
1.8.0 branch patch (with null check)

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #242682 - Flags: approval1.8.0.8? → approval1.8.0.8+
mozilla/js/src/js.msg 3.43.8.2.2.2
mozilla/js/src/jsscript.c 3.79.2.5.2.2
Keywords: fixed1.8.0.8
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.8pre) Gecko/20061020 Firefox/1.5.0.8pre, no crash or uncaught exception with PoC.
This is old code, aviary/moz1.7 should get this fix as well.
Flags: blocking1.7.14+
Flags: blocking-aviary1.0.9+
This has been assigned CVE-2006-5463
Summary: running script can be recompiled → running script can be recompiled (CVE-2006-5463)
CCing moz_bug_r_a4 so he can understand what he found in bug 367121.
pvnick is doing a bit of research on XSS and also gathering up bugs with security-related test cases to help add to the regression/certification test suites. Adding him to the CC list in these...
Attached file js1_5/Regress/regress-355655.js (deleted) —
Error message has changed due to bug 376121.
Attachment #241573 - Attachment is obsolete: true
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-355655.js,v <-- regress-355655.js initial revision: 1.1