[SERVER-20375] Crash when calling objects with manipulated __proto__ Created: 11/Sep/15  Updated: 07/Oct/15  Resolved: 18/Sep/15

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 3.1.7
Fix Version/s: 3.1.9

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: spidermonkey
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File SERVER-20375.js
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platform 9 (09/18/15)
Participants:

Description

It is possible to get and set arbitrary C++ pointers in private fields on JS objects. It is possible to create an object which appears to be a type which had a field set, but wasn't created as such. Using functions on it which access these fields can result in a crash.

Comments
Comment by Githook User [ 18/Sep/15 ]

Author:

Jason Carey (username: hanumantmk, email: jcarey@argv.me)

Message: SERVER-20375 Constrain JS method thisv

This constrains universal access to wraptype methods by providing a
JS_ATTACH_JS_CONSTRAINED_METHOD() macro which allows for a list of types
that are allowed to call said method.

In this way we can lock down all methods without having to add uasserts
to each individual method body.

Branch: master
https://github.com/mongodb/mongo/commit/041e4fe737342bf40a6aedb7a04d8d99ba20e213
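Added example, not MongoDB code and not the attached SERVER-20375.js: a plain-JavaScript model of the bug class in the description and of the receiver check the commit message introduces. A WeakMap stands in for the private slot that holds the C++ pointer in the real shell, `NativeCursor`, `CursorProto` and `createCursor` are hypothetical names, and `nextUnconstrained` versus `nextConstrained` show a wrap-type method before and after it verifies that `this` was actually created by the wrapper's own constructor rather than merely inheriting from its prototype. The "crash" is modelled as a TypeError from dereferencing the missing slot; the hardened method rejects such a receiver up front, which is what the constrained-method macro does for every method at once instead of per-method uasserts.

```javascript
"use strict";

// Private slot store: stands in for the JSClass private field that holds a
// native (C++) pointer. Nothing on the object itself reveals whether it is set.
const privateSlot = new WeakMap();

// Hypothetical stand-in for the native object behind the wrapper.
class NativeCursor {
  constructor(id) { this.id = id; this.pos = 0; }
  next() { return `${this.id}:${this.pos++}`; }
}

// Prototype shared by genuine wrapper objects; the method is attached below.
const CursorProto = {};

// The only legitimate way to create a wrapper: the private slot is populated here.
function createCursor(id) {
  const wrapper = Object.create(CursorProto);
  privateSlot.set(wrapper, new NativeCursor(id));
  return wrapper;
}

// Unconstrained method: assumes any receiver reaching it owns a populated slot.
// A receiver that merely has CursorProto on its chain has no slot, so the
// dereference below fails; in native code this is the crash the ticket describes.
function nextUnconstrained() {
  const native = privateSlot.get(this);   // undefined for a receiver not made by createCursor
  return native.next();
}

// Constrained method: refuse any receiver that createCursor did not produce.
// This is the role of the thisv check the fix attaches to each wrap-type method.
function nextConstrained() {
  if (!privateSlot.has(this)) {
    throw new TypeError("next() called on an object that is not a Cursor");
  }
  return privateSlot.get(this).next();
}

CursorProto.next = nextConstrained;

// Constructed input: an object whose prototype says "Cursor" but whose slot was
// never set, i.e. the shape produced by manipulating __proto__ as in the ticket.
function forgeReceiver() {
  return Object.create(CursorProto);
}

// Calls a method with the given receiver and reports the outcome as data.
function invoke(method, receiver) {
  try {
    return { ok: true, value: method.call(receiver) };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

// Runs both methods against a genuine wrapper and a forged receiver.
function demo() {
  const genuine = createCursor("c1");
  const forged = forgeReceiver();
  return {
    genuineUnconstrained: invoke(nextUnconstrained, genuine),
    forgedUnconstrained: invoke(nextUnconstrained, forged),
    genuineConstrained: invoke(nextConstrained, genuine),
    forgedConstrained: invoke(nextConstrained, forged),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The design point is that the prototype chain is attacker-controlled data, while WeakMap membership (like the slot being set by the real constructor) is not: the receiver check keys off the latter, so a single guard placed in front of every method closes the whole class of forged-receiver calls rather than relying on each method body to remember its own assertion.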

Comment by Spencer Jackson [ 11/Sep/15 ]

I've identified some more cases, which I've added to the attached js file.
