[SERVER-20375] Crash when calling objects with manipulated __proto__

Created: 11/Sep/15 | Updated: 07/Oct/15 | Resolved: 18/Sep/15

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | JavaScript |
| Affects Version/s | 3.1.7 |
| Fix Version/s | 3.1.9 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Spencer Jackson |
| Assignee | Mira Carey |
| Resolution | Done |
| Votes | 0 |
| Labels | spidermonkey |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Attachments | |
| Backwards Compatibility | Fully Compatible |
| Operating System | ALL |
| Sprint | Platform 9 (09/18/15) |
| Participants | |

Description

It is possible to get and set arbitrary C++ pointers in private fields on JS objects. It is possible to create an object which appears to be of a type that had a field set, but which wasn't created as such. Calling functions on it that access these fields can result in a crash.
Comments

Comment by Githook User [ 18/Sep/15 ]

Author: Jason Carey (hanumantmk, jcarey@argv.me)
Message: This constrains universal access to wraptype methods by providing a In this way we can lock down all methods without having to add uasserts
Comment by Spencer Jackson [ 11/Sep/15 ]

I've identified some more cases, which I've added to the attached js file.