- Bug
- Resolution: Fixed
- P3
- 8u20
- b04
- linux_ubuntu
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8045076 | 8u25 | Sundararajan Athijegannathan | P3 | Resolved | Fixed | b01 |
JDK-8037993 | 8u20 | Sundararajan Athijegannathan | P3 | Resolved | Fixed | b09 |
JDK-8052476 | emb-8u26 | Sundararajan Athijegannathan | P3 | Resolved | Fixed | b18 |
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
Object.defineProperty() can be lured to change a non-writable, non-configurable property, if the property value is a NaN value. The issue is caused by a non-compliant implementation of [[DefineOwnProperty]] (ES5.1 - 8.12.9), see the early return in step 6 of that algorithm.
This is mainly a problem for SES (Secure EcmaScript) and similar approaches. IIRC the problem would be considered a covert channel in the SES model.
Nashorn version: hg tip 18edd7a1b166
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
```javascript
// Print the IEEE-754 bit pattern of a double as 16 hex digits.
function dec(n) {
  var a = new Uint8Array(new Float64Array([n]).buffer);
  // Bytes are little-endian, so fold from the right to emit the most significant byte first;
  // pad bytes below 0x10 to two hex digits.
  return Array.apply(null, a).reduceRight(function (acc, v) { return acc + (v < 16 ? "0" : "") + v.toString(16); }, "");
}
```

```
jjs> o = Object.defineProperty({}, "NaN", {value: NaN})
[object Object]
jjs> dec(o.NaN)
7ff8000000000000
jjs> Object.defineProperty(o, "NaN", {value: 0/0})
[object Object]
jjs> dec(o.NaN)
fff8000000000000
```
Expected: `o.NaN` is still the same NaN bit pattern, i.e. 7ff8000000000000
Actual: `o.NaN` bit pattern changed, i.e. fff8000000000000
REPRODUCIBILITY :
This bug can be reproduced always.
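The spec step the report points at, as an added example that is not Nashorn's code: a model of the data-descriptor path of ES5.1 8.12.9 for a single property whose value slot keeps the raw IEEE-754 bits (as a primitive double slot in an engine would), with the compliant early return at step 6 beside the fall-through shape that writes the value back anyway. The helper names, the BigInt slot representation and the two NaN constants are assumptions of this example.

```javascript
// Model of the data-descriptor path of ES5.1 [[DefineOwnProperty]] (8.12.9)
// for one property whose value slot stores raw IEEE-754 bits, as an engine's
// primitive double slot does. Assumed helper names; not Nashorn's code.

// Raw bit pattern <-> Number. Keeping the slot as a BigInt means NaN payloads
// are preserved by construction rather than by the host engine.
const view = new DataView(new ArrayBuffer(8));
function toBits(n) { view.setFloat64(0, n); return view.getBigUint64(0); }
function fromBits(b) { view.setBigUint64(0, b); return view.getFloat64(0); }
function bitsHex(b) { return b.toString(16).padStart(16, "0"); }

// SameValue (ES5.1 9.12): every NaN is the same value, +0 and -0 are not.
function sameValue(aBits, bBits) { return Object.is(fromBits(aBits), fromBits(bBits)); }

const CANONICAL_NAN = 0x7ff8000000000000n; // the NaN literal (Double.NaN)
const NEGATIVE_NAN  = 0xfff8000000000000n; // the 0/0 pattern seen in the report

// Step 6: when every field of Desc is SameValue to the current property, return
// true without writing anything. Otherwise a non-configurable, non-writable data
// property rejects a changed value (step 10.a.ii).
function defineCompliant(prop, descBits) {
  if (sameValue(prop.bits, descBits)) return true;   // early return, no write
  if (!prop.configurable && !prop.writable) throw new TypeError("cannot redefine");
  prop.bits = descBits;
  return true;
}

// The non-compliant shape: SameValue only decides whether to reject, then the
// "identical" value is written back unconditionally, so the NaN payload changes.
function defineBuggy(prop, descBits) {
  if (!sameValue(prop.bits, descBits) && !prop.configurable && !prop.writable) {
    throw new TypeError("cannot redefine");
  }
  prop.bits = descBits;
  return true;
}

// Freeze a canonical NaN into the property, redefine it with the other NaN, and
// report the resulting bits, like the dec(o.NaN) calls in the report.
function redefineFrozenNaN(define) {
  const prop = { bits: CANONICAL_NAN, writable: false, configurable: false };
  define(prop, NEGATIVE_NAN);
  return bitsHex(prop.bits);
}

console.log(redefineFrozenNaN(defineCompliant)); // 7ff8000000000000
console.log(redefineFrozenNaN(defineBuggy));     // fff8000000000000
```

A conformance check for an engine would assert the first result; the second is the observable the report calls a covert channel, since the bits of a "frozen" value are chosen by whoever calls defineProperty last.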
- backported by
  - JDK-8037993 Nashorn: Object.defineProperty() can be lured to change fixed NaN property (Resolved)
  - JDK-8045076 Nashorn: Object.defineProperty() can be lured to change fixed NaN property (Resolved)
  - JDK-8052476 Nashorn: Object.defineProperty() can be lured to change fixed NaN property (Resolved)