  1. JDK
  2. JDK-8030197

Nashorn: Object.defineProperty() can be lured to change fixed NaN property

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 8u20
    • Fix Version/s: 9
    • Component/s: core-libs
    • Resolved In Build:
      b04
    • OS:
      linux_ubuntu

        Description

        FULL PRODUCT VERSION :


        A DESCRIPTION OF THE PROBLEM :
        Object.defineProperty() can be lured to change a non-writable, non-configurable property, if the property value is a NaN value. The issue is caused by a non-compliant implementation of [[DefineOwnProperty]] (ES5.1 - 8.12.9), see the early return in step 6 of that algorithm.

        This is mainly a problem for SES (Secure EcmaScript) and similar approaches. IIRC the problem would be considered a covert channel in the SES model.

        Nashorn version: hg tip 18edd7a1b166

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
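        // Returns the IEEE-754 bit pattern of n as 16 hex digits
        // (reduceRight emits the most significant byte first on a little-endian host).
        function dec(n) {
          var a = new Uint8Array(new Float64Array([n]).buffer);
          // Pad bytes below 0x10 so every byte contributes two hex digits.
          return Array.apply(null, a).reduceRight(function(acc, v){return acc + (v < 16 ? "0" : "") + v.toString(16)}, "");
        }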

        jjs> o = Object.defineProperty({}, "NaN", {value: NaN})
        [object Object]
        jjs> dec(o.NaN)
        7ff8000000000000
        jjs> Object.defineProperty(o, "NaN", {value: 0/0})
        [object Object]
        jjs> dec(o.NaN)
        fff8000000000000

        Expected: `o.NaN` is still the same NaN bit pattern, i.e. 7ff8000000000000
        Actual: `o.NaN` bit pattern changed, i.e. fff8000000000000


        REPRODUCIBILITY :
        This bug can be reproduced always.
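
Added example, not part of the original report and not Nashorn's code: a JavaScript model of ES5.1 8.12.9 for a descriptor that carries only [[Value]], run with and without the step 6 early return. Numbers are held as raw bit patterns in BigInt so the result does not depend on how the host engine canonicalizes NaN; `defineOwnProperty`, `sameValue`, `redefine` and the `step6` switch are names made up for this sketch.

```javascript
// Model of ES5.1 8.12.9 for one data property. Values are IEEE-754 bit
// patterns (BigInt), so NaN payloads stay visible on any host engine.
const EXP = 0x7ff0000000000000n;
const MANT = 0x000fffffffffffffn;

// NaN: exponent bits all ones and a non-zero mantissa.
const isNaNBits = (b) => (b & EXP) === EXP && (b & MANT) !== 0n;

// SameValue (ES5.1 9.12) restricted to Numbers: every NaN equals every NaN,
// +0 and -0 differ, everything else compares by bit pattern.
function sameValue(x, y) {
  if (isNaNBits(x) && isNaNBits(y)) return true;
  return x === y;
}

// current: {value, writable, configurable}; desc: {value}.
// step6 toggles the early return (hypothetical switch for this sketch).
// Returns true on success, false for Reject.
function defineOwnProperty(current, desc, step6) {
  // Step 6: return before touching anything if desc already matches.
  if (step6 && sameValue(desc.value, current.value)) return true;
  // Step 10.a.ii: a non-writable, non-configurable property rejects a
  // value that is not SameValue to the current one.
  if (!current.configurable && !current.writable &&
      !sameValue(desc.value, current.value)) return false;
  // Step 12: copy the descriptor's fields onto the property.
  current.value = desc.value;
  return true;
}

const hex = (b) => b.toString(16).padStart(16, "0");

// Bit patterns taken from the jjs session in the report.
const FIRST_NAN = 0x7ff8000000000000n;
const SECOND_NAN = 0xfff8000000000000n;

function redefine(step6) {
  const prop = { value: FIRST_NAN, writable: false, configurable: false };
  const ok = defineOwnProperty(prop, { value: SECOND_NAN }, step6);
  return { ok, bits: hex(prop.value) };
}

console.log("with step 6:   ", redefine(true));
console.log("without step 6:", redefine(false));
```

Without step 6 the call still succeeds, because the SameValue check in step 10 passes for any two NaNs, and step 12 then stores the new payload.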

                People

                • Assignee:
                  sundar Sundararajan Athijegannathan
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0
                  Watchers:
                  3
