Adobe Flash incorrect jit optimization with op_setglobalslot

[GoogleCodeExporter]

See previous similar bugs for more details.

op_setglobalslot is marked as not throwing an exception in opcodes.tbl, yet 
looking at the verifier:

opcode.tbl:

//              opCount  throw  stack  internal  name                   hex     

ABC_OP(         0,       0,     -1,    0,        pushscope)             // 0x30 

            case OP_setglobalslot:
            {
                // FIXME need test case
                const ScopeTypeChain* scope = info->declaringScope();
                if (!state->scopeDepth && !scope->size)
                    verifyFailed(kNoGlobalScopeError);
                Traits *globalTraits = scope->size > 0 ? scope->getScopeTraitsAt(0) : state->scopeValue(0).traits;
                checkStack(1,0);
                checkEarlySlotBinding(globalTraits);
                Traits* slotTraits = checkSlot(globalTraits, imm30-1);
                emitCoerce(slotTraits, state->sp());              <-- (a)
                coder->writeOp1(state, pc, opcode, imm30-1, slotTraits);
                state->pop();
                break;
            }

At point (a) we can invoke a callback during the coercion if the particular 
slot of the global object has an early-bound trait of a type which can invoke a 
callback and we provide an object which implements such a callback (for 
example, the global object has a slot with an early-bound String and we provide 
an object atom which implements toString, as the attached PoC does.)

If that callback throws an exception then this will invoke a control-flow path 
not seen by the verifier which can be abused to achieve code execution.

PoC attached for avmshell.

Original issue reported on code.google.com by ianb...@google.com on 23 Sep 2014 at 6:34

Attachments:

• setglobalslot_crash_avmshell.abc

[GoogleCodeExporter]

Original comment by ianb...@google.com on 23 Sep 2014 at 6:41

• Added labels: ReportedOn-2014-September-23

[GoogleCodeExporter]

Original comment by ianb...@google.com on 23 Sep 2014 at 7:13

• Added labels: ReportedOn-2014-Sep-23
• Removed labels: ReportedOn-2014-September-23

[GoogleCodeExporter]

Original comment by ianb...@google.com on 24 Sep 2014 at 9:16

• Added labels: Id-3051

[GoogleCodeExporter]

Original comment by cev...@google.com on 8 Nov 2014 at 2:36

• Added labels: CVE-2014-0584

[GoogleCodeExporter]

http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Original comment by cev...@google.com on 20 Nov 2014 at 1:24

• Changed state: Fixed
• Added labels: Fixed-2014-Nov-11
• Removed labels: Restrict-View-Commit