Issue 624713 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	titzer@chromium.org
Closed:	Jun 2016
Cc:	yangguo@chromium.org verwa...@chromium.org
Components:	Blink>JavaScript>Runtime
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	----
Type:	Bug-Security
Security_Impact-Head allpublic

Security: Calling from WASM to JS should not pass the global object

Project Member Reported by titzer@chromium.org, Jun 30 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 51+

REPRODUCTION CASE
Calls to JavaScript functions from WASM pass the global object as the receiver. Instead such calls should use the CallFunctionStub which should swap out the global object with the global proxy or undefined.

Comment 1 by yangguo@chromium.org, Jun 30 2016

Are the semantics already spec'ed or can we just always pass undefined?

Comment 2 by titzer@chromium.org, Jun 30 2016

The semantics aren't spec'ed yet, but probably likely that we'll want the same effect as if calling "foo()" without a receiver in JS; so that means receiver conversion.

Project Member

Comment 3 by bugdroid1@chromium.org, Jun 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/971731f354842236f3643b7f771f8aac89ac2ef3

commit 971731f354842236f3643b7f771f8aac89ac2ef3
Author: titzer <titzer@chromium.org>
Date: Thu Jun 30 09:40:32 2016

[wasm] Fix receiver conversion for WASM->JS calls.

R=yangguo@chromium.org,ahaas@chromium.org
BUG= chromium:624713 
LOG=Y

Review-Url: https://codereview.chromium.org/2111843002
Cr-Commit-Position: refs/heads/master@{#37428}

[modify] https://crrev.com/971731f354842236f3643b7f771f8aac89ac2ef3/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/971731f354842236f3643b7f771f8aac89ac2ef3/test/mjsunit/wasm/import-table.js
[add] https://crrev.com/971731f354842236f3643b7f771f8aac89ac2ef3/test/mjsunit/wasm/receiver.js

Comment 4 by titzer@chromium.org, Jun 30 2016

Status: Fixed (was: Unconfirmed)

Project Member

Comment 5 by sheriffbot@chromium.org, Jun 30 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 by awhalley@chromium.org, Jul 6 2016

Labels: Security_Impact-Head

Project Member

Comment 7 by sheriffbot@chromium.org, Oct 6 2016

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 624713 link

Issue metadata

Security: Calling from WASM to JS should not pass the global object

Issue description

Comment 1 by yangguo@chromium.org, Jun 30 2016

Comment 1 Deleted

Comment 2 by titzer@chromium.org, Jun 30 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Jun 30 2016

Comment 3 Deleted

Comment 4 by titzer@chromium.org, Jun 30 2016

Comment 4 Deleted

Comment 5 by sheriffbot@chromium.org, Jun 30 2016

Comment 5 Deleted

Comment 6 by awhalley@chromium.org, Jul 6 2016

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Oct 6 2016

Comment 7 Deleted

Sign in to add a comment