On Sunday, April 24, 2016, juj j <[email protected]> wrote:

> Indeed it is possible to nuke the function pointer table, but I don't
> think this is a vulnerability. In order to be a security issue, it would
> mean there would have to be some kind of escalation to occur. Handwritten
> JavaScript and asm.js C/C++ code should be viewed at the same security
> level or arena in a sense, since the developer is in control of the both.
> Asm.js does not propose a new security layer where handwritten JS outside
> the asm.js module could be allowed to be considered untrusted, but the
> usual web security imposed via domain rules applies here.
>

There's no need for untrusted handwritten js here; you just need some
function in the asm.js module that you can call that does something you as
an attacker want and has the same call signature as the function pointer
that gets overwritten.

The rough equivalent in native code is things like forcing a call or return
into another part of the executable or standard library that happens to do
something the attacker finds useful.

Getting something useful out of the exploit might well piggyback on some
further vector once you're inside, such as producing malicious html that
later gets inserted into the document by code outside the emscripten module
(or could you manage to call something more directly via embind::val etc?)
-- but that's not code the attacker has to inject previously ... If they
could do that, no need to bother with buffer overflows in the asm.js.

-- brion
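An added illustration of the mechanism brion describes above; this is not code from the thread or from Emscripten. It is a hand-written JavaScript module shaped like asm.js output: a linear heap, a fixed-signature function table, and an indirect call that reads its table index out of the heap. Every name in it (HEAP32, FUNCTION_TABLE_ii, logDigest, setInnerHtml, unsafeCopy, boundedCopy, runScenario) and the heap layout are assumptions made for the example. An unbounded copy into a neighbouring buffer overwrites the stored index, and because every entry in an `ii` table has the same signature, the redirected call lands on whichever function already in the table the attacker picks; asm.js masks the index to the table size, so an out-of-range value wraps to a live entry instead of faulting.

```javascript
// Added example, not part of the original thread. All names and the
// memory layout are assumptions chosen for illustration.

// Linear memory, as an asm.js module would receive it.
const buffer = new ArrayBuffer(1 << 16);
const HEAP32 = new Int32Array(buffer); // platform-endian, as in asm.js
const HEAPU8 = new Uint8Array(buffer);

// Hypothetical module-side functions. Only logDigest is meant to be
// reachable through the stored pointer; setInnerHtml is in the table for
// other callers but has the same (int) -> int signature.
const sinkLog = [];
function logDigest(p) { sinkLog.push('log:' + p); return 0; }
function setInnerHtml(p) { sinkLog.push('html:' + p); return 1; }

// asm.js-style table: power-of-two size, indexed with a mask. Every entry
// shares the "ii" signature, so any entry is a type-valid substitute for
// any other.
const FUNCTION_TABLE_ii = [logDigest, setInnerHtml, logDigest, setInnerHtml];
const TABLE_MASK = FUNCTION_TABLE_ii.length - 1; // 3

// Assumed struct layout in the heap (byte offsets):
//   0..15  : char name[16]      (copy target)
//   16..19 : int (*cb)(int)     (stored as a table index)
const NAME_OFFSET = 0;
const NAME_CAP = 16;
const CB_OFFSET = 16;

// Hypothetical unbounded copy (strcpy-like): writes src plus a NUL with no
// regard for the 16-byte name field, so a long input runs into cb.
function unsafeCopy(dstOffset, src) {
  for (let i = 0; i < src.length; i++) HEAPU8[dstOffset + i] = src.charCodeAt(i) & 0xff;
  HEAPU8[dstOffset + src.length] = 0;
}

// Hardened counterpart: truncates to the field size, always NUL-terminates.
function boundedCopy(dstOffset, src) {
  const n = Math.min(src.length, NAME_CAP - 1);
  for (let i = 0; i < n; i++) HEAPU8[dstOffset + i] = src.charCodeAt(i) & 0xff;
  HEAPU8[dstOffset + n] = 0;
}

// Indirect call through the table, the way asm.js lowers `cb(arg)`:
// load the index from the heap, mask it to the table size, call.
function callIndirect(cbOffset, arg) {
  const idx = HEAP32[cbOffset >> 2] | 0;
  return FUNCTION_TABLE_ii[idx & TABLE_MASK](arg) | 0;
}

// The program stores logDigest's index (0) as its callback, copies
// attacker-controlled input into name[], then calls through cb.
// Returns what actually ran, joined with ';'.
function runScenario(input, copy = unsafeCopy) {
  HEAPU8.fill(0, 0, 32);
  sinkLog.length = 0;
  HEAP32[CB_OFFSET >> 2] = 0;   // cb = &logDigest
  copy(NAME_OFFSET, input);     // overflow lands on cb when input >= 16 bytes
  callIndirect(CB_OFFSET, 42);
  return sinkLog.join(';');
}

// Constructed inputs: 16 filler bytes reach cb; the 17th byte becomes the
// low byte of the stored index (the copy's NUL zeroes the next byte).
console.log(runScenario('benign'));                                // log:42
console.log(runScenario('A'.repeat(16) + '\x01'));                 // html:42
console.log(runScenario('A'.repeat(16) + '\x05'));                 // html:42 (5 & 3 == 1)
console.log(runScenario('A'.repeat(16) + '\x01', boundedCopy));    // log:42
```

Run it with node. The input that overwrites the index with 1 redirects the call from logDigest to setInnerHtml, and 5 reaches the same entry through the mask rather than throwing; with the bounded copy the stored index survives and logDigest runs. Nothing is injected: the attacker only chooses among functions the table already holds, which is the asm.js analogue of the native return-into-existing-code trick the message mentions.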
