Security issue with dart:io + dart:mirrors #10963
Labels
area-core-library
SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries.
library-io
P2
A bug or feature request we're likely to work on
type-bug
Incorrect behavior (everything from a crash to more subtle misbehavior)
Comments
|
This is expected. Native code needs to validate arguments. It should be fairly simple to implement a secure class for storing native pointers in the heap. |
|
Removed Area-Library label. |
|
It is simple enough to store the native pointer in a native field of a Dart object (by extending NativeFieldWrapperClass1). This will easily work for the direct/sync calls. However for async file operations this pointer is send through a native port to the handler thread. So we need to fix the serialization of this as well. |
|
Removed Area-IO label. |
|
Removed this from the Later milestone. |
|
Removed Oldschool-Milestone-Later label. |
DartBot
added
Type-Defect
library-io
area-core-library
kevmoo
added
P2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue was originally filed by podivilov@google.com
The code below sets arbitrary pointer as _RandomAccessFile._id, which is then reinterpret casted as File* in File_Close.
import 'dart:io';
import 'dart:mirrors';
main() {
var file = new File('test.dart').openSync();
findSymbol(list, name) => list.firstWhere(
(symbol) => symbol.toString() == 'Symbol("$name")');
var ms = currentMirrorSystem();
var library = ms.libraries[Uri.parse('dart:io')];
var clazz = findSymbol(library.classes.keys, '_RandomAccessFile');
var member = findSymbol(library.classes[clazz].members.keys, '_id');
reflect(file).setField(member, 0xdeadbeef);
file.close();
}
The text was updated successfully, but these errors were encountered: