JDK-8030197 : Nashorn: Object.defineProperty() can be lured to change fixed NaN property
  • Type: Bug
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 8u20
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux_ubuntu
  • Submitted: 2013-12-13
  • Updated: 2014-07-29
  • Resolved: 2014-02-25
The Version table provides details related to the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

JDK 8: 8u20 Fixed
JDK 9: 9 b04 Fixed
Description
FULL PRODUCT VERSION :


A DESCRIPTION OF THE PROBLEM :
Object.defineProperty() can be lured to change a non-writable, non-configurable property if the property value is a NaN value. The issue is caused by a non-compliant implementation of [[DefineOwnProperty]] (ES5.1, 8.12.9); see the early return in step 6 of that algorithm.

This is mainly a problem for SES (Secure ECMAScript) and similar approaches. IIRC the problem would be considered a covert channel in the SES model.

Nashorn version: hg tip 18edd7a1b166

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
// Hex dump of the 8 bytes of a double, most significant byte first
// (reduceRight reverses the little-endian byte order of the buffer).
function dec(n) {
  var a = new Uint8Array(new Float64Array([n]).buffer);
  // pad single hex digits (0x0 .. 0xf) with a leading zero
  return Array.apply(null, a).reduceRight(function(acc, v){return acc + (v < 16 ? "0" : "") + v.toString(16)}, "");
}

jjs> o = Object.defineProperty({}, "NaN", {value: NaN})
[object Object]
jjs> dec(o.NaN)
7ff8000000000000
jjs> Object.defineProperty(o, "NaN", {value: 0/0})
[object Object]
jjs> dec(o.NaN)
fff8000000000000

Expected: `o.NaN` still has the same NaN bit pattern, i.e. 7ff8000000000000
Actual: the bit pattern of `o.NaN` changed to fff8000000000000


REPRODUCIBILITY :
This bug can be reproduced always.
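The following is an added example; it is not part of the bug report and not Nashorn's code. It models the value check of ES5.1 8.12.9 step 6 with SameValue (9.12), contrasts it with a naive === comparison that fails step 6 for NaN and falls through to the later steps, and re-runs the report's probe in whatever engine executes the file, printing the double's bit pattern through a DataView so the result does not depend on host byte order (the report's dec() relies on reduceRight over a little-endian buffer). The function names sameValue, defineDataValue, bits, fromBits and probeEngine, and the property records, are this example's own; the bit pattern fff8000000000000 is the one shown in the report.

```javascript
"use strict";

// ES5.1 9.12 SameValue, the comparison that 8.12.9 step 6 requires. Unlike
// ===, NaN is the same value as NaN, and +0 is not the same value as -0.
function sameValue(x, y) {
  if (typeof x === "number" && typeof y === "number") {
    if (x !== x) return y !== y;                    // NaN only matches NaN
    if (x === 0 && y === 0) return 1 / x === 1 / y; // distinguish +0 and -0
  }
  return x === y;
}

// Model of ES5.1 8.12.9 [[DefineOwnProperty]] for an existing data property
// and a descriptor that carries only a value. `compare` stands in for the
// equality an engine uses in step 6. Returns the property record in force
// afterwards; throws TypeError like the Throw=true path of defineProperty.
function defineDataValue(current, desc, compare) {
  // Step 6: every field of desc matches current, so the algorithm returns
  // true here and the stored value is left untouched.
  if (compare(desc.value, current.value)) return current;
  // Step 10.a.ii: a non-configurable, non-writable data property rejects a
  // different value.
  if (!current.configurable && !current.writable) {
    throw new TypeError("cannot redefine non-writable, non-configurable property");
  }
  // Step 12: a writable property takes the new value.
  return Object.assign({}, current, {value: desc.value});
}

// Bit pattern of a double as 16 hex digits, most significant byte first.
// DataView is big-endian by default, so this is independent of host order.
function bits(n) {
  const dv = new DataView(new ArrayBuffer(8));
  dv.setFloat64(0, n);
  return dv.getUint32(0).toString(16).padStart(8, "0") +
         dv.getUint32(4).toString(16).padStart(8, "0");
}

// Build a double from 16 hex digits, e.g. the sign-bit-set NaN in the report.
function fromBits(hex) {
  const dv = new DataView(new ArrayBuffer(8));
  dv.setUint32(0, parseInt(hex.slice(0, 8), 16));
  dv.setUint32(4, parseInt(hex.slice(8, 16), 16));
  return dv.getFloat64(0);
}

// Re-run the report's jjs session in the current engine: define a NaN-valued
// property (writable and configurable default to false), then try to redefine
// it with a NaN of a different bit pattern. A compliant engine neither throws
// nor changes the stored bits.
function probeEngine() {
  const o = Object.defineProperty({}, "NaN", {value: NaN});
  const before = bits(o.NaN);
  let threw = false;
  try {
    Object.defineProperty(o, "NaN", {value: fromBits("fff8000000000000")});
  } catch (e) {
    threw = true;
  }
  const after = bits(o.NaN);
  return {before: before, after: after, threw: threw, compliant: !threw && before === after};
}

// Constructed sample input: a frozen NaN property record, redefined with 0/0
// as in the report.
const frozenNaN = {value: NaN, writable: false, enumerable: false, configurable: false};
console.log(defineDataValue(frozenNaN, {value: 0 / 0}, sameValue) === frozenNaN); // step 6 leaves it alone
try {
  defineDataValue(frozenNaN, {value: 0 / 0}, (a, b) => a === b);
} catch (e) {
  console.log("naive === misses step 6 and falls through: " + e.message);
}
console.log(probeEngine());
```

With SameValue the frozen NaN property is returned unchanged; with === the check fails and the algorithm proceeds, so whatever the rest of the implementation does with the not-equal case decides the outcome (in the report's Nashorn build the value was overwritten; in this model it is rejected). probeEngine() is the same check as the report's session and can be dropped into any engine's test suite.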