Js math taint propagation

js/src/jsmath.cpp

@@ -27,6 +27,7 @@
 #include "js/PropertySpec.h"
 #include "util/DifferentialTesting.h"
 #include "vm/JSContext.h"
+#include "vm/NumberObject.h"
 #include "vm/Realm.h"
 #include "vm/Time.h"
 
@@ -78,6 +79,15 @@ static bool math_function(JSContext* cx, CallArgs& args) {
   // NB: Always stored as a double so the math function can be inlined
   // through MMathFunction.
   double z = F(x);
+
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, z, obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setDouble(z);
   return true;
 }
@@ -97,6 +107,14 @@ bool js::math_abs(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, math_abs_impl(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(math_abs_impl(x));
   return true;
 }
@@ -150,6 +168,24 @@ static bool math_atan2(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   double z = ecmaAtan2(y, x);
+
+  // TaintFox
+  NumberObject *taintedResult = NumberObject::create(cx, 0);
+  bool isTainted = false;
+
+  for (unsigned i = 0; i < args.length(); i++) {
+    if(isTaintedNumber(args[i])){
+      isTainted = true;
+      NumberObject *obj = &args[i].toObject().as<NumberObject>();
+      taintedResult->setTaint(TaintFlow::append(taintedResult->getTaintFlow(), obj->getTaintFlow()));
+    }
+  }
+  if(isTainted){
+    taintedResult->setPrimitiveValue(JS::NumberValue(z));
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setDouble(z);
   return true;
 }
@@ -172,6 +208,14 @@ static bool math_ceil(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, math_ceil_impl(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(math_ceil_impl(x));
   return true;
 }
@@ -189,6 +233,14 @@ static bool math_clz32(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, n == 0? 32: mozilla::CountLeadingZeroes32(n), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   if (n == 0) {
     args.rval().setInt32(32);
     return true;
@@ -245,6 +297,14 @@ bool js::math_floor(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, math_floor_impl(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(math_floor_impl(x));
   return true;
 }
@@ -259,6 +319,27 @@ bool js::math_imul_handle(JSContext* cx, HandleValue lhs, HandleValue rhs,
     return false;
   }
 
+  // TaintFox
+  NumberObject *taintedResult = NumberObject::create(cx, 0);
+  bool isTainted = false;
+
+  if(isTaintedNumber(lhs)){
+    isTainted = true;
+    NumberObject *obj = &lhs.toObject().as<NumberObject>();
+    taintedResult->setTaint(TaintFlow::append(taintedResult->getTaintFlow(), obj->getTaintFlow()));
+  }
+  if(isTaintedNumber(rhs)){
+    isTainted = true;
+    NumberObject *obj = &rhs.toObject().as<NumberObject>();
+    taintedResult->setTaint(TaintFlow::append(taintedResult->getTaintFlow(), obj->getTaintFlow()));
+  }
+
+  if(isTainted){
+    taintedResult->setPrimitiveValue(JS::NumberValue(WrappingMultiply(a, b)));
+    res.setObjectOrNull(taintedResult);
+    return true;
+  }
+
   res.setInt32(WrappingMultiply(a, b));
   return true;
 }
@@ -299,6 +380,19 @@ static bool math_fround(JSContext* cx, unsigned argc, Value* vp) {
     return true;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    double x;
+    if (!ToNumber(cx, args[0], &x)) {
+      return false;
+    }
+
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, RoundFloat32(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   return RoundFloat32(cx, args[0], args.rval());
 }
 
@@ -325,14 +419,37 @@ double js::math_max_impl(double x, double y) {
 bool js::math_max(JSContext* cx, unsigned argc, Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
 
+  NumberObject *taintedResult = NumberObject::create(cx, 0);
+  bool isTainted = false;
+
   double maxval = NegativeInfinity<double>();
   for (unsigned i = 0; i < args.length(); i++) {
     double x;
     if (!ToNumber(cx, args[i], &x)) {
       return false;
     }
+
     maxval = math_max_impl(x, maxval);
+
+    // TaintFox
+    if(isTaintedNumber(args[i]) && maxval == x){
+      isTainted = true;
+      NumberObject *obj = &args[i].toObject().as<NumberObject>();
+      taintedResult->setTaint(obj->getTaintFlow());
+    }
+    else if(maxval == x){
+      //This is done since we only want to propogate the taint if it is the biggest value
+      // if a non tainted value is the biggest, we do not propogate the taint
+      isTainted = false;
+    }
   }
+
+  if(isTainted){
+    taintedResult->setPrimitiveValue(JS::NumberValue(maxval));
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(maxval);
   return true;
 }
@@ -350,14 +467,37 @@ double js::math_min_impl(double x, double y) {
 bool js::math_min(JSContext* cx, unsigned argc, Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
 
+  NumberObject *taintedResult = NumberObject::create(cx, 0);
+  bool isTainted = false;
+
   double minval = PositiveInfinity<double>();
   for (unsigned i = 0; i < args.length(); i++) {
     double x;
     if (!ToNumber(cx, args[i], &x)) {
       return false;
     }
+
     minval = math_min_impl(x, minval);
+
+    // TaintFox
+    if(isTaintedNumber(args[i]) && minval == x){
+      isTainted = true;
+      NumberObject *obj = &args[i].toObject().as<NumberObject>();
+      taintedResult->setTaint(obj->getTaintFlow());
+    }
+    else if(minval == x){
+      //This is done since we only want to propogate the taint if it is the lowest value
+      // if a non tainted value is the lowest, we do not propogate the taint
+      isTainted = false;
+    }
+  }
+
+  if(isTainted){
+    taintedResult->setPrimitiveValue(JS::NumberValue(minval));
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
   }
+
   args.rval().setNumber(minval);
   return true;
 }
@@ -479,6 +619,24 @@ static bool math_pow(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   double z = ecmaPow(x, y);
+
+  // TaintFox
+  NumberObject *taintedResult = NumberObject::create(cx, 0);
+  bool isTainted = false;
+
+  for (unsigned i = 0; i < args.length(); i++) {
+    if(isTaintedNumber(args[i])){
+      isTainted = true;
+      NumberObject *obj = &args[i].toObject().as<NumberObject>();
+      taintedResult->setTaint(TaintFlow::append(taintedResult->getTaintFlow(), obj->getTaintFlow()));
+    }
+  }
+  if(isTainted){
+    taintedResult->setPrimitiveValue(JS::NumberValue(z));
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(z);
   return true;
 }
@@ -589,6 +747,14 @@ static bool math_round(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, math_round_impl(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(math_round_impl(x));
   return true;
 }
@@ -791,6 +957,10 @@ static bool math_hypot(JSContext* cx, unsigned argc, Value* vp) {
 
 bool js::math_hypot_handle(JSContext* cx, HandleValueArray args,
                            MutableHandleValue res) {
+
+    NumberObject *taintedResult = NumberObject::create(cx, 0);
+    bool isTainted = false;
+
   // IonMonkey calls the ecmaHypot function directly if two arguments are
   // given. Do that here as well to get the same results.
   if (args.length() == 2) {
@@ -803,6 +973,21 @@ bool js::math_hypot_handle(JSContext* cx, HandleValueArray args,
     }
 
     double result = ecmaHypot(x, y);
+
+    // TaintFox
+    for (unsigned i = 0; i < args.length(); i++) {
+      if(isTaintedNumber(args[i])){
+        isTainted = true;
+        NumberObject *obj = &args[i].toObject().as<NumberObject>();
+        taintedResult->setTaint(TaintFlow::append(taintedResult->getTaintFlow(), obj->getTaintFlow()));
+      }
+    }
+    if(isTainted){
+      taintedResult->setPrimitiveValue(JS::NumberValue(result));
+      res.setObjectOrNull(taintedResult);
+      return true;
+    }
+
     res.setDouble(result);
     return true;
   }
@@ -825,12 +1010,26 @@ bool js::math_hypot_handle(JSContext* cx, HandleValueArray args,
       continue;
     }
 
+    // TaintFox
+    if(isTaintedNumber(args[i])){
+      isTainted = true;
+      NumberObject *obj = &args[i].toObject().as<NumberObject>();
+      taintedResult->setTaint(TaintFlow::append(taintedResult->getTaintFlow(), obj->getTaintFlow()));
+    }
+
     hypot_step(scale, sumsq, x);
   }
 
   double result = isInfinite ? PositiveInfinity<double>()
                   : isNaN    ? GenericNaN()
                              : scale * std::sqrt(sumsq);
+
+  if(isTainted){
+    taintedResult->setPrimitiveValue(JS::NumberValue(result));
+    res.setObjectOrNull(taintedResult);
+    return true;
+  }
+
   res.setDouble(result);
   return true;
 }
@@ -857,6 +1056,14 @@ bool js::math_trunc(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, math_trunc_impl(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(math_trunc_impl(x));
   return true;
 }
@@ -883,6 +1090,14 @@ static bool math_sign(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  // TaintFox
+  if(isTaintedNumber(args[0])){
+    NumberObject *obj = &args[0].toObject().as<NumberObject>();
+    NumberObject *taintedResult = NumberObject::createTainted(cx, math_sign_impl(x), obj->getTaintFlow());
+    args.rval().setObjectOrNull(taintedResult);
+    return true;
+  }
+
   args.rval().setNumber(math_sign_impl(x));
   return true;
 }