I wonder how we should treat this, in terms of security sensitivity.

- This is *not* a present danger. One cannot cause IsAboutToBeFinalized to be applied to an inter-alloc-kind, inter-zone edge without using the Debugger API.

- But there's nothing stopping people from introducing such calls in content-accessible code, which would be a genuine security problem. There's no assertion in IsAboutToBeFinalized that would fire. So even if this bug doesn't provide information on how to exploit Firefox immediately, it does give people something to look out for, something that we won't catch if we introduce it.

I think we should make IsAboutToBeFinalized safer to use, either by making it give accurate answers, or asserting if it can't.
Bug 1584195 Comment 16 Edit History
I wonder how we should treat this, in terms of security sensitivity.

- This is *not* a present danger. One cannot cause IsAboutToBeFinalized to be applied to an inter-alloc-kind, inter-zone edge without using the Debugger API.

- But there's nothing stopping people from introducing such calls in content-accessible code, which would be a genuine security problem. There's no assertion in IsAboutToBeFinalized that would fire. So even if this bug doesn't provide information on how to exploit Firefox immediately, it does give people something to look out for, something that we won't catch if we introduce it.

If it's possible, we should make IsAboutToBeFinalized safer to use, either by making it give accurate answers, or asserting if it can't. But since IsAboutToBeFinalized has no idea where the edge it's being asked about originated, it's not clear how it could assert.