Closed Bug 326931 Opened 19 years ago Closed 18 years ago

Content should not be able to call SetBoxObjectFor

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: neil)

Details

(Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:critical])

Attachments

(2 files, 2 obsolete files)

Updated for review comments
1.64 KB, patch
neil
: approval-aviary1.0.9?
neil
: approval1.7.14?
bzbarsky
: approval-branch-1.8.1+
darin.moz
: approval1.8.0.4+
Details | Diff | Splinter Review
"Scary" trunk patch
8.90 KB, patch
jst
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
We have all sorts of code that assumes that it can rely on the box object in the table to be correct... Unfortunately, content can set this value to an object of its choice.  Not good.  :(
Oh, to be precise what this means is that it should be easy to get into situations where we're calling virtual methods on deleted frames.

So I think to fix this we should move the method to nsIDocument (from nsIDOMNSDocument), since the only callers are nsGenericElement and nsXULElement.

The problem is that I really don't have time to write (and test!) the 3+ versions of the patch this will require (for 1.7, 1.8, trunk, with new interfaces added on 1.7/1.8 because we don't want to change nsIDocument) any time in the next few days.

Anyone else willing to help?  :(
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Can we get a security group reading on the security exposure of this?

We're well past code freeze deadline for 1.0.8/1.7.13.  I am minusing for these releases and nominating it for the next 1.0.x/1.7.x release.
Flags: blocking1.7.14?
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
> Can we get a security group reading on the security exposure of this?

As I said in comment 1, "get into situations where we're calling virtual methods on deleted frames".  That means arbitrary code execution (probabilistically) if the attacker can prefill memory with a known byte pattern.

If we're close to shipping 1.7.x we shouldn't hold for this, I guess...
Comment 3 helps understand what the attack can be.  I am still not sure how easy it is to exploit.  How easy is it for an attacker to pre-fill memory and then to call that memory?  Is this vulnerability low, medium, or high risk of exploit?
> How easy is it for an attacker to pre-fill memory

Trivial -- create a large array in JavaScript.  We'll put it in memory somewhere.

> and then to call that memory?

This is a little more difficult to answer, especially since we arena-allocate frames.  David, do you know whether we ever shrink the frame arena during the lifetime of a page?  Basically, if we deallocate the frame's memory while it's still in the tree, we can put the JS array described above on top of it, and then we're screwed.  If we don't shrink the arena, we might be ok.

> Is this vulnerability low, medium, or high risk of exploit?

I guess I'd rate it as medium for now pending figuring out exactly what the arena behavior is, I guess.
Would love a fix in 1.8.0.2, ask for approval if a patch gets created. Until then this isn't looking like it could make it.
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-
Whiteboard: [sg:critical
Whiteboard: [sg:critical → [sg:critical]
For the branches, could we just disallow a non-null boxObject?
That would only require some code rearrangement in nsDocument.
That might work, yeah....
Attached patch Branch-safe patch (obsolete) — Splinter Review 

        Attachment #214092 -
        Flags: superreview?(bzbarsky)

        Attachment #214092 -
        Flags: review?(bzbarsky)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        -w version of above (obsolete)
        — Splinter Review
      

    


  

    
    

    
  
Comment on attachment 214092 [details] [diff] [review]
Branch-safe patch

>Index: nsDocument.cpp
>+  if (!mBoxObjectTable) {
>+    mBoxObjectTable = new nsSupportsHashtable(12);

I know this code didn't use to handle OOM.... but why don't we fix it to deal while we're here?

r+sr=bzbarsky with that; on trunk I'd still like to move the method to nsIDocument (and perhaps rename to "ClearBoxObjectFor"?).

        Attachment #214092 -
        Flags: superreview?(bzbarsky)

        Attachment #214092 -
        Flags: superreview+

        Attachment #214092 -
        Flags: review?(bzbarsky)

        Attachment #214092 -
        Flags: review+

    
    

    
  


  

        Attachment #214092 -
        Attachment is obsolete: true

        Attachment #214093 -
        Attachment is obsolete: true

        Attachment #214101 -
        Flags: approval-branch-1.8.1?(bzbarsky)

    
  

        Attachment #214101 -
        Flags: approval-branch-1.8.1?(bzbarsky) → approval-branch-1.8.1+

    
    

    
  
Fix checked in to the branch for 1.8.1
Keywords: fixed1.8.1

    
    

    
  
Comment on attachment 214101 [details] [diff] [review]
Updated for review comments

Stop people messing around with our table of box objects potentially causing arbitrary code execution.

        Attachment #214101 -
        Flags: approval1.8.0.3?

        Attachment #214101 -
        Flags: approval1.7.14?

        Attachment #214101 -
        Flags: approval-aviary1.0.9?
Flags: blocking1.9a1?
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+
Flags: blocking1.7.14?
Flags: blocking1.7.14+
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.9+

    
    

    
  
Comment on attachment 214101 [details] [diff] [review]
Updated for review comments

 NS_IMETHODIMP
 nsDocument::SetBoxObjectFor(nsIDOMElement* aElement, nsIBoxObject* aBoxObject)
 {
+  if (aBoxObject) {
+    return NS_ERROR_INVALID_ARG;
+  }

So, a non-null aBoxObject is an error?

    
    

    
  
That's correct.  We don't want content to override the box object that _should_ be there, but clearing one is ok (since on next get we'll just create a correct one).  The point is, we need to return the right _types_ of box objects in all cases from GetBoxObjectFor.

    
    

    
  
Comment on attachment 214101 [details] [diff] [review]
Updated for review comments

a=darin on behalf of drivers for MOZILLA_1_8_0_BRANCH.  We'd like to see a trunk patch as well before 1.8.0.3 is released.

        Attachment #214101 -
        Flags: approval1.8.0.3? → approval1.8.0.3+

    
  
Assignee: general → neil

    
    

    
  
(In reply to comment #17)
>We'd like to see a trunk patch as well before 1.8.0.3 is released.
That'll be a bit tricky; obviously the patch has baked on the 1.8.0 branch for six weeks but this function no longer exists on the trunk.

    
    

    
  
OK, that works too.  Please forgive my ignorance :)

    
    

    
  
Er... SetBoxObjectFor seems to exist on the trunk....  Were we going to remove it in some other bug or something?

    
    

    
  
My bad, I was sure we were going to replace it with ClearBoxObjectFor.

darin, this means that the patch has in fact baked on the trunk too :-)

    
    

    
  
> My bad, I was sure we were going to replace it with ClearBoxObjectFor.

Well, we still should.  I don't think this patch got checked in to trunk...  Certainly not according to lxr.

    
    

    
  
Fix checked in to the branch for 1.8.0.3
Keywords: fixed1.8.0.3

    
    

    
  


  
Because it also includes the nsSupportsHashtable to nsInterfaceHashtable update.

        Attachment #219278 -
        Flags: superreview?(bzbarsky)

        Attachment #219278 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 219278 [details] [diff] [review]
"Scary" trunk patch

Excellent

        Attachment #219278 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  
Comment on attachment 219278 [details] [diff] [review]
"Scary" trunk patch

r=jst

        Attachment #219278 -
        Flags: review?(jst) → review+

    
    

    
  
Trunk fix checked in.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
v.fixed based on comments and code inspection.
Keywords: fixed1.8.0.4verified1.8.0.4

    
    

    
  
could this have caused trunk regression described in https://bugzilla.mozilla.org/show_bug.cgi?id=338630
Group: security
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: