Closed
Bug 371694
Opened 17 years ago
Closed 14 years ago
segfault crash accessing wrappedJSObject for an nsISecurityCheckedComponent [@ nsScriptSecurityManager::CheckPropertyAccessImpl(unsigned int, nsAXPCNativeCallContext*, JSContext*, JSObject*, nsISupports*, nsIURI*, nsIClassInfo*, char const*, int, void**)
Categories
(Core :: Security: CAPS, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: tavin.cole, Assigned: mrbkap)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos] [qa-examined-192])
Attachments
(3 files)
2.89 KB,
application/x-javascript
|
Details | |
412 bytes,
text/html
|
Details | |
1.37 KB,
patch
|
dveditz
:
review+
dveditz
:
approval1.9.2.11-
dveditz
:
approval1.9.2.13+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070115 Firefox/1.5.0.9 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070115 Firefox/1.5.0.9 make an XPCOM component in javascript that sets this.wrappedJSObject = this in the constructor. implement nsISecurityCheckedComponent. get an instance in other javascript. get the wrappedJSObject. watch all firefox windows vanish :) note: i did this from untrusted javascript that got the instance because it was a javascript global property. i don't know if that makes a difference. Reproducible: Always
Updated•17 years ago
|
Component: General → XPConnect
Product: Firefox → Core
QA Contact: general → xpconnect
Version: unspecified → 1.8 Branch
Comment 1•17 years ago
|
||
Can you attach a testcase?
Comment 2•15 years ago
|
||
Is this crash still reproducible in Firefox 3.5? If it isn't, we should resolve it as RESOLVED WORKSFORME.
Comment 3•15 years ago
|
||
I can confirm this bug on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2. What's worse, there is an extension in the wild that indeed sets wrappedJSObject in its ctor (although it never actually tries to access it), which means that users of this extension are vulnerable to a denial-of-service attack. I am not going to disclose the name of the extension as long as this bug is world-readable, but the extension is offered as part of a well-known web application, and helps users interact with said web application.
Comment 4•15 years ago
|
||
A component that sets wrappedJSObject to itself in its constructor. It exposes itself as a global constructor, so content can access it. This is basically a stripped down version of the extension in the wild.
Comment 5•15 years ago
|
||
The HTML page contains a button that instantiates a CrashMe object and then accesses wrappedJSObject on it. Put the component somewhere the browser can find it (e.g. some extension's components directory -- don't forget to force component re-registration after that by removing compreg.dat from your profile and then restarting the browser), and then load the HTML page.
Comment 6•15 years ago
|
||
(In reply to comment #3) > [..] the extension is offered as part of a well-known web > application, and helps users interact with said web application. I should mention that this extension is a JS global constructor (just like the test case I've attached), so the DOS attack can be carried out remotely from any malicious website.
Comment 7•15 years ago
|
||
And this is the crash report: http://crash-stats.mozilla.com/report/index/453cfa00-e000-4acc-a6d0-61d622090819
Assignee | ||
Comment 8•15 years ago
|
||
Confirming based on comment 7. I'll take a look at this.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 9•15 years ago
|
||
Andreas, what is the expected behavior of your testcase? With a fix for the crash, we now throw an exception, not being allowed to access .wrappedJSObject on a JS-implemented component.
Comment 10•15 years ago
|
||
(In reply to comment #9) > Andreas, what is the expected behavior of your testcase? With a fix for the > crash, we now throw an exception, not being allowed to access .wrappedJSObject > on a JS-implemented component. I am unsure whether an exception or a simple |undefined| would be the expected behaviour. You better ask somebody who's a bit more involved with wrappers than me about that. As long as |wrappedJSContent| is inaccessible from content I am happy.
Comment 11•15 years ago
|
||
I think denying access to wrappedJSObject is what I would expect from nsISecurityCheckedComponent.
Assignee | ||
Comment 12•15 years ago
|
||
I've had this lying in my patch queue for months now.
Attachment #416838 -
Flags: review?(dveditz)
Component: XPConnect → Security: CAPS
Keywords: crash
QA Contact: xpconnect → caps
Summary: segfault crash accessing wrappedJSObject for an nsISecurityCheckedComponent → segfault crash accessing wrappedJSObject for an nsISecurityCheckedComponent [@ nsScriptSecurityManager::CheckPropertyAccessImpl(unsigned int, nsAXPCNativeCallContext*, JSContext*, JSObject*, nsISupports*, nsIURI*, nsIClassInfo*, char const*, int, void**)
Comment 13•14 years ago
|
||
Comment on attachment 416838 [details] [diff] [review] Patch r=dveditz
Attachment #416838 -
Flags: review?(dveditz) → review+
Assignee | ||
Comment 14•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6aeadfc80c1d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 16•14 years ago
|
||
This patch is not applied to mozilla-1.9.2 (Branch development on Firefox 3.6 and Gecko 1.9.2). See here: http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/c07c6c1b5071/caps/src/nsScriptSecurityManager.cpp#l793
Comment 17•14 years ago
|
||
Is it possible to fix this bug in /mozilla-1.9.2 branch ?
Attachment #416838 -
Flags: approval1.9.2.10?
Comment 18•14 years ago
|
||
Comment on attachment 416838 [details] [diff] [review] Patch Approved for 1.9.2.10, a=dveditz for release-drivers
Attachment #416838 -
Flags: approval1.9.2.10? → approval1.9.2.10+
Comment 19•14 years ago
|
||
Comment on attachment 416838 [details] [diff] [review] Patch missed the 1.9.2.11 release, try for 1.9.2.12
Attachment #416838 -
Flags: approval1.9.2.12+
Attachment #416838 -
Flags: approval1.9.2.11-
Attachment #416838 -
Flags: approval1.9.2.11+
Keywords: checkin-needed
Comment 20•14 years ago
|
||
tried in 1.9.2.12 - still not fixed :(
Comment 21•14 years ago
|
||
Dmitriy: the bug doesn't claim to be fixed in 1.9.2.12, please don't spam bugs with useless comments. if you need help understanding a bug's state, please try a support channel.
Assignee | ||
Comment 22•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a2ba0dadb910
status1.9.2:
--- → .13-fixed
Keywords: checkin-needed
Version: 1.8 Branch → 1.9.2 Branch
Comment 23•14 years ago
|
||
This should be fixed now in 1.9.2. It can be checked with a nightly 1.9.2 build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.2/.
Whiteboard: [sg:dos] → [sg:dos] [qa-examined-192]
Updated•14 years ago
|
status1.9.1:
--- → wontfix
You need to log in
before you can comment on or make changes to this bug.
Description
•