Closed Bug 642022 Opened 13 years ago Closed 13 years ago

"Assertion failure: compartment mismatched" with InstallTrigger.constructor

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla5
Tracking Flags:
Tracking Status
status2.0 --- ?
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical?])

Attachments

(3 files, 1 obsolete file)

testcase (crashes Firefox when loaded)
99 bytes, text/html
Details
stack trace
5.18 KB, text/plain
Details
Real patch
1.78 KB, patch
gal
: review+
dveditz
: approval2.0+
Details | Diff | Splinter Review 
Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:545
Attached file stack trace 

    
    

    
  
Reproduced with mozilla-central rev 4866be78732f and tracemonkey rev 67b102d581dd.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch (obsolete)
        — Splinter Review
      

    


  
Assignee: general → mrbkap
Status: NEW → ASSIGNED

        Attachment #519564 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 519564 [details] [diff] [review]
Patch

oops, wrong bug.

        Attachment #519564 -
        Attachment is obsolete: true

        Attachment #519564 -
        Flags: review?(jst)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Real patchSplinter Review
      

    


  
This was the easiest fix.

        Attachment #519573 -
        Flags: review?(gal)

    
  

        Attachment #519573 -
        Flags: review?(gal) → review+

    
    

    
  
Is this a compartment-leaking security bug (sg:high or worse), or just an oops? I don't crash in an opt build, is "testcase (crashes Firefox when loaded)" simply a fatal assert in a debug build?

    
    

    
  
I think this can cause problems during GC with compartment GCs. Based on that alone I would say sg:something.

    
    

    
  
From talking to billm on IRC, operating on JS objects in the wrong compartment can cause us to collect reachable objects during GC. That's sg:critical. So, we should probably consider this as [sg:critical?]. Looking at the code, I'm not convinced that this case in particular is actually exploitable at all (and the result of the code that causes the assertion is thrown away anyway) but it's better to be safe than sorry.
Whiteboard: [sg:critical?]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/bed34ea0027c
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Per security group discussion, requesting landing on mozilla-2.0.

          status2.0:
          --- → ?

        Attachment #519573 -
        Flags: approval2.0?

    
    

    
  
Comment on attachment 519573 [details] [diff] [review]
Real patch

Approved for the mozilla2.0 repository, a=dveditz for release-drivers

        Attachment #519573 -
        Flags: approval2.0? → approval2.0+
Group: core-security

          status1.9.2:
          --- → unaffected
Target Milestone: --- → mozilla5

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: