Bug 765034 - GC hazard during global object creation
Status: Closed, RESOLVED FIXED
Opened 12 years ago
Closed 12 years ago
Categories: Core :: DOM: Core & HTML, defect
Target Milestone: mozilla16
Tracking
Branch | Tracking | Status |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | --- | fixed |
firefox15 | --- | fixed |
firefox16 | --- | fixed |
firefox-esr10 | --- | unaffected |
People: Reporter: billm, Assigned: billm
Details: Keywords: regression, sec-high; Whiteboard: [advisory-tracking-][qa-]
Attachments (1 file)
patch, 1.64 KB: bzbarsky: review+; lsblakk: approval-mozilla-aurora+; lsblakk: approval-mozilla-beta+
If we GC right after we create a JSCLASS_DOM_GLOBAL global object, the DOM_PROTOTYPE_SLOT hasn't been set yet. The GC will call TraceProtoOrIfaceCache and crash because it doesn't check if it's okay to call GetProtoOrIfaceArray. This is unlikely to cause a problem in practice, but it's stopping me from running a browser with GC zeal set.
Attachment #633279 - Flags: review?(bzbarsky)
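A minimal C++ model of the ordering the report describes, added here as an illustration and not Mozilla's code: the struct, slot and accessor names are hypothetical stand-ins for JSCLASS_DOM_GLOBAL, DOM_PROTOTYPE_SLOT, GetProtoOrIfaceArray and TraceProtoOrIfaceCache, and the guarded hook shows the shape of check a trace function needs when it can run before the object it traces is fully initialised.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

struct Object;
struct Tracer { std::vector<const Object*> marked; };  // models the GC's mark phase

struct Object {
  bool isDomGlobal = false;                                // models JSCLASS_DOM_GLOBAL
  const std::vector<Object*>* protoOrIfaceArray = nullptr; // models DOM_PROTOTYPE_SLOT: unset until init finishes
};

// Hypothetical stand-ins for the accessors named in the report (not Mozilla's signatures).
inline bool HasProtoOrIfaceArray(const Object& global) { return global.protoOrIfaceArray != nullptr; }
inline const std::vector<Object*>& GetProtoOrIfaceArray(const Object& global) { return *global.protoOrIfaceArray; }

// Buggy trace hook: assumes the slot is already populated and dereferences it unconditionally.
inline void TraceProtoOrIfaceCacheUnchecked(Tracer& trc, const Object& global) {
  for (const Object* o : GetProtoOrIfaceArray(global)) trc.marked.push_back(o);  // null deref if slot unset
}

// Hardened trace hook: a global whose cache has not been allocated yet has nothing to trace.
inline void TraceProtoOrIfaceCache(Tracer& trc, const Object& global) {
  if (!global.isDomGlobal || !HasProtoOrIfaceArray(global)) return;
  for (const Object* o : GetProtoOrIfaceArray(global)) trc.marked.push_back(o);
}

// Reproduces the ordering from the report: global created, GC fires, then slot set.
// Returns {objects marked by the early GC, objects marked by a GC after init}.
std::pair<size_t, size_t> SimulateGlobalCreation() {
  Object proto;
  std::vector<Object*> cache{&proto};              // constructed sample cache with one prototype
  Object global;
  global.isDomGlobal = true;                       // object exists, DOM_PROTOTYPE_SLOT still unset

  Tracer earlyGc;                                  // a GC-zeal collection runs right here
  TraceProtoOrIfaceCache(earlyGc, global);         // the unchecked variant would crash at this point

  global.protoOrIfaceArray = &cache;               // creation finishes, slot populated
  Tracer laterGc;
  TraceProtoOrIfaceCache(laterGc, global);
  TraceProtoOrIfaceCacheUnchecked(laterGc, global); // safe only now that the slot is set
  return {earlyGc.marked.size(), laterGc.marked.size()};
}
```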
Comment 1•12 years ago
Comment on attachment 633279 [details] [diff] [review]
fix

r=me
Attachment #633279 - Flags: review?(bzbarsky) → review+
Comment 2 (Assignee)•12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3f164ec683a5
Target Milestone: --- → mozilla16
Comment 3•12 years ago
https://hg.mozilla.org/mozilla-central/rev/3f164ec683a5
Comment 4•12 years ago
Do we want or need this fix on previous branches?
Comment 5 (Assignee)•12 years ago
Comment on attachment 633279 [details] [diff] [review]
fix

I guess we should probably take this on branches. It's an easy fix and it may be exploitable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 744772
User impact if declined: Possible security hole.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Attachment #633279 - Flags: approval-mozilla-beta?
Attachment #633279 - Flags: approval-mozilla-aurora?
Updated (Assignee)•12 years ago
Whiteboard: [needs-branches]
Comment 6•12 years ago
Comment on attachment 633279 [details] [diff] [review]
fix

Looks small enough and low risk assessment suggests we're good to land this on beta/aurora. Please update status flags once landed and also confirm if we need this on and can land it to the ESR branch as well.
Attachment #633279 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #633279 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
Comment 7 (Assignee)•12 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/5a9b4f19f1b4
https://hg.mozilla.org/releases/mozilla-beta/rev/99bb1f06b597
Comment 8•12 years ago
(In reply to Bill McCloskey (:billm) from comment #7)
> https://hg.mozilla.org/releases/mozilla-aurora/rev/5a9b4f19f1b4
> https://hg.mozilla.org/releases/mozilla-beta/rev/99bb1f06b597

Given status flags in bug 744772, the ESR branch is unaffected.
Updated•12 years ago
Whiteboard: [needs-branches] → [needs-branches][advisory-tracking+]
Updated•12 years ago
Blocks: 744772
status-firefox13: --- → unaffected
Keywords: regression, sec-high
Whiteboard: [needs-branches][advisory-tracking+] → [needs-branches][advisory-tracking-]
Updated•12 years ago
Whiteboard: [needs-branches][advisory-tracking-] → [advisory-tracking-]
Updated•12 years ago
Group: core-security
Updated•12 years ago
Whiteboard: [advisory-tracking-] → [advisory-tracking-][qa-]
Updated•5 years ago
Component: DOM → DOM: Core & HTML