Closed
Bug 783867
(CVE-2012-3989)
Opened 12 years ago
Closed 12 years ago
ASSERTION: This only works on nsISupports classes! and segfault
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: Ms2ger, Assigned: bzbarsky)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-wildptr, regression, sec-critical, Whiteboard: [advisory-tracking+])
Attachments
(1 file)
|
1.49 KB,
patch
|
peterv
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Running
new Worker("http://base.com") instanceof Components.interfaces.nsIArray
in a mochitest will hit
NS_ASSERTION(mozilla::dom::DOMJSClass::FromJSClass(
js::GetObjectJSClass(obj))->mDOMObjectIsISupports,
"This only works on nsISupports classes!");
at <http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSID.cpp#484>. We then unwrap the object to nsISupports and try to call QueryInterface on it, and segfault in nsWrapperCache::WrapObject.
|
||
Comment 1•12 years ago
|
||
How dangerous is this?
|
Assignee | |
Comment 2•12 years ago
|
||
This is reasonably bad. It's also a regression from the original landing in bug 740069. Probably too late to fix this on 15 now, but we should fix elsewhere. Also, not check in a test for this until after we ship the fix. :(
Assignee: nobody → bzbarsky
Blocks: 740069
tracking-firefox16:
--- → ?
tracking-firefox17:
--- → ?
Whiteboard: [need review]
|
|
Assignee | |
Comment 3•12 years ago
|
||
Attachment #654288 -
Flags: review?(peterv)
|
||
Updated•12 years ago
|
Attachment #654288 -
Flags: review?(peterv) → review+
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → wontfix
status-firefox15:
--- → wontfix
status-firefox16:
--- → affected
status-firefox17:
--- → affected
|
|
Assignee | |
Comment 4•12 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/2f60f3a4bdd7 No test landed yet; we should do that once we reopen it.
|
|
Assignee | |
Updated•12 years ago
|
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla17
|
|
Assignee | |
Comment 5•12 years ago
|
||
Comment on attachment 654288 [details] [diff] [review] Don't blindly assume IsDOMClass objects are nsISupports. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 740069 User impact if declined: Possibly-exploitable crash Testing completed (on m-c, etc.): Tested on testcase in this bug Risk to taking this patch (and alternatives if risky): Very safe: just makes us return false in cases where it should be returned, instead of crashing exploitably. String or UUID changes made by this patch:
Attachment #654288 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
|
||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/236d384dc4f9
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Comment 7•12 years ago
|
||
Apologies, had two security bugs open to mark, and pasted other s-g bug's cset in this one. The correct changeset is: https://hg.mozilla.org/mozilla-central/rev/2f60f3a4bdd7
|
|
||
Updated•12 years ago
|
Attachment #654288 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 8•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/5a76e53d11fc
|
||
Comment 9•12 years ago
|
||
Can someone suggest a sec rating for this issue?
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Whiteboard: [advisory-tracking+]
|
|
||
Updated•12 years ago
|
Alias: CVE-2012-3989
|
|
||
Updated•11 years ago
|
Group: core-security
Flags: sec-bounty+
You need to log in
before you can comment on or make changes to this bug.
Description
•