Bug 844211 - Only check the XBL bit if XBL scopes are disabled (Closed; opened 11 years ago, closed 11 years ago)

Categories: Core :: XBL, defect (priority: Not set, severity: normal)

Tracking: RESOLVED FIXED, target milestone mozilla22
Tracking Status:
firefox20 --- unaffected
firefox21 + fixed
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People: Reporter: bholley; Assigned: bholley
Details: Keywords: regression, sec-moderate; Whiteboard: [adv-main21-]
Attachments: 2 files

This is one of the causes of bug 842255.

Because the old model of XBL detection uses stack introspection, it's possible to fool it using certain moz_bug_r_a4 tricks. This wasn't really a limiting security factor before XBL scopes, but now we care more because it can cause the XBL scope protections to be circumvented.

Fix should be straightforward. I'll whip it up now.
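The comment above says only that a stack-introspection check for "is XBL code running?" can be fooled, and that the fix is to consult the script's XBL bit only when XBL scopes are disabled. The toy model below is an added example, not Gecko or SpiderMonkey code and not the specific trick from bug 842255 (which this page does not describe). It contrasts a check that walks the stack to the nearest scripted frame with one that uses the compartment the executing function object belongs to, using one well-known shape of confusion: content installs a native (script-less) function as a getter, so when XBL code reads the property no content script frame sits between the XBL frame and the native. The frame model, the `getAnonymousNodes`-style gate, and the compartment names `'xbl'`/`'content'` are assumptions for illustration.

```javascript
// Added example (not Gecko/SpiderMonkey code): two ways for a native API
// to answer "is XBL code running?", and how the fix in this bug's title
// chooses between them. All names and the scenario are assumptions.

const stack = [];  // frames: { kind: 'script'|'native', compartment, xblBit }

function scripted(compartment, xblBit, body) {
  // A function compiled from source in `compartment`; xblBit marks XBL scripts.
  return function (...args) {
    stack.push({ kind: 'script', compartment, xblBit });
    try { return body.apply(this, args); } finally { stack.pop(); }
  };
}

function native(compartment, body) {
  // A built-in: no script frame, but the function object lives in `compartment`.
  return function (...args) {
    stack.push({ kind: 'native', compartment, xblBit: false });
    try { return body.apply(this, args); } finally { stack.pop(); }
  };
}

// Old model: stack introspection. Skip native frames, read the XBL bit of
// the nearest scripted frame.
function stackModel() {
  for (let i = stack.length - 1; i >= 0; i--) {
    if (stack[i].kind === 'script') return stack[i].xblBit;
  }
  return false;
}

// XBL-scope model: the compartment of the function actually executing.
function compartmentModel() {
  return stack.length > 0 && stack[stack.length - 1].compartment === 'xbl';
}

// Shape of the fix named in the bug title: the XBL bit is only consulted
// when XBL scopes are turned off; otherwise the compartment decides.
function isCallerXBL(xblScopesEnabled) {
  return xblScopesEnabled ? compartmentModel() : stackModel();
}

// A gated native API that must only work for XBL code. One copy per
// compartment, as DOM natives are.
function makeGate(compartment, isXBL) {
  return native(compartment, function () {
    return isXBL() ? 'anonymous-content' : null;
  });
}

// Confusion scenario: content installs its copy of the gate as a getter on
// an object it hands to an XBL handler. The XBL handler's innocent read of
// .hint runs the native with no content script frame above the XBL frame.
function run(isXBL) {
  const contentGate = makeGate('content', isXBL);
  const contentObj = {};
  Object.defineProperty(contentObj, 'hint', { get: contentGate });
  const xblHandler = scripted('xbl', true, function (arg) { return arg.hint; });
  const contentCaller = scripted('content', false, function () {
    return xblHandler(contentObj);  // e.g. through a public binding method
  });
  return contentCaller();
}

// Legitimate use: XBL code calls its own gate from its own compartment.
function legit(isXBL) {
  const xblGate = makeGate('xbl', isXBL);
  const xblCode = scripted('xbl', true, function () { return xblGate(); });
  return xblCode();
}

// Plain content call with no XBL frame anywhere on the stack.
function direct(isXBL) {
  const contentGate = makeGate('content', isXBL);
  const contentCode = scripted('content', false, function () { return contentGate(); });
  return contentCode();
}

console.log('stack model, confused   :', run(stackModel));        // leaks
console.log('compartment model       :', run(compartmentModel));  // denies
console.log('fixed check, scopes on  :', run(() => isCallerXBL(true)));
console.log('legitimate XBL use      :', legit(compartmentModel));
```

The point the model makes is that the stack walker attributes the native's execution to whichever scripted frame happens to be beneath it, while the compartment check attributes it to the function object that is running; once XBL scopes exist, continuing to trust the bit on the nearest script reopens exactly the hole the scopes were meant to close.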
Comment on attachment 717232: Only check the XBL bit if XBL scopes are disabled. v1

r=me
Attachment #717232 - Flags: review?(bzbarsky) → review+
Epic fail. :-(
Attachment #720805 - Flags: review?(jorendorff)
Comment on attachment 720805: Make this-object nativeCall special-casing actually do something. v1

Sorry I missed this on review.
Attachment #720805 - Flags: review?(jorendorff) → review+
The b-c failure in that last try push was related to the other patch in the same push. Otherwise, this looks more or less green.

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/06b6880a8241
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/c5a4010013ed
https://hg.mozilla.org/mozilla-central/rev/c5a4010013ed
https://hg.mozilla.org/mozilla-central/rev/06b6880a8241
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment on attachment 717232: Only check the XBL bit if XBL scopes are disabled. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): These patches fix a hole in the security protections implemented by running XBL in a separate compartment (bug 834697), which is now on aurora. See bug 842255 for the details on the security flaw here. 
User impact if declined: The security benefits of XBL scopes can potentially be bypassed.
Testing completed (on m-c, etc.): Just landed on m-c.
Risk to taking this patch (and alternatives if risky): Not risky. No alternatives. 
String or UUID changes made by this patch: None
Attachment #717232 - Flags: approval-mozilla-aurora?
(This approval request applies to both patches).
Attachment #717232 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
bug 842255 affects ESR-17, but I suspect that this fix is not wanted there since the xbl scopes change (bug 834697) didn't land there.
Yes. bug 842255 is just another attack of the bug 816071 variety. The only thing that makes it special is that it can attack XBL scopes, which this patch fixes.

We still have no esr17 solution for the general case without landing XBL scopes there.
How far back does this issue go? I assume we shipped 20 with it?
Flags: needinfo?(bobbyholley+bmo)
(In reply to Al Billings [:abillings] from comment #14)
> How far back does this issue go? I assume we shipped 20 with it?

No. The entire issue is not applicable to releases before bug 834697.
Flags: needinfo?(bobbyholley+bmo)
Whiteboard: [adv-main21-]
Group: core-security