Closed Bug 867531 Opened 11 years ago Closed 10 years ago

Consider poisoning DOM stuff

Categories

(Core :: DOM: Core & HTML, enhancement)

enhancement
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Details

(Keywords: sec-want)

Attachments

(3 files)

No description provided.
Attached file stack, bug 865076
I did an experiment with the attached patches (on top of the patches in bug 867530) to see if it could help mitigate exploitable crashes in content code. I used bug 865076 as an example. Using an Opt build on Linux64 it seems like it would make it non-exploitable.

There are of course limitations to how useful this is in content code where the memory is quickly allocated for other purposes (unlike pres-arena objects) but it might help a bit. It could be made more useful with a special purpose allocator for content I guess.
Unless this is much simpler than bug 860254, I'd really prefer that we work on that one instead.
Keywords: sec-want
Mats, shall we close this in lieu of (fixed) bug 860254 or is there something more we can do here?
Flags: needinfo?(matspal)
If nsINode-derived classes are still allocated from the general heap, then yes, bug 860254
should take care of it, except for the issue that Jesse raises in bug 860254 comment 34.
(assuming we use jemalloc on all platforms we care about)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(matspal)
Resolution: --- → WORKSFORME
Yes, nodes are allocated from the general heap, and we use jemalloc on all Tier 1 platforms.
Group: core-security → core-security-release
Group: core-security-release