Closed
Bug 893519
Opened 11 years ago
Closed 11 years ago
Compartment mismatch with asm module in event listener attribute
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | wontfix |
| firefox24 | + | fixed |
| firefox25 | + | fixed |
| firefox26 | + | verified |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: jruderman, Assigned: luke)
References
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [adv-main24+])
Attachments
(5 files)
|
490 bytes,
text/html
|
Details | |
|
23.95 KB,
text/plain
|
Details | |
|
1.54 KB,
patch
|
bbouvier
:
review+
|
Details | Diff | Splinter Review |
|
1.13 KB,
patch
|
luke
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
1.14 KB,
patch
|
luke
:
review+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Updated•11 years ago
|
status-firefox25:
--- → affected
status-firefox26:
--- → affected
|
|
||
Updated•11 years ago
|
Assignee: nobody → continuation
|
|
||
Comment 2•11 years ago
|
||
Luke, could you take a look at this? It seems like some kind of problem with cloning asm.js scripts across compartments.
Olli said that setAttribute lazily compiles whatever its argument is, so maybe that's related. I didn't hit an error when I changed the setAttribute line to:
e.ondrag = function module() { 'use asm'; return {}; };
I'm not very familiar with script cloning, so my poking around with the debugger was not very fruitful.Assignee: continuation → nobody
Flags: needinfo?(luke)
|
Assignee | |
Comment 3•11 years ago
|
||
Ah, event handlers. With bug 900669 there will be an easy way to clone an AsmJS module which will allow CloneScript to just clone the the nested asm.js module. However, a quick fix is to just disable Odin on non-compile-and-go scripts. All normal <script>/eval/Function code is compile-and-go, so this shouldn't affect anyone.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Attachment #789180 -
Flags: review?
Flags: needinfo?(luke)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #789180 -
Flags: review? → review?(bbouvier)
|
||
Updated•11 years ago
|
Attachment #789180 -
Flags: review?(bbouvier) → review+
|
|
Assignee | |
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb2abb7412e6
|
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox23:
--- → wontfix
status-firefox24:
--- → affected
status-firefox-esr17:
--- → unaffected
|
||
Comment 5•11 years ago
|
||
checkin - https://hg.mozilla.org/mozilla-central/rev/bb2abb7412e6 patch and test
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
|
|
||
Updated•11 years ago
|
|
|
Assignee | |
Comment 6•11 years ago
|
||
At the least this is trivial to port to aurora (just need to rename /jit/ to /ion/ in paths). [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 840282 User impact if declined: potential security vulnerability Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): very low
Attachment #789566 -
Flags: review+
Attachment #789566 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 7•11 years ago
|
||
[Approval Request Comment] Bug caused by (feature/regressing bug #): bug 840282 User impact if declined: potential security vulnerability Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): very low
Attachment #789578 -
Flags: review+
Attachment #789578 -
Flags: approval-mozilla-beta?
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Attachment #789566 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•11 years ago
|
Attachment #789578 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/6e0534f87045 https://hg.mozilla.org/releases/mozilla-beta/rev/ecdbdbed2233 Any particular reason the branch patches didn't include the test?
|
||
Updated•11 years ago
|
Whiteboard: [adv-main24+]
|
||
Comment 9•11 years ago
|
||
Confirmed crash on ASan FF24, 2013-06-06. Verified fixed on ASan FF26, 2013-11-20.
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•