Zone groups can include zones that are not being collected

RESOLVED FIXED in Firefox 32, Firefox OS v2.0

Status

Core
JavaScript: GC
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: billm, Assigned: billm)

Tracking

({regression, sec-high})

unspecified
mozilla32
x86_64
Linux
regression, sec-high
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox30 unaffected, firefox31 unaffected, firefox32 fixed, firefox-esr24 unaffected, b2g-v1.2 unaffected, b2g-v1.3 unaffected, b2g-v1.3T unaffected, b2g-v1.4 unaffected, b2g-v2.0 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

3 years ago
I was doing some testing of zone GCs today to try to track down the cause of the assertion failures in bug 1016738 and I found this problem. This means that, whenever we use GCZoneGroupIter or GCCompartmentGroupIter, we're potentially iterating over zones/compartments that aren't being collected. I'm not sure what the consequences of this are. We rarely do zone GCs, so it's not likely to happen too much. But zone GCs can be triggered by allocating a lot, so it's a potential security issue. Looks like a regression from bug 982561.
(Assignee)

Comment 1

3 years ago
Created attachment 8432156 [details] [diff] [review]
zone-fix
Attachment #8432156 - Flags: review?(jcoppeard)
status-firefox31: --- → unaffected
status-firefox32: --- → affected
Comment on attachment 8432156 [details] [diff] [review]
zone-fix

Review of attachment 8432156 [details] [diff] [review]:
-----------------------------------------------------------------

Ah yes, I missed that possibility.  Thanks for the fix.
Attachment #8432156 - Flags: review?(jcoppeard) → review+
Keywords: sec-high
(Assignee)

Comment 3

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb3e958fc249
(Assignee)

Updated

3 years ago
Blocks: 1016738
https://hg.mozilla.org/mozilla-central/rev/cb3e958fc249
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-b2g-v1.3T: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → fixed
status-firefox30: --- → unaffected
status-firefox32: affected → fixed
status-firefox-esr24: --- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Duplicate of this bug: 1018637
Looks like we found this from an audit. If a test case or steps to reproduce surface, we'd be happy to verify the fix, but for now, marking qe-verify-. Thank you.
QA Whiteboard: qe-verify-
Flags: qe-verify-
Group: core-security
Keywords: regression