Bug 1021312: Zone Mismatch in CloneNonReflectors
Status: RESOLVED FIXED (Closed)
Opened 10 years ago, closed 10 years ago
Categories: Core :: XPConnect, defect
Target Milestone: mozilla32
People: Reporter: bholley, Assigned: bholley
Details: Keywords: sec-moderate, Whiteboard: [adv-main31+][qa-]
Attachments (3 files):
- 954 bytes, patch | mccr8: review+ | Sylvestre: approval-mozilla-aurora+
- 1.43 KB, patch | mccr8: review+
- 1.57 KB, patch | mccr8: review+
Description:
CloneNonReflectors currently assumes that it only needs to worry about compartments in the v.isObject() case. However, we can still get mismatches with cross-zone strings. The solution is to wrap the string, which causes non-interned strings to be copied into the target zone. The mismatch is mitigated to sec-moderate because this can only be triggered by a privileged API that doesn't currently have any in-tree consumers.
Comment 1 • 10 years ago (Assignee)
Attachment #8435350 - Flags: review?(continuation)
Comment 2 • 10 years ago (Assignee)
Attachment #8435351 - Flags: review?(continuation)
Comment 3 • 10 years ago (Assignee)
Attachment #8435352 - Flags: review?(continuation)
Updated • 10 years ago
Attachment #8435351 - Flags: review?(continuation) → review+
Updated • 10 years ago
Attachment #8435352 - Flags: review?(continuation) → review+
Updated • 10 years ago
Attachment #8435350 - Flags: review?(continuation) → review+
Comment 4 • 10 years ago (Assignee)
https://tbpl.mozilla.org/?tree=Try&rev=0872c62a17e2
Comment 5 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=8501686e4923
Comment 6 • 10 years ago (Assignee)
Comment on attachment 8435350: Part 1 - Wrap strings in CloneNonReflectors. v1
[Approval Request Comment]
Bug caused by (feature/regressing bug #): the introduction of exportFunction - longstanding
User impact if declined: potential memory hazard
Testing completed (on m-c, etc.): just pushed to m-i
Risk to taking this patch (and alternatives if risky): Extremely low risk.
String or IDL/UUID changes made by this patch: None
Attachment #8435350 - Flags: approval-mozilla-aurora?
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/1ab8174e097f
https://hg.mozilla.org/mozilla-central/rev/08045ba9192f
https://hg.mozilla.org/mozilla-central/rev/340e016163ed
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox32: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated • 10 years ago
status-firefox31: --- → affected
Updated • 10 years ago
Attachment #8435350 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8 • 10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/9bcea7802320
https://hg.mozilla.org/releases/mozilla-aurora/rev/2b3f51c3c5a7
https://hg.mozilla.org/releases/mozilla-aurora/rev/999c34fa59a2
Should we consider taking this on b2g30 for v1.4 as well?
status-b2g-v1.2: --- → wontfix
status-b2g-v1.3: --- → wontfix
status-b2g-v1.3T: --- → wontfix
status-b2g-v1.4: --- → affected
status-b2g-v2.0: --- → fixed
status-firefox30: --- → wontfix
status-firefox-esr24: --- → unaffected
Flags: needinfo?(bobbyholley)
Flags: in-testsuite+
Comment 9 • 10 years ago (Assignee)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #8)
> Should we consider taking this on b2g30 for v1.4 as well?
Naw. Bug 1021244 is the first in-tree usage of this outside of testing, so the uplift is primarily concerned with addons (which aren't a problem for b2g).
Flags: needinfo?(bobbyholley)
Comment 10 • 10 years ago
Backed out from Aurora for failures in the new test.
https://hg.mozilla.org/releases/mozilla-aurora/rev/95deb57e283b
https://tbpl.mozilla.org/php/getParsedLog.php?id=41223994&tree=Mozilla-Aurora
Comment 11 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/965578443062
Comment 12 • 10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/a5967705754e
https://hg.mozilla.org/releases/mozilla-aurora/rev/68ee1d33fc83
https://hg.mozilla.org/releases/mozilla-aurora/rev/b982a8afab52
Backed out along with bug 1020460 in https://hg.mozilla.org/integration/mozilla-inbound/rev/6502442e6133
Relanded in https://hg.mozilla.org/integration/mozilla-inbound/rev/c0f0a8689dab since it wasn't part of the bustage.
Updated • 10 years ago
Whiteboard: [adv-main31+]
Comment 15 • 10 years ago
Marking [qa-] in the absence of test media or STR, please feel free to provide if you'd like help testing.
Whiteboard: [adv-main31+] → [adv-main31+][qa-]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release