Closed Bug 1021312 Opened 6 years ago Closed 6 years ago

Zone Mismatch in CloneNonReflectors

Categories

(Core :: XPConnect, defect)

x86
macOS
defect
Not set

Tracking


RESOLVED FIXED
mozilla32
Tracking Status
firefox30 --- wontfix
firefox31 --- fixed
firefox32 --- fixed
firefox-esr24 --- unaffected
b2g-v1.2 --- wontfix
b2g-v1.3 --- wontfix
b2g-v1.3T --- wontfix
b2g-v1.4 --- wontfix
b2g-v2.0 --- fixed

People

(Reporter: bholley, Assigned: bholley)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main31+][qa-])

Attachments

(3 files)

CloneNonReflectors currently assumes that it only needs to worry about compartments in the v.isObject() case. However, we can still get mismatches with cross-zone strings. The solution is to wrap the string, which causes non-interned strings to be copied into the target zone.

The mismatch is mitigated to sec-moderate because this can only be triggered by a privileged API that doesn't currently have any in-tree consumers.
Attachment #8435350 - Flags: review?(continuation)
Attachment #8435351 - Flags: review?(continuation)
Attachment #8435352 - Flags: review?(continuation)
Attachment #8435351 - Flags: review?(continuation) → review+
Attachment #8435352 - Flags: review?(continuation) → review+
Attachment #8435350 - Flags: review?(continuation) → review+
Blocks: 1021244
Comment on attachment 8435350 [details] [diff] [review]
Part 1 - Wrap strings in CloneNonReflectors. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): the introduction of exportFunction - longstanding
User impact if declined: potential memory hazard
Testing completed (on m-c, etc.): just pushed to m-i
Risk to taking this patch (and alternatives if risky): Extremely low risk.
String or IDL/UUID changes made by this patch: None
Attachment #8435350 - Flags: approval-mozilla-aurora?
Attachment #8435350 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #8)
> Should we consider taking this on b2g30 for v1.4 as well?

Naw. Bug 1021244 is the first in-tree usage of this outside of testing, so the uplift is primarily concerned with addons (which aren't a problem for b2g).
Flags: needinfo?(bobbyholley)
Whiteboard: [adv-main31+]
Marking [qa-] in the absence of test media or STR, please feel free to provide if you'd like help testing.
Whiteboard: [adv-main31+] → [adv-main31+][qa-]
Group: core-security → core-security-release
Group: core-security-release