Bug 1021312: Zone Mismatch in CloneNonReflectors
Status: Closed (RESOLVED FIXED), Target Milestone: mozilla32
Opened 10 years ago, Closed 10 years ago
Categories: Core :: XPConnect, defect
People: Reporter: bholley, Assigned: bholley
Details: Keywords: sec-moderate, Whiteboard: [adv-main31+][qa-]
Attachments (3 files)
954 bytes, patch | mccr8: review+, Sylvestre: approval-mozilla-aurora+
1.43 KB, patch | mccr8: review+
1.57 KB, patch | mccr8: review+
CloneNonReflectors currently assumes that it only needs to worry about compartments in the v.isObject() case. However, we can still get mismatches with cross-zone strings. The solution is to wrap the string, which causes non-interned strings to be copied into the target zone.
The mismatch is mitigated to sec-moderate because this can only be triggered by a privileged API that doesn't currently have any in-tree consumers.
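A simplified model of the mismatch and of the string-wrapping fix described above, added here as an illustration; it is not code from this bug's patches or from SpiderMonkey. The types `Zone`, `Str` and `Value` and the functions `zoneOk`, `cloneBefore`, `wrapString` and `cloneAfter` are hypothetical names, and the sample string is constructed.

```cpp
// Simplified model for illustration only; not SpiderMonkey or XPConnect code.
#include <memory>
#include <string>
#include <vector>

struct Zone;
struct Str {
    std::string chars;
    const Zone* zone;  // zone whose heap owns this string
    bool interned;     // model assumption: interned strings are usable from every zone
};
struct Zone {
    int id;
    std::vector<std::unique_ptr<Str>> heap;
    Str* alloc(const std::string& s, bool interned = false) {
        heap.push_back(std::unique_ptr<Str>(new Str{s, this, interned}));
        return heap.back().get();
    }
};
struct Value {
    enum Kind { Number, String, Object } kind;
    Str* str;  // only meaningful when kind == String
};

// Invariant: a string value handed to `target` lives in target's zone or is interned.
bool zoneOk(const Zone& target, const Value& v) {
    return v.kind != Value::String || v.str->interned || v.str->zone == &target;
}
// Before: only objects are treated as compartment-sensitive (object handling
// is omitted in this model), so a string passes through untouched.
Value cloneBefore(Zone& target, Value v) {
    (void)target;
    return v;
}
// Wrapping: reuse same-zone and interned strings, copy everything else.
Str* wrapString(Zone& target, Str* s) {
    if (s->zone == &target || s->interned) return s;
    return target.alloc(s->chars);
}
// After: strings are wrapped into the target zone first.
Value cloneAfter(Zone& target, Value v) {
    if (v.kind == Value::String) v.str = wrapString(target, v.str);
    return cloneBefore(target, v);
}
int main() {
    Zone src{1, {}}, dst{2, {}};
    Value s{Value::String, src.alloc("constructed sample")};
    bool ok = !zoneOk(dst, cloneBefore(dst, s)) && zoneOk(dst, cloneAfter(dst, s));
    return ok ? 0 : 1;
}
```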
Comment 1 • 10 years ago (Assignee)
Attachment #8435350 - Flags: review?(continuation)
Comment 2 • 10 years ago (Assignee)
Attachment #8435351 - Flags: review?(continuation)
Comment 3 • 10 years ago (Assignee)
Attachment #8435352 - Flags: review?(continuation)
Updated • 10 years ago
Attachment #8435351 - Flags: review?(continuation) → review+
Updated • 10 years ago
Attachment #8435352 - Flags: review?(continuation) → review+
Updated • 10 years ago
Attachment #8435350 - Flags: review?(continuation) → review+
Comment 4 • 10 years ago (Assignee)
Comment 5 • 10 years ago (Assignee)
Comment 6 • 10 years ago (Assignee)
Comment on attachment 8435350
Part 1 - Wrap strings in CloneNonReflectors. v1
[Approval Request Comment]
Bug caused by (feature/regressing bug #): the introduction of exportFunction - longstanding
User impact if declined: potential memory hazard
Testing completed (on m-c, etc.): just pushed to m-i
Risk to taking this patch (and alternatives if risky): Extremely low risk.
String or IDL/UUID changes made by this patch: None
Attachment #8435350 - Flags: approval-mozilla-aurora?
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/1ab8174e097f
https://hg.mozilla.org/mozilla-central/rev/08045ba9192f
https://hg.mozilla.org/mozilla-central/rev/340e016163ed
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox32: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated • 10 years ago
status-firefox31: --- → affected
Updated • 10 years ago
Attachment #8435350 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8 • 10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/9bcea7802320
https://hg.mozilla.org/releases/mozilla-aurora/rev/2b3f51c3c5a7
https://hg.mozilla.org/releases/mozilla-aurora/rev/999c34fa59a2
Should we consider taking this on b2g30 for v1.4 as well?
status-b2g-v1.2: --- → wontfix
status-b2g-v1.3: --- → wontfix
status-b2g-v1.3T: --- → wontfix
status-b2g-v1.4: --- → affected
status-b2g-v2.0: --- → fixed
status-firefox30: --- → wontfix
status-firefox-esr24: --- → unaffected
Flags: needinfo?(bobbyholley)
Flags: in-testsuite+
Comment 9 • 10 years ago (Assignee)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #8)
> Should we consider taking this on b2g30 for v1.4 as well?
Naw. Bug 1021244 is the first in-tree usage of this outside of testing, so the uplift is primarily concerned with addons (which aren't a problem for b2g).
Flags: needinfo?(bobbyholley)
Comment 10 • 10 years ago
Backed out from Aurora for failures in the new test.
https://hg.mozilla.org/releases/mozilla-aurora/rev/95deb57e283b
https://tbpl.mozilla.org/php/getParsedLog.php?id=41223994&tree=Mozilla-Aurora
Comment 11 • 10 years ago (Assignee)
Comment 12 • 10 years ago
Backed out along with bug 1020460 in https://hg.mozilla.org/integration/mozilla-inbound/rev/6502442e6133
Relanded in https://hg.mozilla.org/integration/mozilla-inbound/rev/c0f0a8689dab since it wasn't part of the bustage.
Comment 14 • 10 years ago
Updated • 10 years ago
Whiteboard: [adv-main31+]
Comment 15 • 10 years ago
Marking [qa-] in the absence of test media or STR, please feel free to provide if you'd like help testing.
Whiteboard: [adv-main31+] → [adv-main31+][qa-]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release