Closed Bug 1039516 Opened 5 years ago Closed 5 years ago

SymbolRegistry is missing a read barrier

Categories

(Core :: JavaScript: GC, defect)

Not set

Tracking


VERIFIED FIXED
mozilla33
Tracking Status
firefox32 --- unaffected
firefox33 --- verified
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected

People

(Reporter: jonco, Assigned: jonco)

Details

(Keywords: csectype-uaf, sec-high)

Attachments

(1 file)

This can result in use-after-free if we get an unmarked symbol from the registry during incremental GC.
Attachment #8456878 - Flags: review?(terrence)
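The failure mode the report describes, as an added illustration that is not SpiderMonkey code and not the attached patch: a toy incremental mark-sweep heap whose symbol registry is a weak table. Names (`Heap`, `intern`, `markRoots`, `sweep`, `symbolSurvivesGc`) are constructed for the example; the point is the single barrier line in `intern`.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>
struct Symbol { std::string name; bool marked = false; };
// Toy heap (constructed for this example, not SpiderMonkey code): owns the
// symbols, keeps a weak name->symbol registry, and collects in two slices.
struct Heap {
    std::vector<std::unique_ptr<Symbol>> symbols;
    std::unordered_map<std::string, Symbol*> registry;  // weak: not a root
    std::vector<Symbol*> roots;                         // strong references
    bool markingInProgress = false;
    bool useReadBarrier;
    explicit Heap(bool barrier) : useReadBarrier(barrier) {}
    Symbol* intern(const std::string& n) {
        auto it = registry.find(n);
        if (it != registry.end()) {
            // Read barrier: a symbol handed out mid-mark is marked on the spot,
            // otherwise the collector never learns the mutator now holds it.
            if (useReadBarrier && markingInProgress) it->second->marked = true;
            return it->second;
        }
        symbols.push_back(std::make_unique<Symbol>(Symbol{n, false}));
        return registry[n] = symbols.back().get();
    }
    // Slice 1: mark everything reachable from the roots, then yield to the mutator.
    void markRoots() { markingInProgress = true; for (Symbol* r : roots) r->marked = true; }
    // Slice 2: drop unmarked entries from the registry and free those symbols.
    void sweep() {
        markingInProgress = false;
        for (auto it = registry.begin(); it != registry.end();)
            if (it->second->marked) ++it; else it = registry.erase(it);
        symbols.erase(std::remove_if(symbols.begin(), symbols.end(),
                          [](const std::unique_ptr<Symbol>& s) { return !s->marked; }),
                      symbols.end());
    }
};
// "sym" is registered but unrooted when marking starts; the mutator fetches and
// roots it between the slices. Returns whether it is still alive after the sweep.
bool symbolSurvivesGc(bool withBarrier) {
    Heap heap(withBarrier);
    heap.intern("sym");
    heap.markRoots();
    heap.roots.push_back(heap.intern("sym"));  // dangles after sweep without the barrier
    heap.sweep();
    return heap.registry.count("sym") == 1;
}
```

Without the barrier the sweep frees a symbol the mutator just stored into a root, which is the use-after-free the bug reports; with it, the lookup marks the symbol and it survives.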
Comment on attachment 8456878 [details] [diff] [review]
symbol-read-barrier

Review of attachment 8456878 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch!
Attachment #8456878 - Flags: review?(terrence) → review+
Group: core-security
Please file use-after-frees as security bugs, even if they only affect trunk.
https://hg.mozilla.org/mozilla-central/rev/cd712c340dd7
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Group: core-security
Confirmed assert in Fx33, 2014-07-14.
Verified fixed in Fx33, release candidate.
Status: RESOLVED → VERIFIED
Flags: qe-verify+