Closed
Bug 1072174
Opened 11 years ago
Closed 11 years ago
XrayToString assumes that there are only two XrayTrait types
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: bholley, Assigned: bholley)
References
Details
(Keywords: sec-high, Whiteboard: [adv-main33+][adv-esr31.2+])
Attachments
(2 files)
|
2.34 KB,
patch
|
peterv
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
approval-mozilla-esr31+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
1.31 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
I noticed this while reviewing peterv's patches in bug 787070. The XrayToString method currently checks that we have an XrayWrapper, handles DOMXrays, and then assumes that we have an XPCWrappedNativeXray. If this were done with a JSXray, we'd end up casting arbitrary bits of the JSObject layout to an XPCWrappedNative* and dereferencing it. :-(
This is mitigated somewhat by the fact that Xrays generally aren't exposed to the web. But they are exposed to sandboxes, and we run enough untrusted code in sandboxes that I think this is sec-high.
|
Assignee | |
Comment 1•11 years ago
|
||
Peter, can you make sure I didn't miss any other cases?
Attachment #8494376 -
Flags: review?(peterv)
|
|
Assignee | |
Comment 2•11 years ago
|
||
Attachment #8494377 -
Flags: review?(peterv)
|
|
Assignee | |
Comment 3•11 years ago
|
||
This is a regression from bug 975042, which first introduced the third Xray trait.
Blocks: 975042
status-firefox32:
--- → affected
status-firefox33:
--- → affected
status-firefox34:
--- → affected
status-firefox35:
--- → affected
status-firefox-esr31:
--- → affected
|
|
Assignee | |
Comment 4•11 years ago
|
||
(we now have 4)
|
|
Assignee | |
Comment 5•11 years ago
|
||
Comment on attachment 8494376 [details] [diff] [review]
Handle all the cases XrayWrapper.cpp. v1
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Medium. Triggering the memory hazard is straightforward, though I used a fair amount of specialized knowledge to construct the testcase. It also requires access to a sandbox.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
All.
If not all supported branches, which bug introduced the flaw?
Bug 975042.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Straightforward.
How likely is this patch to cause regressions; how much testing does it need?
Low risk.
Attachment #8494376 -
Flags: sec-approval?
|
|
Assignee | |
Updated•11 years ago
|
Flags: in-testsuite?
|
||
Comment 6•11 years ago
|
||
Comment on attachment 8494376 [details] [diff] [review]
Handle all the cases XrayWrapper.cpp. v1
sec-approval+ for trunk. Can we get Aurora, Beta, and ESR31 patches made and nominated too?
Attachment #8494376 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•11 years ago
|
tracking-firefox33:
--- → +
tracking-firefox34:
--- → +
tracking-firefox35:
--- → +
tracking-firefox-esr31:
--- → 33+
|
||
Updated•11 years ago
|
Attachment #8494376 -
Flags: review?(peterv) → review+
|
|
||
Updated•11 years ago
|
Attachment #8494377 -
Flags: review?(peterv) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
Comment on attachment 8494376 [details] [diff] [review]
Handle all the cases XrayWrapper.cpp. v1
Approval Request Comment
[Feature/regressing bug #]: bug 975042
[User impact if declined]: sec-high
[Describe test coverage new/current, TBPL]: Test in bug, but not checking in.
[Risks and why]: Low risk.
[String/UUID change made/needed]: None
Attachment #8494376 -
Flags: approval-mozilla-esr31?
Attachment #8494376 -
Flags: approval-mozilla-beta?
Attachment #8494376 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•11 years ago
|
Attachment #8494376 -
Flags: approval-mozilla-esr31?
Attachment #8494376 -
Flags: approval-mozilla-esr31+
Attachment #8494376 -
Flags: approval-mozilla-beta?
Attachment #8494376 -
Flags: approval-mozilla-beta+
Attachment #8494376 -
Flags: approval-mozilla-aurora?
Attachment #8494376 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 8•11 years ago
|
||
|
||
Comment 9•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
|
||
Comment 10•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/ea83cf4e9233
https://hg.mozilla.org/releases/mozilla-beta/rev/bb4423c0da47
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/97d964f765af
https://hg.mozilla.org/releases/mozilla-esr31/rev/face4eab3098
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → fixed
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → fixed
status-b2g-v2.2:
--- → fixed
|
|
||
Comment 11•11 years ago
|
||
|
||
Comment 12•11 years ago
|
||
Confirmed assert with attached test in Fx32. Verified fixed in Fx33, built 2014-10-06.
Will verify on other branches shortly.
|
|
||
Updated•11 years ago
|
Whiteboard: [adv-main33+][adv-esr31.2+]
|
|
||
Comment 13•11 years ago
|
||
Verified fixed on Fx34/Fx35/Fx31.2.0esr, 2014-10-07.
Status: RESOLVED → VERIFIED
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Updated•10 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•