Closed
Bug 1112307
Opened 9 years ago
Closed 9 years ago
WebSockets + e10s + workers use a non thread-safe ChannelEventQueue
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
RESOLVED
FIXED
mozilla37
Flag | Tracking | Status |
---|---|---|
e10s | - | --- |
firefox34 | --- | unaffected |
firefox35 | --- | disabled |
firefox36 | + | fixed |
firefox37 | + | fixed |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.2 | --- | fixed |
People
(Reporter: baku, Assigned: baku)
Details
(Keywords: sec-high)
Attachments
(1 file)
846 bytes, patch
jduell.mcbugs: review+
abillings: approval-mozilla-aurora+
abillings: sec-approval+
We keep a reference to ChannelEventQueue so that the webSocketChannelChild does not get freed during some callback. But this queue is not thread-safe, and we have a crash in e10s when this is used from workers.
Attachment #8537426 -
Flags: review?(jduell.mcbugs)
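The failure mode this report describes, as an added example that is not part of the bug or of Gecko's code: a non-atomic reference count loses an update when two threads touch it at once, so the object is destroyed while an owner still holds it. `Queue`, `SplitOp` and both function names are constructed for illustration, and the bad interleaving is replayed step by step rather than raced on real threads.

```cpp
#include <atomic>

// Constructed stand-in for a refcounted event queue (not Gecko code).
template <typename Counter>
struct Queue {
    Counter refs{2};         // two owners, e.g. the channel and a worker runnable
    bool destroyed = false;  // set where a real Release() would `delete this`
};

// A non-atomic ++/-- is really load, modify, store. Splitting it lets us
// replay one bad schedule deterministically instead of racing real threads.
struct SplitOp {
    long delta;    // +1 for AddRef, -1 for Release
    long seen;     // value this thread read before being preempted
    explicit SplitOp(long d) : delta(d), seen(0) {}
    void load(const Queue<long>& q) { seen = q.refs; }
    void store(Queue<long>& q) {
        q.refs = seen + delta;
        if (q.refs == 0) q.destroyed = true;
    }
};

// Thread A takes a keep-alive reference while thread B drops its own, then
// A drops the keep-alive. One owner remains, so refs should end at 1.
bool plain_queue_freed_early() {
    Queue<long> q;
    SplitOp addref(+1), release(-1), drop(-1);
    addref.load(q);    // A reads 2
    release.load(q);   // B reads 2
    addref.store(q);   // A writes 3
    release.store(q);  // B writes 1: A's increment is lost
    drop.load(q);      // A reads 1
    drop.store(q);     // A writes 0: destroyed while an owner still points at q
    return q.destroyed;
}

// fetch_add/fetch_sub are single indivisible steps, so no schedule can lose
// an update: the same three operations always leave exactly one reference.
bool atomic_queue_freed_early() {
    Queue<std::atomic<long>> q;
    q.refs.fetch_add(1);                               // A: AddRef  -> 3
    if (q.refs.fetch_sub(1) == 1) q.destroyed = true;  // B: Release -> 2
    if (q.refs.fetch_sub(1) == 1) q.destroyed = true;  // A: Release -> 1
    return q.destroyed;
}

int main() {
    return (plain_queue_freed_early() && !atomic_queue_freed_early()) ? 0 : 1;
}
```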
Comment 1•9 years ago
Is this e10s only issue?
Assignee
Comment 2•9 years ago
(In reply to Olli Pettay [:smaug] from comment #1)
> Is this e10s only issue?
Yes it is.
Updated•9 years ago
tracking-e10s:
--- → -
Comment 3•9 years ago
I'm not sure if e10s is enabled for Aurora, but it certainly is not enabled for Beta.
status-firefox34:
--- → unaffected
status-firefox35:
--- → disabled
status-firefox36:
--- → affected
status-firefox37:
--- → affected
Keywords: sec-high
Comment 4•9 years ago
Comment on attachment 8537426
ws3.patch
Review of attachment 8537426:
-----------------------------------------------------------------
Thanks Andrea!
Attachment #8537426 -
Flags: review?(jduell.mcbugs) → review+
Assignee
Updated•9 years ago
Keywords: checkin-needed
Comment 5•9 years ago
This needs sec-approval before landing.
Flags: needinfo?(amarchesini)
Keywords: checkin-needed
Assignee
Comment 6•9 years ago
Comment on attachment 8537426
ws3.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
e10s is not enabled by default in beta, but this issue is easy to reproduce.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes. We just have a thread-safe refcounter.
Which older supported branches are affected by this flaw?
n/a
If not all supported branches, which bug introduced the flaw?
n/a
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
n/a
How likely is this patch to cause regressions; how much testing does it need?
No regressions.
Flags: needinfo?(amarchesini)
Attachment #8537426 -
Flags: sec-approval?
Comment 7•9 years ago
Comment on attachment 8537426
ws3.patch
sec-approval+ for trunk. Please make an Aurora patch as well and nominate it so we can get it there. We have a lot of folks using e10s in Aurora on the Web Developer edition.
Attachment #8537426 -
Flags: sec-approval? → sec-approval+
Assignee
Comment 8•9 years ago
> sec-approval+ for trunk. Please make an Aurora patch as well and nominate it
> so we can get it there. We have a lot of folks using e10s in Aurora on the
> Web Developer edition.
I guess the same patch works for aurora.
Assignee
Comment 9•9 years ago
Comment on attachment 8537426
ws3.patch
Approval Request Comment
[Feature/regressing bug #]: 504553
[User impact if declined]: a crash for e10s
[Describe test coverage new/current, TBPL]: none
[Risks and why]: this patch is extremely simple.
[String/UUID change made/needed]: none
Attachment #8537426 -
Flags: approval-mozilla-aurora?
Updated•9 years ago
Keywords: checkin-needed
Comment 10•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8ef1de3364d7
Keywords: checkin-needed
Updated•9 years ago
Attachment #8537426 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11•9 years ago
https://hg.mozilla.org/mozilla-central/rev/8ef1de3364d7
Status: NEW → RESOLVED
Closed: 9 years ago
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Updated•5 years ago
Component: DOM → DOM: Core & HTML