Closed Bug 1133909 Opened 9 years ago Closed 9 years ago

Fix hazards revealed by adding in missing GCPointers

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox35 --- wontfix
firefox36 --- wontfix
firefox37 + fixed
firefox38 + fixed
firefox39 + fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: sfink, Assigned: sfink)

Details

(Keywords: sec-high, Whiteboard: [adv-main37+])

Attachments

(1 file)

Fix hazards revealed by adding in new GCPointers
5.25 KB, patch
terrence
: review+
lmandel
: approval-mozilla-aurora+
lmandel
: approval-mozilla-beta+
abillings
: sec-approval+
Details | Diff | Splinter Review 
Bug 1132744 added in some new and renamed GCPointers, which revealed a few undetected hazards. I am not marking the dependency since currently bug 1132744 is public.

        Attachment #8565564 -
        Flags: review?(terrence)

    
  
Assignee: nobody → sphink
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 8565564 [details] [diff] [review]
Fix hazards revealed by adding in new GCPointers

Review of attachment 8565564 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM

        Attachment #8565564 -
        Flags: review?(terrence) → review+
Keywords: sec-high

    
    

    
  
Are these hazards dangerous?  If this is actually sec-high, it should have gotten sec-approval prior to landing.
Flags: needinfo?(sphink)

    
    

    
  
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Are these hazards dangerous?  If this is actually sec-high, it should have
> gotten sec-approval prior to landing.

Oh, sorry. I thought that was only sec-crit.

Are they dangerous? Hm. There are 2 real hazards here. They're both UAF of gcthings. The Symbols one looks like it would give you very limited read-only access. The JitCode one would interpret 3 words as pointers and free them. I don't know how bad that is considered?
Flags: needinfo?(sphink)

    
    

    
  
No, it is for sec-high and sec-crit.

Thanks for the explanation, that does sound bad, though difficult to exploit.  I guess just fill out the sec-approval thing and Al can set flags and whatever else.

    
    

    
  
Comment on attachment 8565564 [details] [diff] [review]
Fix hazards revealed by adding in new GCPointers

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

If you recognize that GC problems are nasty, it wouldn't be hard to trigger a crash. An exploit seems difficult, but it'd probably be useful in combination with other holes.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

Looks like gecko 32 and up.

If not all supported branches, which bug introduced the flaw?

I would guess bug 1066322 (Fx36) for the Symbol part, and bug 976446 (Fx32) for the jitcode part.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

I haven't tried making them yet, but they should be nearly identical and low risk. The most likely thing to cause conflicts is only shutting up a false positive, so it can be dropped if it causes trouble.

How likely is this patch to cause regressions; how much testing does it need?

It's very low risk. It has a high probability of fixing the actual flaws, since they were things that the static analysis should be able to catch but couldn't because we renamed some things underneath it. Taking those renamings into account, the analysis is happy.

        Attachment #8565564 -
        Flags: sec-approval?

    
    

    
  
(In reply to Steve Fink [:sfink, :s:] from comment #9)

> Which older supported branches are affected by this flaw?
> 
> Looks like gecko 32 and up.

 I see that Terrence Cole marked this as affecting 31. Is this actually on 32 up and ESR31 is unaffected? It sounds like this is the case.

    
    

    
  
(In reply to Al Billings [:abillings] from comment #10)
> (In reply to Steve Fink [:sfink, :s:] from comment #9)
> 
> > Which older supported branches are affected by this flaw?
> > 
> > Looks like gecko 32 and up.
> 
>  I see that Terrence Cole marked this as affecting 31. Is this actually on
> 32 up and ESR31 is unaffected? It sounds like this is the case.

Sorry, Steve is correct: I thought we landed the JitCode change earlier than 32.

          status-firefox-esr31:
          affectedunaffected

    
    

    
  
Comment on attachment 8565564 [details] [diff] [review]
Fix hazards revealed by adding in new GCPointers

sec-approval+ for trunk.

We should take this on Aurora and Beta as well.

        Attachment #8565564 -
        Flags: sec-approval? → sec-approval+

    
    

    
  
Given that this has already landed on m-c, I would prefer to take the fix in Beta 2 if possible.

Steve - Can you request uplift early on Monday?
Flags: needinfo?(sphink)

    
    

    
  
Comment on attachment 8565564 [details] [diff] [review]
Fix hazards revealed by adding in new GCPointers

Approval Request Comment
[Feature/regressing bug #]: bug 1066322 (Fx36) for the Symbol part, and bug 976446 for the jitcode
[User impact if declined]: potentially exploitable UAF
[Describe test coverage new/current, TreeHerder]: on central
[Risks and why]: Safe. These changes have trivial effects during normal operation. (Minor reordering of independent operations.)
[String/UUID change made/needed]: none
Flags: needinfo?(sphink)

        Attachment #8565564 -
        Flags: approval-mozilla-beta?

        Attachment #8565564 -
        Flags: approval-mozilla-b2g37?

        Attachment #8565564 -
        Flags: approval-mozilla-b2g34?

        Attachment #8565564 -
        Flags: approval-mozilla-b2g32?

        Attachment #8565564 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8565564 [details] [diff] [review]
Fix hazards revealed by adding in new GCPointers

Let's get this sec-high fix on upstream branches. Beta+ Aurora+

        Attachment #8565564 -
        Flags: approval-mozilla-beta?

        Attachment #8565564 -
        Flags: approval-mozilla-beta+

        Attachment #8565564 -
        Flags: approval-mozilla-aurora?

        Attachment #8565564 -
        Flags: approval-mozilla-aurora+

    
    

    
  
Comment on attachment 8565564 [details] [diff] [review]
Fix hazards revealed by adding in new GCPointers

sec-high doesn't need any extra b2g approvals

        Attachment #8565564 -
        Flags: approval-mozilla-b2g37?

        Attachment #8565564 -
        Flags: approval-mozilla-b2g34?

        Attachment #8565564 -
        Flags: approval-mozilla-b2g32?
Whiteboard: [adv-main37+]

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.