Closed
Bug 1137326
Opened 9 years ago
Closed 9 years ago
Avoid compartment iterator invalidation
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
People
(Reporter: sfink, Assigned: sfink)
References
Details
(Keywords: csectype-bounds, sec-high, Whiteboard: [adv-main37+][adv-esr31.6+])
Attachments
(1 file)
3.00 KB,
patch
|
sfink
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
approval-mozilla-esr31+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #1120655 +++ Separate bug for the patch "Fix out of bounds error in JS_iterateCompartments" from bug 1120655 so that it can land before the other parts.
Assignee | ||
Comment 1•9 years ago
|
||
Ugh. bzexport fail when trying to move to a different bug.
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•9 years ago
|
||
Comment on attachment 8569987 [details] [diff] [review] Fix out of bounds error in JS_iterateCompartments, Carrying over terrence's r+.
Attachment #8569987 -
Flags: review+
Assignee | ||
Comment 3•9 years ago
|
||
Comment on attachment 8569987 [details] [diff] [review] Fix out of bounds error in JS_iterateCompartments, [Security approval request comment] How easily could an exploit be constructed based on the patch? Difficult. Maybe you could do it with some iframe juggling? But then you'd need to have an iterator going too, which doesn't really happen from user code. Theoretically possible, I guess, but I don't know how to do it. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The patch name says "out of bounds error". Which older supported branches are affected by this flaw? I would guess this goes way back. Perhaps not as far as the introduction of compartments in FF4, but it doesn't depend on moving GC so it might come before that. If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? They will be semantically the same, but they might need to be done to different code once we move past the introduction of zones. (I looked at beta; this patch should apply there unchanged.) They won't be any riskier than the patch to the current source in terms of introducing new problems, and it's low risk. How likely is this patch to cause regressions; how much testing does it need? Fairly unlikely. It switches a rare failure mode from being an out of bounds access into a safe but incomplete iteration. I doubt any of our tests cover it; you'd probably need to run about:memory while closing tabs or something?
Attachment #8569987 -
Flags: sec-approval?
Assignee | ||
Updated•9 years ago
|
Summary: Make the analysis detect compartment iterator invalidation → Avoid compartment iterator invalidation
Updated•9 years ago
|
status-firefox36:
--- → wontfix
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox39:
--- → affected
status-firefox-esr31:
--- → affected
tracking-firefox37:
--- → +
tracking-firefox38:
--- → +
tracking-firefox39:
--- → +
tracking-firefox-esr31:
--- → ?
Comment 4•9 years ago
|
||
Comment on attachment 8569987 [details] [diff] [review] Fix out of bounds error in JS_iterateCompartments, sec-approval+. We should get this on branches as well once it is on trunk.
Attachment #8569987 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 5•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cde1ceac0788
Assignee | ||
Comment 6•9 years ago
|
||
Comment on attachment 8569987 [details] [diff] [review] Fix out of bounds error in JS_iterateCompartments, Approval Request Comment [Feature/regressing bug #]: compartments (FF4 timeframe) [User impact if declined]: difficult to exploit out of bounds access, probably not exposed to content code [Describe test coverage new/current, TreeHerder]: just landed on mozilla-inbound [Risks and why]: low risk. Turns an out of bound access into a safe but incomplete iteration. [String/UUID change made/needed]: none
Attachment #8569987 -
Flags: approval-mozilla-beta?
Attachment #8569987 -
Flags: approval-mozilla-aurora?
Comment 7•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cde1ceac0788
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Updated•9 years ago
|
Attachment #8569987 -
Flags: approval-mozilla-beta?
Attachment #8569987 -
Flags: approval-mozilla-beta+
Attachment #8569987 -
Flags: approval-mozilla-aurora?
Attachment #8569987 -
Flags: approval-mozilla-aurora+
Comment 8•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/2a92625b924e https://hg.mozilla.org/releases/mozilla-beta/rev/10eff960b898 Looks like we need an esr31 nomination here too? Also, setting in-testsuite? here presuming it can be changed to + once bug 1120655 lands.
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → fixed
Flags: needinfo?(sphink)
Flags: in-testsuite?
Assignee | ||
Comment 9•9 years ago
|
||
Comment on attachment 8569987 [details] [diff] [review] Fix out of bounds error in JS_iterateCompartments, [Approval Request Comment] Same as the other a? for aurora,beta.
Flags: needinfo?(sphink)
Attachment #8569987 -
Flags: approval-mozilla-esr31?
Updated•9 years ago
|
Updated•9 years ago
|
Attachment #8569987 -
Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
Comment 11•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/b897fa86b438 https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/ca470cc0a674 https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/3fc43021d56f https://hg.mozilla.org/releases/mozilla-esr31/rev/434bb6ebc748
Comment 12•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g34_v2_1s/rev/b897fa86b438 https://hg.mozilla.org/releases/mozilla-b2g32_v2_0m/rev/ca470cc0a674
status-b2g-v2.0M:
--- → fixed
status-b2g-v2.1S:
--- → fixed
Updated•9 years ago
|
Whiteboard: [adv-main37+][adv-esr31.6+]
Updated•9 years ago
|
Group: javascript-core-security
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•