Closed
Bug 1183882
Opened 9 years ago
Closed 9 years ago
PushMessageData extends nsWrapperCache, but is not cycle collectable, nor has QI support for nsWrapperCache
Categories
(Core :: DOM: Service Workers, defect)
Tracking
()
RESOLVED
FIXED
mozilla42
Tracking | Status | |
---|---|---|
firefox40 | --- | unaffected |
firefox41 | + | fixed |
firefox42 | + | fixed |
firefox-esr31 | --- | unaffected |
firefox-esr38 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-v2.2r | --- | unaffected |
b2g-master | --- | fixed |
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: sec-high, Whiteboard: [post-critsmash-triage])
Attachments
(1 file)
1.51 KB,
patch
|
nsm
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
Run the following in ServiceWorker:
var e = new PushEvent("test");
e.data.foo = e;
#0 0x00007fffed486d4b in nsWrapperCache::PreserveWrapper(nsISupports*) (this=0x7fffbabb09c8, aScriptObjectHolder=0x7fffbabb09c0)
at /home/smaug/mozilla/hg/push-m-i/js/xpconnect/wrappers/../../../dom/base/nsWrapperCache.h:234
#1 0x00007fffee509ec3 in mozilla::dom::PreserveWrapperHelper<mozilla::dom::workers::PushMessageData, true>::PreserveWrapper(mozilla::dom::workers::PushMessageData*) (aObject=0x7fffbabb09c0)
at ../../dist/include/mozilla/dom/BindingUtils.h:2639
#2 0x00007fffee509e95 in mozilla::dom::PreserveWrapper<mozilla::dom::workers::PushMessageData>(mozilla::dom::workers::PushMessageData*) (aObject=0x7fffbabb09c0)
at ../../dist/include/mozilla/dom/BindingUtils.h:2646
#3 0x00007fffee4d93b5 in mozilla::dom::PushMessageDataBinding_workers::_addProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>) (cx=0x7fffc16b3480, obj=..., id=..., val=...)
at ./PushMessageDataBinding.cpp:148
#4 0x00007ffff2169290 in js::CallJSAddPropertyOp(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>) (cx=0x7fffc16b3480, op=0x7fffee4d9350 <mozilla::dom::PushMessageDataBinding_workers::_addProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>)>, obj=..., id=..., v=...)
at /home/smaug/mozilla/hg/push-m-i/js/src/jscntxtinlines.h:330
#5 0x00007ffff2112e22 in CallAddPropertyHook(js::ExclusiveContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::Handle<JS::Value>) (cx=0x7fffc16b3480, obj=..., shape=..., value=...)
at /home/smaug/mozilla/hg/push-m-i/js/src/vm/NativeObject.cpp:995
#6 0x00007ffff20c752f in AddOrChangeProperty(js::ExclusiveContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JSPropertyDescriptor>) (cx=0x7fffc16b3480, obj=..., id=..., desc=...)
at /home/smaug/mozilla/hg/push-m-i/js/src/vm/NativeObject.cpp:1177
Simple ServiceWorkerConsole https://github.com/smaug----/serviceworkerconsole, but don't know how to actually serve that as
https + html page. github pages don't seem to work for me.
but running that as localhost works.
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → bugs
Assignee | ||
Comment 1•9 years ago
|
||
(note, I'm adding assertions to catch this kind of errors)
Assignee | ||
Comment 2•9 years ago
|
||
Attachment #8633791 -
Flags: review?(nsm.nikhil)
Attachment #8633791 -
Flags: review?(nsm.nikhil) → review+
Assignee | ||
Comment 3•9 years ago
|
||
Comment on attachment 8633791 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Rather easily, I'd say
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be
"Bug 1183882, properly implement wrapper caching on PushMessageData, r=nsm"
Which older supported branches are affected by this flaw?
I was told this is exposed in Aurora/Nightly
If not all supported branches, which bug introduced the flaw?
bug 1038811
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The patch should work with aurora too.
How likely is this patch to cause regressions; how much testing does it need?
Not likely
Attachment #8633791 -
Flags: sec-approval?
Attachment #8633791 -
Flags: approval-mozilla-aurora?
Comment 4•9 years ago
|
||
poiru: it would be interesting to see if your CC analysis stuff would have caught this...
Assignee | ||
Comment 5•9 years ago
|
||
The assertions from Bug 1183604 did catch this.
I'll land that patch once the issues it found have been landed.
Luckily no issues exposed to web in release builds.
Comment 6•9 years ago
|
||
Comment on attachment 8633791 [details] [diff] [review]
patch
Approvals given for landing.
Attachment #8633791 -
Flags: sec-approval?
Attachment #8633791 -
Flags: sec-approval+
Attachment #8633791 -
Flags: approval-mozilla-aurora?
Attachment #8633791 -
Flags: approval-mozilla-aurora+
Updated•9 years ago
|
status-firefox40:
--- → unaffected
status-firefox41:
--- → affected
status-firefox42:
--- → affected
tracking-firefox41:
--- → +
tracking-firefox42:
--- → +
Assignee | ||
Comment 7•9 years ago
|
||
Comment 8•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Comment 9•9 years ago
|
||
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-v2.2r:
--- → unaffected
status-b2g-master:
--- → fixed
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → unaffected
Flags: in-testsuite?
Updated•9 years ago
|
Group: dom-core-security → release-core-security
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•