Make nsTArrayHeader::sEmptyHdr const
Categories
(Core :: XPCOM, defect)
Tracking
()
People
(Reporter: q1, Assigned: froydnj)
References
Details
(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main82-])
Attachments
(3 files)
If a bug lets an attacker cause FF to write beyond the end of an empty nsTArray, she can overwrite static variables inside xul.dll. This is very dangerous, because the exact identity and order of those variables is fixed by the build, and is thus known to the attacker. Putting nsTArrayHeader::sEmptyHdr into readonly memory would much reduce the risk posed by this kind of bug. I raised this issue in https://bugzilla.mozilla.org/show_bug.cgi?id=1232069#c2 (a bug that allows exactly this kind of write-beyond-end), but think that it deserves its own bug. Andrew McCreight also raised a related issue in https://bugzilla.mozilla.org/show_bug.cgi?id=1240838 . I marked this bug as closed because it might suggest targets to attackers.
Some amount of memory (perhaps a few pages?) following &nsTArrayHeader::sEmptyHdr should also be readonly, because an empty nsTArray indexes the byte just following nsTArrayHeader::sEmptyHdr.
Updated•8 years ago
|
Assignee | ||
Comment 2•8 years ago
|
||
Do we need this now that we bounds-check array accesses?
(In reply to Nathan Froyd [:froydnj] from comment #2) > Do we need this now that we bounds-check array accesses? That doesn't help if a caller uses nsTArray::Elements() to get a pointer to the first element, then overruns the array.
(In reply to Nathan Froyd [:froydnj] from comment #2) > Do we need this now that we bounds-check array accesses? Ack! What I mean is that the bounds-check doesn't help if a caller uses nsTArray::Elements() to get a pointer to the first element, then overruns the array.
Assignee | ||
Comment 5•4 years ago
|
||
We fixed what I think is the lone instance of writing into the (empty)
header in SetLength
because it was causing TSan violations, so we should
be clear to make this const
. This change is not terribly effective on its
own (cf. the const_cast
required to make this work at all), but in the
next patch, we can rig up sEmptyTArrayHeader
to be surrounded with "guard
pages" and make rogue accesses off the array header a little more protected.
Updated•4 years ago
|
Assignee | ||
Comment 6•4 years ago
|
||
Depends on D88657
Assignee | ||
Comment 7•4 years ago
|
||
Depends on D88658
Comment 9•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/ac566cd8ff453656c996a3b792579e370a8b7a68
https://hg.mozilla.org/mozilla-central/rev/ac566cd8ff45
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•3 years ago
|
Comment 10•2 years ago
|
||
The bug assignee didn't login in Bugzilla in the last 7 months.
:nika, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 11•2 years ago
|
||
Tom, why did you reopen this issue? If there's some remaining hardening that could be done here, perhaps you could file a new bug for it? Thanks.
Updated•2 years ago
|
Comment 12•2 years ago
|
||
We did not resolve this issue fully - we made the object const, but not read-only. I will open a new bug for that task.
Updated•2 years ago
|
Description
•