Closed Bug 1277866 Opened 3 years ago Closed 3 years ago
Out-of-bounds write to unboxed object in arm64 backend
The arm64 MacroAssembler method storeUnboxedPayload calls storePtr to do a four byte write, which AIUI writes eight bytes. This can result in writing past the end of the object. I'm not sure whether arm64 is used in production yet, but marking this s-s to be safe.
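The width mismatch described in the comment above, shown as an added C example that is not SpiderMonkey code and not part of this bug's patch. It models a hypothetical unboxed object whose last field is a 4-byte int32 payload, places a canary pattern in the bytes that follow the object, and compares a 4-byte store against a pointer-width (8-byte) store of the same payload; the names, layout and canary are all assumptions made for the illustration.

```c
/* Added example, not SpiderMonkey code. Models the storeUnboxedPayload bug:
 * an int32 payload written with a pointer-width (8-byte) store into a 4-byte
 * slot at the end of an object overwrites the bytes after the object.
 * Layout, names and canary pattern are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical unboxed object: 8-byte header, then one 4-byte int32 payload,
 * so the object is exactly 12 bytes long. */
enum { PAYLOAD_OFFSET = 8, OBJECT_BYTES = 12, NEIGHBOUR_BYTES = 8 };

/* Arena: the object followed by bytes belonging to whatever was allocated
 * next. Those bytes are filled with a canary so a write past the object
 * can be detected. */
enum { ARENA_BYTES = OBJECT_BYTES + NEIGHBOUR_BYTES };
static const uint8_t CANARY = 0xA5;

static void arena_init(uint8_t *arena) {
    memset(arena, 0, OBJECT_BYTES);
    memset(arena + OBJECT_BYTES, CANARY, NEIGHBOUR_BYTES);
}

/* Correct store: 4 bytes, the width of an int32 payload
 * (what a store32-style instruction would do). */
static void store_payload_int32(uint8_t *obj, int32_t value) {
    memcpy(obj + PAYLOAD_OFFSET, &value, sizeof value);
}

/* Buggy store: the payload sits in a 64-bit register and is written with a
 * pointer-width store (storePtr on a 64-bit target), i.e. 8 bytes. */
static void store_payload_ptr_width(uint8_t *obj, int32_t value) {
    uint64_t widened = (uint32_t)value;             /* zero-extended to 64 bits */
    memcpy(obj + PAYLOAD_OFFSET, &widened, sizeof widened);
}

/* Number of neighbour bytes that no longer hold the canary. */
static int bytes_clobbered(const uint8_t *arena) {
    int n = 0;
    for (int i = 0; i < NEIGHBOUR_BYTES; i++)
        if (arena[OBJECT_BYTES + i] != CANARY)
            n++;
    return n;
}

/* Run the correct 4-byte store and report how many neighbour bytes it damaged. */
int clobbered_by_int32_store(int32_t value) {
    uint8_t arena[ARENA_BYTES];
    arena_init(arena);
    store_payload_int32(arena, value);
    return bytes_clobbered(arena);
}

/* Run the buggy 8-byte store and report how many neighbour bytes it damaged. */
int clobbered_by_ptr_width_store(int32_t value) {
    uint8_t arena[ARENA_BYTES];
    arena_init(arena);
    store_payload_ptr_width(arena, value);
    return bytes_clobbered(arena);
}

int main(void) {
    int32_t v = 0x11223344;
    printf("4-byte store clobbers %d neighbour bytes\n", clobbered_by_int32_store(v));
    printf("8-byte store clobbers %d neighbour bytes\n", clobbered_by_ptr_width_store(v));
    return 0;
}
```

The 8-byte store writes the payload's upper 32 bits (zero here, but attacker-influenced in general once the register holds a wider value) over the first four bytes of the next allocation, which is exactly the out-of-bounds write the bug title describes; the 4-byte store leaves the neighbour untouched.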
Attachment #8759687 - Flags: review?(nicolas.b.pierron)
Fwiw, we're not testing ARM64 yet in fuzzing (at least I don't). If it's supposed to be tested, it would be good to know.
Attachment #8759687 - Flags: review?(nicolas.b.pierron) → review+
Comment on attachment 8759687 [details] [diff] [review] arm64-unboxed-store
[Security approval request comment]
I'm still not sure whether arm64 is used in any shipping product but I'm requesting approval just in case.
How easily could an exploit be constructed based on the patch? Difficult but possible.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? If you know what you're looking for then it's pretty obvious from the patch.
Which older supported branches are affected by this flaw? Everything back to 41.
If not all supported branches, which bug introduced the flaw? Bug 1166527.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The same patch should apply.
How likely is this patch to cause regressions; how much testing does it need? Unlikely.
Attachment #8759687 - Flags: sec-approval?
Comment on attachment 8759687 [details] [diff] [review] arm64-unboxed-store
sec-approval+ for trunk.
Attachment #8759687 - Flags: sec-approval? → sec-approval+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+]