Closed
Bug 1277866
Opened 8 years ago
Closed 8 years ago
Out-of-bounds write to unboxed object in arm64 backend
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | unaffected |
| firefox-esr45 | --- | unaffected |
| firefox50 | --- | fixed |
People
(Reporter: jonco, Assigned: jonco)
References
Details
(Keywords: csectype-other, sec-high, Whiteboard: [post-critsmash-triage][adv-main50+])
Attachments
(1 file)
|
984 bytes,
patch
|
nbp
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The arm64 MacroAssembler method storeUnboxedPayload calls storePtr to do a four byte write, which AIUI writes eight bytes. This can result in writing past the end of the object. I'm not sure whether arm64 is used in production yet, but marking this s-s to be safe.
|
||
Updated•8 years ago
|
Group: core-security → javascript-core-security
status-firefox47:
--- → unaffected
status-firefox-esr45:
--- → unaffected
Keywords: csectype-other,
sec-high
|
Assignee | |
Updated•8 years ago
|
Attachment #8759687 -
Flags: review?(nicolas.b.pierron)
|
||
Comment 2•8 years ago
|
||
Fwiw, we're not testing ARM64 yet in fuzzing (at least I don't). If it's supposed to be tested, it would be good to know.
|
||
Updated•8 years ago
|
Attachment #8759687 -
Flags: review?(nicolas.b.pierron) → review+
|
|
Assignee | |
Comment 3•8 years ago
|
||
Comment on attachment 8759687 [details] [diff] [review] arm64-unboxed-store [Security approval request comment] I'm still not sure whether arm64 is used in any shipping product but I'm requesting approval just in case. How easily could an exploit be constructed based on the patch? Difficult but possible. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? If you know what you're looking for then it's pretty obvious from the patch. Which older supported branches are affected by this flaw? Everything back to 41. If not all supported branches, which bug introduced the flaw? Bug 1166527. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The same patch should apply. How likely is this patch to cause regressions; how much testing does it need? Unlikley.
Attachment #8759687 -
Flags: sec-approval?
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8759687 [details] [diff] [review] arm64-unboxed-store sec-approval+ for trunk.
Attachment #8759687 -
Flags: sec-approval? → sec-approval+
|
||
Comment 5•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/551541092f09
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
|
||
Updated•8 years ago
|
Group: javascript-core-security → core-security-release
|
||
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+]
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•