Closed
Bug 1309720
Opened 7 years ago
Closed 7 years ago
Ensure the child passed to nsINode::InsertBefore is kept alive
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [post-critsmash-triage][adv-main50+][adv-esr45.5+])
Attachments
(2 files)
|
12.25 KB,
patch
|
ehsan.akhgari
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
12.13 KB,
patch
|
abillings
:
approval-mozilla-esr45+
|
Details | Diff | Splinter Review |
bug 1308922 fixed one instance, but I noticed today couple of more in HTML Table code.
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → bugs
|
|
Assignee | |
Comment 1•7 years ago
|
||
The issue is way more common than I thought :(
|
|
Assignee | |
Comment 2•7 years ago
|
||
Attachment #8800451 -
Flags: review?(ehsan)
|
|
Assignee | |
Comment 3•7 years ago
|
||
I decided to go this route and not change InsertBefore, since changing InsertBefore would make it slower in common case (JS using it) and we are just violating com rules here.
|
||
Comment 4•7 years ago
|
||
We really need some kind of GC-like analysis for DOM nodes. :(
|
|
||
Comment 5•7 years ago
|
||
I'm going to assume that at least something in there can be triggered.
Keywords: csectype-uaf,
sec-critical
|
||
Comment 6•7 years ago
|
||
It seems possible to avoid this general pattern by making InsertBefore take a |const nsCOMPtr<nsINode>&| as its second argument. Is there any reason why you didn't do that?
Flags: needinfo?(bugs)
|
|
||
Comment 7•7 years ago
|
||
Comment on attachment 8800451 [details] [diff] [review] patch Review of attachment 8800451 [details] [diff] [review]: ----------------------------------------------------------------- At any rate, this patch itself is good, but I still think we should also do comment 6, and backport that as well.
Attachment #8800451 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 8•7 years ago
|
||
(In reply to :Ehsan Akhgari from comment #6) > It seems possible to avoid this general pattern by making InsertBefore take > a |const nsCOMPtr<nsINode>&| as its second argument. Is there any reason > why you didn't do that? This is a method added for and used by webidl bindings, and they pass raw pointer. No need to slow that down. And, wouldn't const nsCOMPtr<nsINode>& still allow passing member variables.
Flags: needinfo?(bugs)
|
|
Assignee | |
Comment 9•7 years ago
|
||
Comment on attachment 8800451 [details] [diff] [review] patch [Security approval request comment] See bug 1308922. This is very similar How easily could an exploit be constructed based on the patch? It is still a bit unclear to me how to construct an exploit from this. Initially we end up doing deletedobject[someoffset] == <something else> comparison. If someone manages to control the memory area for deleted object and the right offset, then worse things could happen. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Commit message could be: Bug 1309720, ensure expected DOM tree operations when calling insertBefore, r=ehsan Which older supported branches are affected by this flaw? All Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I don't have yet, but should be easy to create. The patch applies cleanly to aurora and beta, but esr45 needs a new patch because there has been some file renaming. How likely is this patch to cause regressions; how much testing does it need? safe stuff. Just keeping objects alive longer.
Attachment #8800451 -
Flags: sec-approval?
|
|
||
Comment 10•7 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #8) > (In reply to :Ehsan Akhgari from comment #6) > > It seems possible to avoid this general pattern by making InsertBefore take > > a |const nsCOMPtr<nsINode>&| as its second argument. Is there any reason > > why you didn't do that? > This is a method added for and used by webidl bindings, and they pass raw > pointer. > No need to slow that down. Can we use a binaryName for that, and call it InsertBeforeWebIDLConsumerOnly or some such and not use that version in our internal code? > And, wouldn't const nsCOMPtr<nsINode>& still allow passing member variables. It would. Is that not OK?
|
|
Assignee | |
Comment 11•7 years ago
|
||
(In reply to :Ehsan Akhgari from comment #10) > It would. Is that not OK? That is definitely not ok in general. We need to follow COM rules here and elsewhere, caller is supposed to keep params alive, and using member variables doesn't guarantee that. But, nsCOMPtr<>& as a param might make this code less fragile. I'll file a followup.
|
||
Comment 12•7 years ago
|
||
sec-approval+ for trunk. I think we should take this everywhere but I need release management to approve these.
status-firefox49:
--- → wontfix
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
status-firefox-esr45:
--- → affected
tracking-firefox50:
--- → ?
tracking-firefox51:
--- → ?
tracking-firefox52:
--- → +
tracking-firefox-esr45:
--- → ?
Flags: needinfo?(rkothari)
|
|
||
Updated•7 years ago
|
Attachment #8800451 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 13•7 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #11) > (In reply to :Ehsan Akhgari from comment #10) > > It would. Is that not OK? > That is definitely not ok in general. We need to follow COM rules here and > elsewhere, caller is supposed to keep params alive, and using member > variables doesn't guarantee that. Right, but that's similar to the cases where we have kungfu death grips... > But, nsCOMPtr<>& as a param might make this code less fragile. > I'll file a followup. Thanks!
Given that this is rated as a sec-crit, we can take it on Beta50, Aurora51 and ESR45. Please nominate patches for uplift.
Flags: needinfo?(rkothari)
|
|
Assignee | |
Comment 15•7 years ago
|
||
Went through again all the InsertBefore instance in tree, and couldn't find more.
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
It is sec-crit
User impact if declined: security sensitive crashes.
Fix Landed on Version: About to land to FF52
Risk to taking this patch (and alternatives if risky): Should be safe. Just more kungfuDeathGrips
String or UUID changes made by this patch: NA
Attachment #8801084 -
Flags: approval-mozilla-esr45?
|
|
Assignee | |
Comment 16•7 years ago
|
||
Comment on attachment 8800451 [details] [diff] [review] patch Approval Request Comment See comment 15
Attachment #8800451 -
Flags: approval-mozilla-beta?
Attachment #8800451 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 17•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/63d0a40426ecc68cb9bbf93179e769ab06c7afa0
|
|
||
Comment 18•7 years ago
|
||
Comment on attachment 8800451 [details] [diff] [review] patch Approving branch patches based on release management comments.
Attachment #8800451 -
Flags: approval-mozilla-beta?
Attachment #8800451 -
Flags: approval-mozilla-beta+
Attachment #8800451 -
Flags: approval-mozilla-aurora?
Attachment #8800451 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•7 years ago
|
Attachment #8801084 -
Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
|
|
||
Updated•7 years ago
|
Keywords: checkin-needed
|
||
Comment 19•7 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/24f9300535ef https://hg.mozilla.org/releases/mozilla-beta/rev/af995f34ee2e https://hg.mozilla.org/releases/mozilla-esr45/rev/8e0bab4216de
Keywords: checkin-needed
|
||
Comment 20•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/63d0a40426ec
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
|
||
Updated•7 years ago
|
Group: dom-core-security → core-security-release
|
||
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+][adv-esr45.5+]
|
|
||
Updated•6 years ago
|
Group: core-security-release
|
||
Updated•4 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•