Cell iterators need a read barrier

RESOLVED FIXED in Firefox -esr45

Status

()

defect
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: jonco, Assigned: jonco)

Tracking

({csectype-uaf, sec-high})

unspecified
mozilla54
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr4552+ fixed, firefox51 wontfix, firefox52+ fixed, firefox-esr52 fixed, firefox53+ fixed, firefox54+ fixed)

Details

(Whiteboard: [adv-main52+][adv-esr45.8+])

Attachments

(3 attachments)

Iterating through allocated cells can hand out pointers to otherwise unreachable cells, and so needs a read barrier in case there's an incremental GC going on.

This came up originally in bug 1322420.
Patch to add a barrier to AreanCellIter.  ArenaCellIterImpl is used both during and outside of GC so this needs a dynamic check.  It does a full ExposeToActiveJS as we can find gray things in the heap and then hand them back to the caller.
Assignee: nobody → jcoppeard
Attachment #8830414 - Flags: review?(sphink)
Hey Steve, this is a security issue. Can you please move this review request to the top of your pile?
If not, please redirect to someone else ASAP (and make sure they do have the time!)
Flags: needinfo?(sphink)
Comment on attachment 8830414 [details] [diff] [review]
bug1322420-barrier-cell-iter

Review of attachment 8830414 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay. I don't have a great system for secure bugs, it seems. Please ping after 48 hours.
Attachment #8830414 - Flags: review?(sphink) → review+
Flags: needinfo?(sphink)
Comment on attachment 8830414 [details] [diff] [review]
bug1322420-barrier-cell-iter

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Very difficult.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

At least as far back as 32.

If not all supported branches, which bug introduced the flaw?

Bug 1001159 introduced this class but the flaw may have been present before then.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

It may require rebasing but the result shouldn't be very different.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely.
Attachment #8830414 - Flags: sec-approval?
sec-approval+ for trunk.
We'll want this on affected branches as well if you can nominate patches.
Attachment #8830414 - Flags: sec-approval? → sec-approval+
Jon, can you please nominate branch patches for all other affected branches?
I mistakenly landed this with the wrong bug number:

https://hg.mozilla.org/mozilla-central/rev/4e919ac282a4
Flags: needinfo?(jcoppeard)
Approval Request Comment
[Feature/Bug causing the regression]: Bug 1001159.
[User impact if declined]: Possible crash / security violation.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: This is a fairly simple change that adds a read barrier when iterating cells in arenas.
[String changes made/needed]: None.
Attachment #8837584 - Flags: approval-mozilla-beta?
Attachment #8837584 - Flags: approval-mozilla-aurora?
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high bug.
User impact if declined: Possible crash / security vulnerability.
Fix Landed on Version: 54.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Attachment #8837594 - Flags: approval-mozilla-esr45?
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: javascript-core-security → core-security-release
Target Milestone: --- → mozilla54
Comment on attachment 8837584 [details] [diff] [review]
bug1322971-backport

Approving for Beta and Aurora. I'll wait for release management to make a decision for ESR45.
Attachment #8837584 - Flags: approval-mozilla-beta?
Attachment #8837584 - Flags: approval-mozilla-beta+
Attachment #8837584 - Flags: approval-mozilla-aurora?
Attachment #8837584 - Flags: approval-mozilla-aurora+
Comment on attachment 8837594 [details] [diff] [review]
bug1322971-esr45

Fix a sec-high. ESR45+.
Attachment #8837594 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Setting qe-verify- based on Jon's assessment on manual testing needs (Comment 9) and the fact that this fix has automated coverage.
Flags: qe-verify-
Whiteboard: [adv-main52+][adv-esr45.8+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.