Bug 1339591 (Closed): opened 8 years ago, closed 8 years ago
Possible UAFs with AutoRestore in SMIL code
Categories: Core :: Layout, defect
People: Reporter: mccr8, Assigned: birtles
Details: Keywords: csectype-uaf, sec-moderate; Whiteboard: [post-critsmash-triage][adv-main52+]
Attachments (1 file): patch, 2.42 KB; flags: mccr8: review+, gchang: approval-mozilla-aurora+, jcristau: approval-mozilla-beta+
This contains:
AutoRestore<bool> autoRestoreRunningSample(mRunningSample);
...
nsCOMPtr<nsIDocument> document(mDocument); // keeps 'this' alive too
If |document| keeps this alive, then it is possible that destroying |document| will destroy |this|, which means the restore will be a use after free.
Comment 1•8 years ago (Reporter)
Similarly in nsSMILInstanceTime::HandleChangedInterval.
Summary: Possible UAF in nsSMILAnimationController::DoSample → Possible UAFs with AutoRestore in SMIL code
Comment 2•8 years ago (Reporter)
The only code we're running in between the two is destroying two nsTHashtables, so it would be hard to exploit it. (Well, aside from whatever is going on with other threads.)
Keywords: csectype-uaf, sec-moderate
Comment 3•8 years ago (Assignee)
Assignee: nobody → bbirtles
Status: NEW → ASSIGNED
Attachment #8837443 - Flags: review?(continuation)
Updated•8 years ago (Reporter)
Attachment #8837443 - Flags: review?(continuation) → review+
Comment 4•8 years ago (Assignee)
sec-moderate so landing this myself:
https://hg.mozilla.org/integration/mozilla-inbound/rev/33f49f751b63cde40ffe16d4c5fee0b4a64a6a79
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox54: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment 6•8 years ago
Please request Aurora/Beta approval on this when you get a chance.
status-firefox51: --- → wontfix
status-firefox52: --- → affected
status-firefox53: --- → affected
status-firefox-esr45: --- → wontfix
status-firefox-esr52: --- → affected
tracking-firefox52: --- → ?
tracking-firefox53: --- → ?
tracking-firefox54: --- → ?
tracking-firefox-esr52: --- → ?
Flags: needinfo?(bbirtles)
Comment 7•8 years ago (Assignee)
Comment on attachment 8837443 [details] [diff] [review]
Patch
Approval Request Comment
[Feature/Bug causing the regression]: bug 814921
[User impact if declined]: Unpatched use-after-free (although it appears hard to exploit)
[Is this code covered by automated tests?]: The SMIL functionality is well-tested but there is no specific test case for this vulnerability.
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: It just re-orders two stack-based classes so that their destructors are run in a safe order.
[String changes made/needed]: None
Flags: needinfo?(bbirtles)
Attachment #8837443 - Flags: approval-mozilla-beta?
Attachment #8837443 - Flags: approval-mozilla-aurora?
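The description and comment 7 together describe the whole bug: an AutoRestore guard is declared before the nsCOMPtr that is the last thing keeping `this` alive, so the guard's destructor writes to a member of an object that the nsCOMPtr's destructor has just freed, and the fix is to swap the two declarations. The following C++ model is an added example, not Mozilla code: `AutoRestore`, `Document`, `DocPtr` and `Controller` are stand-ins for mozilla::AutoRestore, nsIDocument, nsCOMPtr<nsIDocument> and nsSMILAnimationController, and the live-member registry, trace and mid-sample "outside owner lets go" trigger are constructed instrumentation so that the bad ordering is reported rather than actually written to freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <vector>

// Constructed instrumentation: member addresses that still belong to a live
// object, plus the tear-down order, so a dangling restore is reported, not performed.
static std::set<const void*> gLiveMembers;
static std::vector<std::string> gTrace;
class Controller;

// Stand-in for mozilla::AutoRestore<T>: saves a member's value and writes it
// back through the stored reference when the guard is destroyed.
template <typename T>
class AutoRestore {
 public:
  explicit AutoRestore(T& aLocation) : mLocation(aLocation), mSaved(aLocation) {}
  ~AutoRestore() {
    const bool alive = gLiveMembers.count(&mLocation) != 0;
    // The real AutoRestore has no such check; without it this write is the UAF.
    if (alive) mLocation = mSaved;
    gTrace.push_back(alive ? "AutoRestore: restored member of a live object"
                           : "AutoRestore: restore targets a destroyed object (UAF)");
  }
 private:
  T& mLocation;
  T mSaved;
};

// Stand-in for nsIDocument: refcounted, and it owns the controller, so
// releasing the last document reference also destroys the controller.
class Document {
 public:
  explicit Document(Controller* aController) : mRefCnt(1), mController(aController) {}
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
 private:
  ~Document();  // defined once Controller is complete
  int mRefCnt;
  Controller* mController;
};

// Stand-in for nsCOMPtr<nsIDocument>: a scoped strong reference.
class DocPtr {
 public:
  explicit DocPtr(Document* aDoc) : mDoc(aDoc) { mDoc->AddRef(); }
  ~DocPtr() { gTrace.push_back("DocPtr: releasing document"); mDoc->Release(); }
 private:
  Document* mDoc;
};

// Stand-in for nsSMILAnimationController; mRunningSample is the flag the
// AutoRestore guard writes back.
class Controller {
 public:
  Controller() : mRunningSample(false), mDocument(nullptr) { gLiveMembers.insert(&mRunningSample); }
  ~Controller() { gLiveMembers.erase(&mRunningSample); gTrace.push_back("Controller destroyed"); }
  void SetDocument(Document* aDoc) { mDocument = aDoc; }
  // Ordering from the description: the guard is declared before the strong
  // reference, so it is destroyed after the reference has been released.
  void DoSampleVulnerable(const std::function<void()>& aMidSampleEvent) {
    AutoRestore<bool> autoRestoreRunningSample(mRunningSample);
    mRunningSample = true;
    DocPtr document(mDocument);  // keeps 'this' alive only until it is released
    aMidSampleEvent();
  }
  // Ordering after the fix (comment 7): the strong reference is declared
  // first, so it is released last, after the guard has restored the member.
  void DoSampleFixed(const std::function<void()>& aMidSampleEvent) {
    DocPtr document(mDocument);
    AutoRestore<bool> autoRestoreRunningSample(mRunningSample);
    mRunningSample = true;
    aMidSampleEvent();
  }
 private:
  bool mRunningSample;
  Document* mDocument;
};

Document::~Document() { gTrace.push_back("Document destroyed"); delete mController; }

// Runs one sample during which the outside owner drops its reference to the
// document (the constructed trigger) and returns the tear-down order.
static std::vector<std::string> RunSample(bool aFixed) {
  gTrace.clear();
  Controller* controller = new Controller();
  Document* doc = new Document(controller);  // refcount 1: the outside owner
  controller->SetDocument(doc);
  auto outsideOwnerLetsGo = [doc] { doc->Release(); };
  if (aFixed) controller->DoSampleFixed(outsideOwnerLetsGo);
  else controller->DoSampleVulnerable(outsideOwnerLetsGo);
  return gTrace;  // document and controller are both gone at this point
}

int main() {
  for (bool fixed : {false, true})
    for (const std::string& e : RunSample(fixed)) std::printf("%s: %s\n", fixed ? "fixed" : "vulnerable", e.c_str());
}
```

`RunSample(false)` shows the document being released, then the controller destroyed, and only then the guard trying to restore `mRunningSample`; `RunSample(true)` shows the restore happening first, while the strong reference still holds the controller alive. The point generalises beyond SMIL: any RAII guard that writes back into `this` must be declared after (and therefore destroyed before) whatever strong reference keeps `this` alive for the duration of the call.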
Comment 8•8 years ago
Comment on attachment 8837443 [details] [diff] [review]
Patch
Fix a security issue. Aurora53+.
Attachment #8837443 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•8 years ago
Comment 9•8 years ago
Comment on attachment 8837443 [details] [diff] [review]
Patch
fix UAF in SMIL, beta52+
Attachment #8837443 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 10•8 years ago
uplift
Comment 11•8 years ago
uplift
Updated•8 years ago
Group: layout-core-security → core-security-release
Updated•8 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•8 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main52+]
Updated•7 years ago
Group: core-security-release
Updated•6 years ago
Product: Core → Core Graveyard
Updated•6 years ago
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core