Closed Bug 1339601 Opened 9 years ago Closed 6 years ago

Possible UAF in AppWindow::Destroy()

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: mccr8, Assigned: smaug)

Details

(Keywords: csectype-uaf, sec-low, Whiteboard: [post-critsmash-triage][adv-main76+r])

Attachments

(1 file)

Bug 1339601, remove useless placeHolder variable, r=bgrins
47 bytes, text/x-phabricator-request
Details | Review
mozilla::AutoRestore<bool> guard(mDestroying); ... nsCOMPtr<nsIXULWindow> placeHolder = this; If placeHolder is the last reference to the window, then the AutoRestore will turn into a (probably unexploitable) UAF.
The comment suggests the deathgrip isn't really needed: // XXXTAB This shouldn't be an issue anymore because the ownership model // only goes in one direction. When webshell container is fully removed // try removing this...
Keywords: sec-low
Keywords: csectype-uaf

This file has been moved so updating the title to match: https://searchfox.org/mozilla-central/rev/13b081a62d3f3e3e3120f95564529257b0bf451c/xpfe/appshell/AppWindow.cpp#636.

Brendan, do you have any idea if the deathgrip here is needed, or who else to ask? The comment there says "When webshell container is fully removed try removing this" but I'm not sure exactly what this is referring to.

Flags: needinfo?(bdahl)
Summary: Possible UAF in nsXULWindow::Destroy() → Possible UAF in AppWindow::Destroy()

I'm not sure what the web shell container refers to. Maybe Olli knows if we can get rid of this^

Flags: needinfo?(bdahl) → needinfo?(bugs)

The comment isn't quite right, at least not anymore, since in theory anything could happen when xul-window-destroyed is notified.
Just move nsCOMPtr<nsIAppWindow> placeHolder = this; higher up, or fix all the callers to keep a strong reference?

Flags: needinfo?(bugs)
Assignee: nobody → bugs

And that WebProgressListener removal deals with WeakRefs only.

review ping for a tiny patch

Flags: needinfo?(bgrinstead)

(In reply to Olli Pettay [:smaug] from comment #8)

review ping for a tiny patch

Sorry about that - responded in the patch.

Flags: needinfo?(bgrinstead)

https://hg.mozilla.org/integration/autoland/rev/72bed4d016bdc463884832b32a21235439ec2571
https://hg.mozilla.org/mozilla-central/rev/72bed4d016bd

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox76: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

Doesn't sound like this needs to be backported, but feel free to nominate if you feel otherwise.

status-firefox74: --- → wontfix
status-firefox75: --- → wontfix
status-firefox-esr68: --- → wontfix
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main76+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: