Closed
Bug 1371853
Opened 8 years ago
Closed 8 years ago
Possible native rooting issue in XPCConvert::JSObject2NativeInterface()
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla56
People
(Reporter: mccr8, Assigned: bzbarsky)
References
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main55-][adv-esr52.3-][post-critsmash-triage])
Attachments
(1 file)
|
2.58 KB,
patch
|
mccr8
:
review+
|
Details | Diff | Splinter Review |
This method contains a call to CheckedUnwrap:
JSObject* inner = js::CheckedUnwrap(src, /* stopAtWindowProxy = */ false);
then an XPCWN is gotten off of inner, an nsISupports is gotten from that XPCWN, then we call QI on it. If the QI is implemented in JS (is that possible?) and src != inner, then the XPCWN or the nsISupports might get destroyed. |inner| should probably at least be rooted, if not the XPCWN and |iface|.
|
Reporter | |
Comment 1•8 years ago
|
||
There's similar issues with the CheckedUnwrap call in XPCConvert::JSValToXPCException().
|
|
Reporter | |
Updated•8 years ago
|
See Also: → CVE-2017-7801
|
Assignee | |
Comment 2•8 years ago
|
||
> If the QI is implemented in JS (is that possible?)
Yes, if it's a double-wrapped XPCWrappedJS.
|
|
Assignee | |
Comment 3•8 years ago
|
||
Just for posterity, the failure mode is if entering JS causes us to turn src into a DeadObjectWrapper, thereby effectively leaving "inner" not rooted and possibly killing the XPCWN hanging off it.
|
|
Assignee | |
Comment 4•8 years ago
|
||
Attachment #8877718 -
Flags: review?(continuation)
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 5•8 years ago
|
||
Comment on attachment 8877718 [details] [diff] [review]
Root the unwrapped object in XPCConvert code
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not very. For one thing, the set of objects that pages can access that are actually XPCWrappedNative is pretty limited. But also, it's not immediately clear how "unwrapped" could fail to be rooted.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Not any more so than the actual change.
Which older supported branches are affected by this flaw? All of them.
If not all supported branches, which bug introduced the flaw? Effectively bug 695480.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This should be pretty easy and safe to backport.
How likely is this patch to cause regressions; how much testing does it need? Not likely and not much.
Attachment #8877718 -
Flags: sec-approval?
|
|
Reporter | |
Updated•8 years ago
|
Attachment #8877718 -
Flags: review?(continuation) → review+
|
|
Reporter | |
Updated•8 years ago
|
Keywords: csectype-uaf,
sec-critical
|
|
Assignee | |
Updated•8 years ago
|
Attachment #8877718 -
Flags: sec-approval?
|
||
Updated•8 years ago
|
status-firefox54:
--- → wontfix
status-firefox55:
--- → affected
status-firefox56:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox55:
--- → +
tracking-firefox56:
--- → +
tracking-firefox-esr52:
--- → 55+
|
|
Assignee | |
Comment 7•8 years ago
|
||
Fixed by bug 1371259.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
Group: dom-core-security → core-security-release
|
||
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
Target Milestone: --- → mozilla56
|
|
||
Comment 8•8 years ago
|
||
Minusing this for advisories since Nils' bug will get advisory credit.
Whiteboard: [adv-main55-][adv-esr52.3-]
|
||
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main55-][adv-esr52.3-] → [adv-main55-][adv-esr52.3-][post-critsmash-triage]
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•