Closed
Bug 1372992
Opened 9 years ago
Closed 9 years ago
Compartment mismatch in nsObjectLoadingContent::TeardownProtoChain()
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: mccr8, Unassigned)
References
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-6abdbf11-7136-40db-a0cd-0619f0170609.
=============================================================
This crash is a compartment mismatch for the JS_GetPrototype call in nsObjectLoadingContent::TeardownProtoChain(). I'm guessing that the prototype chain crosses compartments, but we don't enter the new compartment. I don't know how exploitable this is.
Comment 1•9 years ago
In what cases can a proto chain cross compartments?
Overholt, I need the DOM team to own triage on this: I don't know enough about JSAPI to make a good decision.
Flags: needinfo?(overholt)
Comment 2•9 years ago
Boris, is a cross-compartment proto chain something that can happen?
Flags: needinfo?(bzbarsky)
Comment 3•9 years ago
> I'm guessing that the prototype chain crosses compartments
That should never happen. In particular, JS_SetPrototype asserts that obj and proto are same-compartment, and object creation with a given proto asserts that the proto is same-compartment with cx (and the new object gets created in the compartment of cx).
I don't see any operation on unwrapped objects in the TeardownProtoChain code (apart from the nsNPObjWrapper::IsWrapper(js::UncheckedUnwrap(proto)) bit, but that doesn't change any local state), so I don't see how we could end up with a compartment mismatch here unless something is _really_ broken somewhere... :(
Flags: needinfo?(bzbarsky)
Comment 4•9 years ago
Thanks for looking, Boris. This could just be generic memory corruption, then. I only see a single crash like this, so I'll just close this as incomplete for now.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Updated•9 years ago
Flags: needinfo?(overholt)
Updated•9 years ago
Summary: Crash in js::CompartmentChecker::fail → Compartment mismatch in nsObjectLoadingContent::TeardownProtoChain()
Updated•6 years ago
Group: dom-core-security
Updated•4 years ago
Product: Core → Core Graveyard