Closed
Bug 1442318
Opened 6 years ago
Closed 6 years ago
mozilla::css::URLValueData::GetUTF16String is unsound.
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla60
People
(Reporter: emilio, Assigned: emilio)
References
Details
(Keywords: regression, sec-high, Whiteboard: [adv-main59+])
Attachments
(1 file)
554 bytes,
patch
|
jdm
:
review+
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-release+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
mStrings.mString = converted; calls operator= on a string that is garbage.
Assignee | ||
Comment 1•6 years ago
|
||
Approval Request Comment [Feature/Bug causing the regression]: bug 1397971 [User impact if declined]: Memory safety issue. [Is this code covered by automated tests?]: No, but will be once the dependent bug lands. [Has the fix been verified in Nightly?]: no [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: not risky [Why is the change risky/not risky?]: one-liner fixing memory safety issue. [String changes made/needed]: none
Attachment #8955212 -
Flags: review?(josh)
Attachment #8955212 -
Flags: approval-mozilla-beta?
Updated•6 years ago
|
Attachment #8955212 -
Flags: review?(josh) → review+
Updated•6 years ago
|
status-firefox58:
--- → affected
status-firefox59:
--- → affected
status-firefox60:
--- → affected
status-firefox-esr52:
--- → unaffected
Keywords: regression,
sec-high
Comment 2•6 years ago
|
||
Is this really 59 only? Your patch isn't for trunk? It seems like this code affects 58 and higher. This bugs needs sec-approval to land. Please mark sec-approval? on the patch per https://wiki.mozilla.org/Security/Bug_Approval_Process and fill out the resulting template.
Flags: needinfo?(emilio)
Comment 3•6 years ago
|
||
Trunk is now 60. Wontfixing this for 58 since we don't have any dot releases in the works and are a week and a half away from 59 release.
Comment 4•6 years ago
|
||
Comment on attachment 8955212 [details] [diff] [review] Patch Adding mozilla-release flag here for 59.
Attachment #8955212 -
Flags: approval-mozilla-release?
Assignee | ||
Comment 5•6 years ago
|
||
Comment on attachment 8955212 [details] [diff] [review] Patch [Security approval request comment] How easily could an exploit be constructed based on the patch? not too easily, but it's obvious to spot the problem. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? 57+ If not all supported branches, which bug introduced the flaw? Bug 1397971 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should apply cleanly. How likely is this patch to cause regressions; how much testing does it need? Not likely.
Flags: needinfo?(emilio)
Attachment #8955212 -
Flags: sec-approval?
Comment 6•6 years ago
|
||
Comment on attachment 8955212 [details] [diff] [review] Patch Review of attachment 8955212 [details] [diff] [review]: ----------------------------------------------------------------- ::: layout/style/nsCSSValue.cpp @@ +2911,4 @@ > nsDependentCSubstring rust = GetRustString(); > nsString converted = NS_ConvertUTF8toUTF16(rust); > Servo_ReleaseArcStringData(&mStrings.mRustString); > + new (&mStrings) RustOrGeckoString(converted); It might be cleaner to also use > mStrings.~RustOrGeckoString(); for the previous line, I guess, so that we have a pair of dtor and ctor which tells reader that we are replacing the content.
Assignee | ||
Comment 7•6 years ago
|
||
(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #6) > It might be cleaner to also use > > mStrings.~RustOrGeckoString(); > for the previous line, I guess, so that we have a pair of dtor and ctor > which tells reader that we are replacing the content. Given that line does nothing, I'm not sure if it would help or add complexity... But sure, can do that.
Comment 8•6 years ago
|
||
I mean replace > Servo_ReleaseArcStringData(&mStrings.mRustString); with > mStrings.~RustOrGeckoString(); ... and then I realized that I was wrong... Ignore that, then.
Comment 9•6 years ago
|
||
Comment on attachment 8955212 [details] [diff] [review] Patch sec-approval+ for trunk.
Attachment #8955212 -
Flags: sec-approval? → sec-approval+
Updated•6 years ago
|
tracking-firefox59:
--- → +
tracking-firefox60:
--- → +
Assignee | ||
Comment 10•6 years ago
|
||
remote: View your change here: remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/5cb1132d56be5f2237a3c5cf26f90a8323838fe4
Comment 11•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5cb1132d56be
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment 12•6 years ago
|
||
Comment on attachment 8955212 [details] [diff] [review] Patch Approved for Fx59rc1.
Attachment #8955212 -
Flags: approval-mozilla-release?
Attachment #8955212 -
Flags: approval-mozilla-release+
Attachment #8955212 -
Flags: approval-mozilla-beta?
Attachment #8955212 -
Flags: approval-mozilla-beta+
Comment 13•6 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/c65305d4880f (FIREFOX_59b_RELBRANCH) https://hg.mozilla.org/releases/mozilla-release/rev/96e8880e3d86
Updated•6 years ago
|
Whiteboard: [adv-main59+]
Updated•6 years ago
|
Group: core-security → core-security-release
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•