Closed Bug 1479588 Opened 6 years ago Closed 6 years ago

No null-check on mParentContent when creating remote browsers

Categories: Core :: DOM: Core & HTML, defect, P2

Tracking: RESOLVED FIXED, target milestone mozilla63
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- fixed

People: Reporter: nika, Assigned: nika

Details: Keywords: crash, csectype-nullptr, testcase-wanted; Whiteboard: [sg:dos]

Attachments: 1 file

We currently do this check for non-remote browsers correctly.

This caused me a segfault in some code when running the debugger, due to the debugger attempting to access the loadContext argument of a dead nsFrameLoader and causing a null deref.
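The following is an added illustration of the pattern described in comment 0 and fixed by the patch; it is not code from this bug or from Gecko. The classes (OwnerContent, FrameLoader, RemoteBrowser) and the methods (Destroy, TryRemoteBrowserUnchecked, TryRemoteBrowserChecked, DemoGuardedPath) are simplified stand-ins invented for the example; only the mOwnerContent field name is taken from the patch title. A frame loader whose owner element has gone away ("dead") still exists as an object, so a code path that dereferences the owner pointer unconditionally is a guaranteed null deref; the guarded path refuses to start a remote browser instead, mirroring the check the non-remote path already performed.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Hypothetical stand-in for the owning element (not Gecko's nsIContent).
struct OwnerContent {
    std::string loadContextName;  // stands in for the owner's load context
};

// Hypothetical stand-in for a remote (out-of-process) browser.
class RemoteBrowser {
public:
    explicit RemoteBrowser(const std::string& ctx) : mContext(ctx) {}
    const std::string& Context() const { return mContext; }
private:
    std::string mContext;
};

// Hypothetical stand-in for nsFrameLoader; only mOwnerContent mirrors the
// field named in the patch.
class FrameLoader {
public:
    explicit FrameLoader(OwnerContent* owner) : mOwnerContent(owner) {}

    // Called when the owning element goes away: the loader is now "dead"
    // but the object itself still exists and can still be reached.
    void Destroy() { mOwnerContent = nullptr; }

    bool IsDead() const { return mOwnerContent == nullptr; }

    // Pre-fix shape: dereferences mOwnerContent unconditionally.
    // Calling this on a dead loader is a null dereference (crash).
    std::unique_ptr<RemoteBrowser> TryRemoteBrowserUnchecked() {
        return std::make_unique<RemoteBrowser>(mOwnerContent->loadContextName);
    }

    // Post-fix shape: fail cleanly when there is no owner, the same check
    // the non-remote path already does.
    std::unique_ptr<RemoteBrowser> TryRemoteBrowserChecked() {
        if (!mOwnerContent) {
            return nullptr;  // dead loader: refuse instead of crashing
        }
        return std::make_unique<RemoteBrowser>(mOwnerContent->loadContextName);
    }

private:
    OwnerContent* mOwnerContent;  // non-owning; null once the owner is gone
};

// Drive the guarded path on a live loader (destroyFirst == false) and on a
// dead one (destroyFirst == true). Returns whether a browser was created.
bool DemoGuardedPath(bool destroyFirst) {
    OwnerContent owner{"content-ctx"};  // constructed sample input
    FrameLoader loader(&owner);
    if (destroyFirst) {
        loader.Destroy();
    }
    std::unique_ptr<RemoteBrowser> browser = loader.TryRemoteBrowserChecked();
    return browser != nullptr;
}

int main() {
    std::printf("live loader -> browser created: %s\n",
                DemoGuardedPath(false) ? "yes" : "no");
    std::printf("dead loader -> browser created: %s\n",
                DemoGuardedPath(true) ? "yes" : "no");
    return 0;
}
```

TryRemoteBrowserUnchecked is kept only to show the pre-fix shape; never call it on a loader after Destroy(). The guarded version turns the crash into an ordinary failure return, which is why the bug was ultimately triaged as a denial-of-service rather than a memory-safety issue.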
Comment on attachment 8996092 [details]
Bug 1479588 - Check mOwnerContent when starting new remote browser, r=bzbarsky

Boris Zbarsky [:bz] (no decent commit message means r-) has approved the revision.

https://phabricator.services.mozilla.com/D2524
Attachment #8996092 - Flags: review+
Is this really a security bug? "dead nsFrameLoader" sounds bad, but this patch fixes a guaranteed null-deref. Are there other places/ways the dead nsFrameLoader could be referenced and do bad things without hitting this null? If so that's not getting fixed here (yet?) but does sound like a good reason to keep the bug hidden.
Group: core-security → dom-core-security
Has STR: --- → no
Flags: needinfo?(nika)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Is this really a security bug? "dead nsFrameLoader" sounds bad, but this
> patch fixes a guaranteed null-deref. Are there other places/ways the dead
> nsFrameLoader could be referenced and do bad things without hitting this
> null? If so that's not getting fixed here (yet?) but does sound like a good
> reason to keep the bug hidden.

I am not aware of any way to trigger this without opening the jsdebugger, and I don't think there's any way to make it anything other than a null-deref, so I imagine this is not really a sec bug, but I marked it as one just in case.
Flags: needinfo?(nika)
Group: dom-core-security
Whiteboard: [sg:dos]
Priority: -- → P2
Attachment #8996092 - Attachment description: Bug 1479588 - Check mParentContent when starting new remote browser, r=bzbarsky → Bug 1479588 - Check mOwnerContent when starting new remote browser, r=bzbarsky
Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a578e22f77c6
Check mOwnerContent when starting new remote browser, r=bzbarsky
https://hg.mozilla.org/mozilla-central/rev/a578e22f77c6
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Component: DOM → DOM: Core & HTML
Type: enhancement → defect