Closed
Bug 1504365
Opened 6 years ago
Closed 6 years ago
Potential shutdown UAF in various shutdown observers
Categories
(Core :: General, defect)
Core
General
Tracking
()
RESOLVED
FIXED
mozilla65
People
(Reporter: mccr8, Assigned: mccr8)
References
Details
(Keywords: csectype-uaf, sec-moderate, Whiteboard: [adv-main64+][adv-esr60.4+])
Attachments
(1 file, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr60+
|
Details | Review |
It is possible for the event loop to spin while the observer service is notifying things of shutdown. In that case, TextTractManager can be destroyed while its ShutdownObserverProxy is still alive, leading to a UAF. The fix is to clear the pointer for the shutdown observer when destroying the manager.
This happened on tree herder for similar class for the canvas context in bug 1503082.
|
Assignee | |
Comment 1•6 years ago
|
||
Another class that uses this bad pattern is WidgetShutdownObserver.
Component: DOM → General
Summary: Potential shutdown UAF in TextTrackManager::ShutdownObserverProxy::Observe() → Potential shutdown UAF in various shutdown observers
|
|
Assignee | |
Comment 2•6 years ago
|
||
Also, WillShutdownObserver in gfx/thebes/gfxFT2FontList.cpp.
I found these by auditing every class that has "ShutdownObserver" in the name. I don't know if there's a better way to look for these.
|
|
Assignee | |
Comment 3•6 years ago
|
||
I was wrong about WidgetShutdownObserver. The widget dtor calls WidgetShutdownObserver::Unregister(), which does clear the weak pointer.
|
|
Assignee | |
Comment 4•6 years ago
|
||
|
||
Comment 5•6 years ago
|
||
I think Gabriel is ran into something similar in has ObserverService refactoring in bug 1435683. Gabriel do you have patches that already cover this, or am I mistaken?
Flags: needinfo?(gsvelto)
|
||
Comment 6•6 years ago
|
||
No, I hadn't run into this particular issue yet though I fixed one that's vaguely similar in bug 1476250 (but those were different type of observers).
Flags: needinfo?(gsvelto)
|
|
Assignee | |
Comment 7•6 years ago
|
||
> This changes the order of NotifyShutdown and UnregisterShutdownObserver, is that intentional and desired?
This is needed because Unregister clears mManager. I think the order shouldn't matter.
> It seems like this won't compile due to mObserver not being a member. I think you want this?
Good catch. I thought this file was Windows-only for some reason, and I did a Windows try run, but it looks like it is Android only. (Of course, the only platform I failed to test...)
> What's the point moving this to a Remove method if this is the only thing that calls it?
Remove() accesses a protected member, mFontList.
> Also, don't we still want to clear mObserver?
mObserver is an nsCOMPtr, so clearing it does not do anything.
|
|
Assignee | |
Comment 8•6 years ago
|
||
|
||
Updated•6 years ago
|
Attachment #9023443 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 9•6 years ago
|
||
This version actually builds on Android!
|
||
Comment 10•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/f5c1dbff0c9afe001c1f32576058138c7b799d2b
https://hg.mozilla.org/mozilla-central/rev/f5c1dbff0c9a
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
|
||
Comment 11•6 years ago
|
||
Please nominate this for Beta/ESR60 approval when you get a chance. It grafts cleanly to both as-landed.
status-firefox63:
--- → wontfix
status-firefox64:
--- → affected
status-firefox-esr60:
--- → affected
tracking-firefox64:
--- → +
tracking-firefox65:
--- → +
tracking-firefox-esr60:
--- → 64+
Flags: needinfo?(continuation)
|
|
Assignee | |
Comment 12•6 years ago
|
||
Comment on attachment 9026223 [details]
Bug 1504365 - Clear weak pointers in shutdown observers.
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is probably not an exploitable issue, but it might be, and seems low risk.
User impact if declined: see previous
Fix Landed on Version: 65
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Low risk. This just clears out some pointers during shutdown.
String or UUID changes made by this patch: none
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: None
User impact if declined:
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: No
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String changes made/needed:
Flags: needinfo?(continuation)
Attachment #9026223 -
Flags: approval-mozilla-esr60?
Attachment #9026223 -
Flags: approval-mozilla-beta?
|
|
||
Comment 13•6 years ago
|
||
Comment on attachment 9026223 [details]
Bug 1504365 - Clear weak pointers in shutdown observers.
[Triage Comment]
Low-risk sec fix, approved for 64.0b13 and 60.4.0esr.
Attachment #9026223 -
Flags: approval-mozilla-esr60?
Attachment #9026223 -
Flags: approval-mozilla-esr60+
Attachment #9026223 -
Flags: approval-mozilla-beta?
Attachment #9026223 -
Flags: approval-mozilla-beta+
|
|
||
Comment 14•6 years ago
|
||
| uplift | ||
|
|
||
Updated•6 years ago
|
Flags: qe-verify-
|
|
||
Comment 15•6 years ago
|
||
| uplift | ||
|
||
Updated•6 years ago
|
Whiteboard: [adv-main64+][adv-esr60.4+]
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•