Closed Bug 1574971 Opened 6 years ago Closed 3 years ago

Consider using weak ptrs for mSegmentReader/mSegmentWriter in h2 code

Categories

(Core :: Networking: HTTP, task, P2)

Product:
Core
Component:
Networking: HTTP
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
94 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- fixed
firefox70 --- wontfix
firefox93 --- fixed
firefox94 --- fixed

People

(Reporter: mayhemer, Assigned: mayhemer)

References

Details

(Keywords: sec-want, Whiteboard: [necko-triaged][will fix sec-high UAFs])

Attachments

(3 files)

Bug 1574971, draft
47 bytes, text/x-phabricator-request
Details | Review
Bug 1574971 - Migrate some network classes to use multiple inheritance from SupportsWeakPtr<>
47 bytes, text/x-phabricator-request
Details | Review
Bug 1574971 - Turn segment reader and writer refrences to WeakPtrs where appropriate
47 bytes, text/x-phabricator-request
Details | Review

Currently those are raw ptrs. We never nullify them and we use them expecting to be non-null. When the outer class is released, those members keep refs to released memory, causing e.g. UAF bug 1402014.

I think these are single thread used (socket thread) so weak ptr would do well here to avoid cycles and UAFs.

Keywords: sec-want
Whiteboard: [necko-triaged] → [necko-triaged][will fix sec-high UAFs]
Assignee: nobody → honzab.moz
Priority: P1 → P2

Existing implementers of nsAHttpSegmentReader/nsAHttpSegmentWriter already mix* nsSupportsWeakReference and SupportsWeakPtr<T>. We need to consolidate first, I vote for SupportsWeakPtr<> . It's more modern.

    • nsHttpConnection was added along with HalfOpen nsSupportsWeakReference in bug bug 1341572.

Making base classes SupportsWeakPtr-derived + the final class again SupportsWeakPtr-derived (for it's own type) causes a compilation error for SelfReferencingWeakPtr() being declared on base and derived again with only the return type differing.

I tried some template EnableIf magic, but that doesn't work as I'd like to.

Attached file Bug 1574971, draft

Nathan, FYI, this bug is the main motivation for bug 1580182. I don't want to add dependencies to open bugs here.

(add more info what blocks me)

Flags: needinfo?(honzab.moz)

(In reply to Honza Bambas (:mayhemer) from comment #7)

(add more info what blocks me)

I'll go with Comment 6 and see how it goes.

Flags: needinfo?(honzab.moz)

Releasing this bug from now, I don't think we have an immediate problem here. This could be actually considered an enhancement/improvement of the existing code only.

Assignee: honzab.moz → nobody
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Fixed in bug 1667102 (I think).

Group: network-core-security → core-security-release
status-firefox70: affectedwontfix
status-firefox93: --- → fixed
status-firefox94: --- → fixed
status-firefox-esr91: --- → fixed
Depends on: CVE-2021-43535
Target Milestone: --- → 94 Branch
Depends on: 1740274
Attachment #9092734 - Attachment is obsolete: true
Assignee: nobody → honzab.moz
Group: core-security-release
Attachment #9092734 - Attachment is obsolete: false
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: