Closed Bug 1575515 Opened 5 years ago Closed 5 years ago

mozilla::jsipc::JavaScriptBase::RecvDOMInstanceOf doesn't validate argument leading to out of bounds read

Categories

(Core :: JavaScript Engine, task)

Product:
Core
Component:
JavaScript Engine
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: pauljt, Unassigned)

References

Details

(Keywords: sec-low)

I found what looks like an issue using a static analysis tool to trace dataflow from IPC. RecvDOMInstanceOf, receives a integer argument depth which ultimately is used as an offset to when reading an array.

mozilla::jsipc::JavaScriptBase::RecvDOMInstanceOf takes an argument called depth , which is passed to WrapperAnswer::RecvDOMInstanceOf which then calls mozilla::dom::InterfaceHasInstance where the value is used as index (depth & prototypeID both come from IPC) :

bool InterfaceHasInstance(JSContext* cx, int prototypeID, int depth,
                          JS::Handle<JSObject*> instance, bool* bp) {
  const DOMJSClass* domClass = GetDOMClass(js::UncheckedUnwrap(instance));

  MOZ_ASSERT(!domClass || prototypeID != prototypes::id::_ID_Count,
             "Why do we have a hasInstance hook if we don't have a prototype "
             "ID?");

  *bp = (domClass && domClass->mInterfaceChain[depth] == prototypeID);
  return true;
}

At a quick skim, it looks like an out of bounds read, but the value isn't returned directly so not sure if really is a security issue. prototypeID is controlled by IPC so maybe could be infoleak through trial and error but it looks like prototypeID is constrained so maybe not. Anyways, I'm mostly filing this as I would like to make sure this from someone who knows this code better. And then either add a fix, or mark as false positive.

Hm I wonder if this (CPOW?) code is still reachable, it could be automation only IIRC.

It should be automation-only, yes. We still use CPOWs outside of automation, but only for object identity when passing objects from the child to the parent and back to the child. They can't actually be used as cross-process wrappers.

Also, we should never send CPOWs from the parent to the child, so there wouldn't be much opportunity to exploit this anyway.

Ah ok, thanks for the explanation! I'll mark as false positive.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

It might still make sense to fix this, but like Jan said after bug 1465911 there is hopefully no way to exploit this.

Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.