Closed Bug 1600570 Opened 1 year ago Closed 11 months ago

Refactor StreamControl's lifecycle to avoid self-deletion

Categories

(Core :: DOM: Service Workers, task, P3)

RESOLVED DUPLICATE of bug 1626728

People

(Reporter: ytausky, Assigned: ytausky)

Details

(Keywords: sec-want)

Currently CacheStreamControlParent deletes itself via a very long chain of function calls that begins here and ends here. This needs to be changed, as this is a source of use-after-free bugs, e.g. bug 1507180.

:ytausky, do we have any hint on the risk of other UAFs caused by this? Are there even other existing ones we could try to re-conduct to this reason?

Flags: needinfo?(ytausky)

This is generally risky, because any code that remains on the stack and touches the destructed object's fields is a UAF. I don't know of any other bugs we currently have in this area (if there were, then bug 1507180's error message would have appeared there instead). The current risk from this is that some other code change could easily introduce a UAF without it being obvious from looking at it.

Flags: needinfo?(ytausky)
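The hazard described in the comment above, as an added example that is not part of the original thread and is not Gecko code: a call chain whose last link drops the owner's only reference while an earlier frame still writes to a member. All names (`Control`, `NoteClosed`, `CloseAll`, `Shutdown`, `RunScenario`) are hypothetical, and the keep-alive shown is one common mitigation, not the refactoring done for this bug.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed illustration; none of these names come from Gecko.
static std::vector<std::string> g_log;  // records the order of events

class Control : public std::enable_shared_from_this<Control> {
 public:
  explicit Control(std::function<void()> releaseOwnerRef)
      : mReleaseOwnerRef(std::move(releaseOwnerRef)) {}
  ~Control() { g_log.push_back("destroyed"); }

  // Entry point of the chain. Without keepAlive, Shutdown() would drop the
  // last reference and destroy *this, and the write to mClosed below would
  // be a use-after-free from a frame that is still on the stack.
  void NoteClosed() {
    std::shared_ptr<Control> keepAlive = shared_from_this();  // pin for this frame
    CloseAll();
    mClosed = true;  // safe only because of the pin above
    g_log.push_back("member written after chain");
  }  // keepAlive released here; destruction happens after the last member access

 private:
  void CloseAll() { Shutdown(); }
  void Shutdown() { mReleaseOwnerRef(); }  // owner drops its reference here

  std::function<void()> mReleaseOwnerRef;
  bool mClosed = false;
};

// Runs the scenario and returns the recorded event order.
std::vector<std::string> RunScenario() {
  g_log.clear();
  std::shared_ptr<Control> owner;
  owner = std::make_shared<Control>([&owner] { owner.reset(); });
  owner.get()->NoteClosed();  // caller only has a raw pointer during the call
  return g_log;
}

int main() {
  for (const std::string& e : RunScenario()) std::cout << e << "\n";
}
```

The recorded order shows the destructor running only after the frame's last member access; removing the `keepAlive` line turns the same chain into the self-deletion pattern the bug describes.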

sec-want issue and it's a task, so mark this as P3. Please feel free to raise the priority!

Priority: -- → P3
Assignee: nobody → ytausky
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2020-6820
Group: dom-core-security