Closed Bug 1611457 Opened 3 years ago Closed 2 years ago

JSWindowActor runs script at unsafe times

Categories

(Core :: DOM: Content Processes, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People

(Reporter: bzbarsky, Assigned: nika)

Details

(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main74+r])

Attachments

(1 file)

STEPS TO REPRODUCE:

  1. Apply patch from bug 1181918. Might need merging to tip.
  2. Try to start a debug build

I get an assertion failure with this stack:

#16 0x00007ffa17c9c1d3 in MOZ_ReportAssertionFailure(char const*, char const*, int)
    (aStr=0x85 <error: Cannot access memory at address 0x85>, aFilename=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, aLine=0) at ../../dist/include/mozilla/Assertions.h:184
#17 0x00007ffa17cb2efb in mozilla::dom::AutoEntryScript::AutoEntryScript(nsIGlobalObject*, char const*, bool) (this=0x7fff0616abd0, aGlobalObject=
    0x7ff9ffac1e00, aReason=0x7ffa0ee1fac1 "JSWindowActor destroy callback", aIsMainThread=true) at /home/bzbarsky/mozilla/dom-work/mozilla/dom/script/ScriptSettings.cpp:585
#18 0x00007ffa17a910f4 in mozilla::dom::JSWindowActor::InvokeCallback(mozilla::dom::JSWindowActor::CallbackFunction) (this=0x7ff9ff678280, callback=mozilla::dom::JSWindowActor::CallbackFunction::WillDestroy)
    at /home/bzbarsky/mozilla/dom-work/mozilla/dom/ipc/JSWindowActor.cpp:58
#19 0x00007ffa17a93fce in mozilla::dom::JSWindowActorChild::StartDestroy() (this=0x7ff9ff678280) at /home/bzbarsky/mozilla/dom-work/mozilla/dom/ipc/JSWindowActorChild.cpp:148
#20 0x00007ffa17ab2ae8 in mozilla::dom::WindowGlobalChild::Destroy() (this=0x7ff9ff62c940) at /home/bzbarsky/mozilla/dom-work/mozilla/dom/ipc/WindowGlobalChild.cpp:235
#21 0x00007ffa15cab0f1 in nsGlobalWindowInner::FreeInnerObjects() (this=0x7ff9fde11400) at ../../../mozilla/dom/base/nsGlobalWindowInner.cpp:1223
#22 0x00007ffa15cd75eb in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) (
    this=0x7ff9ffa935c8, aDocument=<optimized out>, aState=0x0, aForceReuseInnerWindow=<optimized out>, aActor=<optimized out>) at ../../../mozilla/dom/base/nsGlobalWindowOuter.cpp:2216
#23 0x00007ffa18147e4a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool)
    (this=<optimized out>, aParentWidget=0x7ff900000001, aState=0x0, aActor=0x0, aBounds=..., aDoCreation=<optimized out>, aNeedMakeCX=<optimized out>, aForceSetNewDocument=<optimized out>)
    at /home/bzbarsky/mozilla/dom-work/mozilla/layout/base/nsDocumentViewer.cpp:955
#24 0x00007ffa181479cb in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*)
    (this=0x2, aParentWidget=0x7fff06168430, aBounds=..., aActor=0xffffffffffffffff) at /home/bzbarsky/mozilla/dom-work/mozilla/layout/base/nsDocumentViewer.cpp:757
#25 0x00007ffa191e82dd in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) (this=<optimized out>, aNewViewer=0x7ff900000000, aWindowActor=<optimized out>)
    at /home/bzbarsky/mozilla/dom-work/mozilla/docshell/base/nsDocShell.cpp:8016
#26 0x00007ffa191e7af6 in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) (this=0x7ff9fde5b800, aContentViewer=0x7fff06168430, aWindowActor=0x85)
    at /home/bzbarsky/mozilla/dom-work/mozilla/docshell/base/nsDocShell.cpp:5791
#27 0x00007ffa191cdb4e in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)
    (this=<optimized out>, aContentType=..., aRequest=<optimized out>, aContentHandler=<optimized out>) at /home/bzbarsky/mozilla/dom-work/mozilla/docshell/base/nsDocShell.cpp:7818

The scriptblocker in question is the one that went on the stack at the top of nsDocumentViewer::InitInternal.

Should this stuff be running off a scriptrunner?

Flags: needinfo?(nika)
Assignee: nobody → nika
Status: NEW → ASSIGNED
Flags: needinfo?(nika)
Depends on: 1612724
Attachment #9123790 - Attachment description: Bug 1611457 - Respect script blocker in JSWindowActor, r=bzbarsky → Bug 1611457 - Respect script blocker in JSWindowActor,
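The stack above shows an actor callback entering JS (AutoEntryScript) while the script blocker pushed by nsDocumentViewer::InitInternal is still on the stack, and the patch title says the fix is to respect that blocker. The following is an added, self-contained C++ model of that pattern, not Gecko's code: gScriptBlockerCount, AutoScriptBlocker, AddScriptRunner, EnterJS, InvokeCallback and TearDownInnerWindow are simplified stand-ins for the nsAutoScriptBlocker / nsContentUtils::AddScriptRunner / AutoEntryScript machinery, and deferring through a script runner is one way to honour the blocker.

```cpp
#include <functional>
#include <string>
#include <vector>
// Simplified model of Gecko's script-blocker machinery (not Gecko's code): a
// blocker depth, IsSafeToRunScript(), and a runner queue drained when the last
// blocker leaves the stack. gLog records what ran, in what order.
static int gScriptBlockerCount = 0;
static std::vector<std::function<void()>> gScriptRunners;
static std::vector<std::string> gLog;
static bool IsSafeToRunScript() { return gScriptBlockerCount == 0; }

// RAII stand-in for nsAutoScriptBlocker (InitInternal holds one of these).
struct AutoScriptBlocker {
  AutoScriptBlocker() { ++gScriptBlockerCount; }
  ~AutoScriptBlocker() {
    if (--gScriptBlockerCount != 0) return;
    std::vector<std::function<void()>> pending;
    pending.swap(gScriptRunners);  // runners may themselves queue runners
    for (auto& run : pending) run();
  }
};

// Stand-in for nsContentUtils::AddScriptRunner: run now if safe, else defer.
static void AddScriptRunner(const std::function<void()>& aRunner) {
  if (IsSafeToRunScript()) aRunner();
  else gScriptRunners.push_back(aRunner);
}
// Entering JS under a blocker is what AutoEntryScript asserts on; logged here.
static void EnterJS(const std::string& aReason) {
  gLog.push_back((IsSafeToRunScript() ? "js:" : "ASSERT js:") + aReason);
}
// Buggy path calls into JS synchronously from the destroy path; the fixed path
// (aRespectBlocker) defers the callback through a script runner instead.
static void InvokeCallback(const std::string& aName, bool aRespectBlocker) {
  if (aRespectBlocker) AddScriptRunner([aName] { EnterJS(aName); });
  else EnterJS(aName);
}

// Models WindowGlobalChild::Destroy running under InitInternal's blocker.
static std::vector<std::string> TearDownInnerWindow(bool aRespectBlocker) {
  gLog.clear();
  {
    AutoScriptBlocker blocker;
    gLog.push_back("FreeInnerObjects");
    InvokeCallback("willDestroy", aRespectBlocker);
    gLog.push_back("blocker-held");
  }  // blocker pops here, so deferred runners fire now
  return gLog;
}
```

Calling TearDownInnerWindow(false) reproduces the report's ordering (JS entered while the blocker is held, which is where the real assertion fires); TearDownInnerWindow(true) shows the callback running only after the blocker has popped.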

bz: Is this a sec-moderate or sec-high kind of issue? Isn't JSWindowActor a chrome thing, or can web content be impacted as well?

Flags: needinfo?(bzbarsky)

It's purely a chrome JS thing; this doesn't allow web content to run during !IsSafeToRunScript times. I think this is at most sec-moderate (potentially even sec-low, or sec-other? It may be unexploitable).

Flags: needinfo?(bzbarsky)

I agree with Nika: this is a sec-moderate at best as things stand.

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74

Doesn't sound like we need this on ESR. Please nominate for approval if you disagree, however.

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main74+r]
Group: core-security-release