Closed
Bug 1611457
Opened 4 years ago
Closed 4 years ago
JSWindowActor runs script at unsafe times
Categories: Core :: DOM: Content Processes, defect
Tracking: RESOLVED FIXED, mozilla74
People: Reporter: bzbarsky, Assigned: nika
Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main74+r]
Attachments: 1 file
STEPS TO REPRODUCE:
- Apply patch from bug 1181918. Might need merging to tip.
- Try to start a debug build
I get an assertion failure with this stack:
#16 0x00007ffa17c9c1d3 in MOZ_ReportAssertionFailure(char const*, char const*, int)
(aStr=0x85 <error: Cannot access memory at address 0x85>, aFilename=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, aLine=0) at ../../dist/include/mozilla/Assertions.h:184
#17 0x00007ffa17cb2efb in mozilla::dom::AutoEntryScript::AutoEntryScript(nsIGlobalObject*, char const*, bool) (this=0x7fff0616abd0, aGlobalObject=
0x7ff9ffac1e00, aReason=0x7ffa0ee1fac1 "JSWindowActor destroy callback", aIsMainThread=true) at /home/bzbarsky/mozilla/dom-work/mozilla/dom/script/ScriptSettings.cpp:585
#18 0x00007ffa17a910f4 in mozilla::dom::JSWindowActor::InvokeCallback(mozilla::dom::JSWindowActor::CallbackFunction) (this=0x7ff9ff678280, callback=mozilla::dom::JSWindowActor::CallbackFunction::WillDestroy)
at /home/bzbarsky/mozilla/dom-work/mozilla/dom/ipc/JSWindowActor.cpp:58
#19 0x00007ffa17a93fce in mozilla::dom::JSWindowActorChild::StartDestroy() (this=0x7ff9ff678280) at /home/bzbarsky/mozilla/dom-work/mozilla/dom/ipc/JSWindowActorChild.cpp:148
#20 0x00007ffa17ab2ae8 in mozilla::dom::WindowGlobalChild::Destroy() (this=0x7ff9ff62c940) at /home/bzbarsky/mozilla/dom-work/mozilla/dom/ipc/WindowGlobalChild.cpp:235
#21 0x00007ffa15cab0f1 in nsGlobalWindowInner::FreeInnerObjects() (this=0x7ff9fde11400) at ../../../mozilla/dom/base/nsGlobalWindowInner.cpp:1223
#22 0x00007ffa15cd75eb in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) (
this=0x7ff9ffa935c8, aDocument=<optimized out>, aState=0x0, aForceReuseInnerWindow=<optimized out>, aActor=<optimized out>) at ../../../mozilla/dom/base/nsGlobalWindowOuter.cpp:2216
#23 0x00007ffa18147e4a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool)
(this=<optimized out>, aParentWidget=0x7ff900000001, aState=0x0, aActor=0x0, aBounds=..., aDoCreation=<optimized out>, aNeedMakeCX=<optimized out>, aForceSetNewDocument=<optimized out>)
at /home/bzbarsky/mozilla/dom-work/mozilla/layout/base/nsDocumentViewer.cpp:955
#24 0x00007ffa181479cb in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*)
(this=0x2, aParentWidget=0x7fff06168430, aBounds=..., aActor=0xffffffffffffffff) at /home/bzbarsky/mozilla/dom-work/mozilla/layout/base/nsDocumentViewer.cpp:757
#25 0x00007ffa191e82dd in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) (this=<optimized out>, aNewViewer=0x7ff900000000, aWindowActor=<optimized out>)
at /home/bzbarsky/mozilla/dom-work/mozilla/docshell/base/nsDocShell.cpp:8016
#26 0x00007ffa191e7af6 in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) (this=0x7ff9fde5b800, aContentViewer=0x7fff06168430, aWindowActor=0x85)
at /home/bzbarsky/mozilla/dom-work/mozilla/docshell/base/nsDocShell.cpp:5791
#27 0x00007ffa191cdb4e in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)
(this=<optimized out>, aContentType=..., aRequest=<optimized out>, aContentHandler=<optimized out>) at /home/bzbarsky/mozilla/dom-work/mozilla/docshell/base/nsDocShell.cpp:7818
The scriptblocker in question is the one that went on the stack at the top of nsDocumentViewer::InitInternal.
Should this stuff be running off a scriptrunner?
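As an added illustration (this example's own model, not Gecko or Mozilla code): the script-blocker and script-runner discipline the description asks about, with the reported destroy path replayed in its buggy shape and in a blocker-respecting shape. ScriptBlocker, IsSafeToRunScript, AddScriptRunner, EnterScript and the two ActorWillDestroy functions are stand-ins for nsAutoScriptBlocker, nsContentUtils::IsSafeToRunScript, nsContentUtils::AddScriptRunner and AutoEntryScript, and the log lines are constructed.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Stand-ins of this example (not Gecko APIs): blocker depth, deferred runner queue, event log.
static int gScriptBlockerCount = 0;
static std::vector<std::function<void()>> gScriptRunners;
static std::vector<std::string> gLog;

bool IsSafeToRunScript() { return gScriptBlockerCount == 0; }
// Run now if safe; otherwise defer until the outermost blocker is released.
void AddScriptRunner(std::function<void()> aRunner) {
  if (IsSafeToRunScript()) { aRunner(); return; }
  gScriptRunners.push_back(std::move(aRunner));
}
// RAII blocker: while one is alive, entering script is a bug (debug assertion).
struct ScriptBlocker {
  ScriptBlocker() { ++gScriptBlockerCount; }
  ~ScriptBlocker() {
    if (--gScriptBlockerCount != 0) return;
    std::vector<std::function<void()>> runners;
    runners.swap(gScriptRunners);  // flush deferred callbacks now that it is safe
    for (auto& r : runners) r();
  }
};
// Models AutoEntryScript: records an assertion instead of aborting when unsafe.
bool EnterScript(const std::string& aReason) {
  if (!IsSafeToRunScript()) { gLog.push_back("ASSERT:" + aReason); return false; }
  gLog.push_back("ran:" + aReason);
  return true;
}
// Bug shape: the destroy callback enters chrome JS straight from the destroy path.
void ActorWillDestroyUnsafe() { EnterScript("JSWindowActor destroy callback"); }
// Fixed shape: the callback respects the blocker by going through a script runner.
void ActorWillDestroySafe() {
  AddScriptRunner([] { EnterScript("JSWindowActor destroy callback"); });
}
// Replays the reported stack: InitInternal holds a blocker while SetNewDocument tears down the old inner window and destroys the actor. Returns the log.
std::vector<std::string> RunScenario(bool aFixed) {
  gLog.clear(); gScriptRunners.clear(); gScriptBlockerCount = 0;
  {
    ScriptBlocker blocker;  // InitInternal's nsAutoScriptBlocker
    gLog.push_back("SetNewDocument");
    if (aFixed) ActorWillDestroySafe(); else ActorWillDestroyUnsafe();
    gLog.push_back("blocker still active");
  }  // blocker released here; deferred runners flush
  return gLog;
}
```

In the buggy run the callback fires while the blocker is still on the stack, which is exactly where the debug build asserts; in the fixed run it is deferred until the blocker is gone.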
Updated•4 years ago (Reporter)
Flags: needinfo?(nika)
Comment 1•4 years ago (Assignee)
Updated•4 years ago
Assignee: nobody → nika
Status: NEW → ASSIGNED
Updated•4 years ago (Assignee)
Flags: needinfo?(nika)
Updated•4 years ago
Attachment #9123790 - Attachment description: Bug 1611457 - Respect script blocker in JSWindowActor, r=bzbarsky → Bug 1611457 - Respect script blocker in JSWindowActor,
Comment 2•4 years ago
bz: is this a sec-moderate or sec-high kind of issue? isn't JSWindowActor a chrome thing, or can web content be impacted as well?
Updated•4 years ago
Flags: needinfo?(bzbarsky)
Comment 3•4 years ago (Assignee)
It's purely a chrome JS thing; this doesn't allow web content to run during !IsSafeToRunScript times. I think this is at most sec-moderate (potentially even sec-low, or sec-other? It may be unexploitable).
Flags: needinfo?(bzbarsky)
Updated•4 years ago
Keywords: sec-moderate
Comment 4•4 years ago (Reporter)
I agree with Nika: this is a sec-moderate at best as things stand.
Comment 5•4 years ago
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox74: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Comment 6•4 years ago
Doesn't sound like we need this on ESR. Please nominate for approval if you disagree, however.
Updated•4 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•4 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main74+r]
Updated•3 years ago
Group: core-security-release