Closed Bug 1639590 (CVE-2020-12406) Opened 4 years ago Closed 4 years ago

Fix GetOwnPropertyPure


(Core :: JavaScript Engine, defect, P1)




Tracking Status
firefox-esr68 77+ fixed
firefox76 --- wontfix
firefox77 + fixed
firefox78 + fixed


(Reporter: iain, Assigned: iain)




(Keywords: regression, sec-high, Whiteboard: [adv-main77+][adv-esr68.9+][post-critsmash-triage][sec-survey])


(2 files)

In bug 1620193 we fixed a mistake that crept in during unboxed objects removal, where we didn't check that an object was native before calling as<NativeObject> on it. (Fortunately proxy objects couldn't reach that point, so it only affected typed objects, which are nightly-only.)

That patch was flagged in a mozregression for bug 1638706. I've convinced myself that the mozregression was wrong, but while I was staring at this code I noticed that there was a second instance of the same bug in the following function.

Like bug 1620193, this bug should only affect nightly.

Summary: Finish → Fix GetOwnPropertyPure
Group: core-security → javascript-core-security
Keywords: regression, sec-high
Type: task → defect

I think the tracking flags are wrong, and I've reset them based on the original regressing bug (also set).

You can see the old isNative check here:

Has Regression Range: --- → yes

We're building the RC builds for 77/68.9esr early next week, so please request sec-approval on this patch ASAP. Looks like the patch applies cleanly as-is to Beta and ESR68, so feel free to go ahead with those approval requests also.

Flags: needinfo?(iireland)

Comment on attachment 9150467 [details]
Bug 1639590: Finish removing unboxed objects code r=mgaudet

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unclear. This bug was identified by looking at the code, not based on a failing testcase. The incorrect function only has two callers, so it's possible that it can't be exploited.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: Bug 1505574
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: This patch applies cleanly to all supported branches.
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely. Any code affected by this patch would trigger a debug assert. Also, like the equivalent bug in bug 1620193, this should only be possible to trigger using typed objects, which are nightly only.
Flags: needinfo?(iireland)
Attachment #9150467 - Flags: sec-approval?

Comment on attachment 9150467 [details]
Bug 1639590: Finish removing unboxed objects code r=mgaudet


Attachment #9150467 - Flags: sec-approval? → sec-approval+

Comment on attachment 9150467 [details]
Bug 1639590: Finish removing unboxed objects code r=mgaudet

we're going to take this in FIrefox 77, which means landing on mozilla-release, and also landing on the ESR branch (no RC for ESR yet so I don't think there's any special sub-branch). a=dveditz for branches after checking w/Ryan and Pascal

Attachment #9150467 - Flags: approval-mozilla-release+
Attachment #9150467 - Flags: approval-mozilla-esr68+
Attachment #9150467 - Flags: approval-mozilla-beta+
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Whiteboard: [adv-main77+]
Whiteboard: [adv-main77+] → [adv-main77+][adv-esr68.9+]
Attached file advisory.txt
Alias: CVE-2020-12406
Flags: qe-verify-
Whiteboard: [adv-main77+][adv-esr68.9+] → [adv-main77+][adv-esr68.9+][post-critsmash-triage]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(iireland)
Whiteboard: [adv-main77+][adv-esr68.9+][post-critsmash-triage] → [adv-main77+][adv-esr68.9+][post-critsmash-triage][sec-survey]
Flags: needinfo?(iireland)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.