Always clear nsSHistory::mRootBC before deleting the relevant BrowsingContext
Categories
(Core :: DOM: Navigation, defect, P2)
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [sec-survey][adv-main91+r][adv-esr78.13+r])
Attachments
(3 files, 1 obsolete file)
48 bytes,
text/x-phabricator-request
|
dveditz
:
sec-approval+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-esr78+
tjr
:
sec-approval+
|
Details | Review |
Accessing deleted object is possibly the reason for bug 1704718.
Patch coming.
This is not Fission specific.
Assignee | ||
Comment 1•3 years ago
|
||
Writing the test took a bit time, and it is for the CanonicalBrowsingContext owner only.
The test crashes at least in Fission without the patch.
The stack isn't quite the same as in the other bug, but the top part of it looks similar.
Updated•3 years ago
|
Assignee | ||
Comment 2•3 years ago
|
||
Depends on D119114
Assignee | ||
Comment 3•3 years ago
|
||
Had to expand NS_IMPL_CYCLE_COLLECTION_INHERITED(CanonicalBrowsingContext)
to be able to add the code to unlink and also added destructor for CanonicalBrowsingContext.
Assignee | ||
Comment 4•3 years ago
|
||
For some reason the testcase doesn't trigger the crash on esr78 although there is similar code there.
Assignee | ||
Comment 5•3 years ago
|
||
Assignee | ||
Comment 6•3 years ago
|
||
Comment on attachment 9229782 [details]
Bug 1719178 - properly disconnect nsSHistory from the owner object, r=peterv
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I don't know how one could trigger the issue from a web page. There is the separate test which runs in the parent process and uses chrome only APIs which can trigger the crash quite easily
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: The patch should be safe. Just clearing a variable when the owner is going away.
Beta/Release Uplift Approval Request
- User impact if declined: Crashes, especially with Fission
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String or UUID changes made by this patch:
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 7•3 years ago
|
||
Comment on attachment 9230161 [details]
Bug 1719178 - properly disconnect nsSHistory from the owner object (for esr78), r=peterv
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String or UUID changes made by this patch:
Comment 8•3 years ago
|
||
We've already built (and maybe released to beta channel?) RC builds for the Fx90 release in 5 days. Given the STR (in the other bug) involve user interaction in chrome-privileged pages, and your comment above about chrome-only APIs this bug doesn't rate a re-spin. and will have to wait for 91. In fact, given those constraints maybe it's really sec-moderate
despite being a UAF.
Comment 9•3 years ago
|
||
Comment on attachment 9230139 [details]
Bug 1719178 - properly disconnect nsSHistory from the owner object (for beta 90), r=peterv
Too late for 90
Comment 10•3 years ago
|
||
Comment on attachment 9229782 [details]
Bug 1719178 - properly disconnect nsSHistory from the owner object, r=peterv
sec-approval = dveditz
This can land now on nightly, and then ride the train to Fx91. Will approve for ESR-78 later -- please don't land on ESR during this cycle!
Comment 11•3 years ago
|
||
Comment on attachment 9230161 [details]
Bug 1719178 - properly disconnect nsSHistory from the owner object (for esr78), r=peterv
Explicitly setting the sec-approval request on the ESR patch because we will want to approve it after the July 13 release.
Updated•3 years ago
|
Assignee | ||
Comment 12•3 years ago
|
||
Ok, and I'll land the test once the patch is in esr78 too.
Comment 13•3 years ago
|
||
properly disconnect nsSHistory from the owner object, r=peterv
https://hg.mozilla.org/integration/autoland/rev/1ba3d134e71dbe7dbdcc8d94523c4b83db678884
Comment 14•3 years ago
|
||
Comment 15•3 years ago
|
||
Comment on attachment 9230161 [details]
Bug 1719178 - properly disconnect nsSHistory from the owner object (for esr78), r=peterv
Now that we've cut the branch we can land this in ESR.
Comment 16•3 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 17•3 years ago
|
||
uplift |
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Comment 18•2 years ago
|
||
Updated•2 years ago
|
Updated•1 year ago
|
Description
•