Closed Bug 1811331 (CVE-2023-25736) Opened 1 year ago Closed 1 year ago

cfi-derived-cast: Invalid downcast in GetTableSelectionMode

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
111 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox109 --- wontfix
firefox110 + fixed
firefox111 + fixed

People

(Reporter: lukas.bernhard, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, sec-low, Whiteboard: [adv-main110+])

Attachments

(2 files)

Bug 1811331 - remove useless static_cast, r=mccr8
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review
advisory.txt
179 bytes, text/plain
Details

Steps to reproduce:

When compiling Firefox with cfi-derived-cast, crashtest editor/libeditor/crashtests/1618906.html fails due to the downcasting here: https://searchfox.org/mozilla-central/rev/daf613efc5c358f3a94961d73b90472c00703838/dom/base/Selection.cpp#512
The dynamic type of the casted object is nsHTMLDocument, which is not derived from nsIContent.

This might not be s-s, just flagging as a precaution.

Blocks: cfi
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Group: core-security → dom-core-security
Component: DOM: Core & HTML → DOM: Selection

It looks safe-ish outside of undefined behavior kind of issues. The only method called on startContent is IsHTMLElement, which is an inline method that does mNodeInfo->Equals(aTag, kNameSpaceID_XHTML);, and mNodeInfo is a field on nsINode, and nsHTMLDocument is an nsINode. Following the chain of inheritance to nsINode up for both nsHTMLDocument and nsIContent, it always goes via the first superclass, so the cast won't actually do anything at runtime, I'm guessing. It would still be good to fix, of course.

Assignee: nobody → smaug
Severity: -- → S4

remove useless static_cast, r=mccr8
https://hg.mozilla.org/integration/autoland/rev/84398671e7e1872f3ddf17f28b3f87905c6bd3d8
https://hg.mozilla.org/mozilla-central/rev/84398671e7e1

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox111: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

The patch landed in nightly and beta is affected.
:smaug, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox110 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(smaug)

Comment on attachment 9313232 [details]
Bug 1811331 - remove useless static_cast, r=mccr8

Beta/Release Uplift Approval Request

  • User impact if declined: I think the behavior should be actual fine even without the patch, cfi-derived-cast just complains about this case. But to the safe, worth to land also to beta, maybe.
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: NA
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): the patch removes a useless static_cast
  • String changes made/needed: NA
  • Is Android affected?: Yes
Flags: needinfo?(smaug)
Attachment #9313232 - Flags: approval-mozilla-beta?

Comment on attachment 9313232 [details]
Bug 1811331 - remove useless static_cast, r=mccr8

Approved for 110 beta 5, thanks.

Attachment #9313232 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [adv-main110+]
Alias: CVE-2023-25736
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: