Clean up some manual AddRef/Release implementations
Categories
(Core :: XPCOM, defect)
Tracking
()
People
(Reporter: nika, Assigned: nika)
Details
(Keywords: csectype-race, sec-high, Whiteboard: [adv-main116+] [adv-ESR115.1+] [adv-ESR102.14+])
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-esr102+
diannaS
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
|
252 bytes,
text/plain
|
Details |
While reading over the refcnt implementations in https://phabricator.services.mozilla.com/D182992, I noticed some of the implementations were manual and in some cases a bit sketchy when they didn't need to be.
This patch is to track cleaning them up, and potentially fixing race issues in atomic refcounts which were not being handled correctly.
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 1•2 years ago
|
||
It appears that when this was originally added in bug 430061, the inline
refcounting macros didn't exist yet.
|
|
Assignee | |
Comment 2•2 years ago
|
||
When the code was originally added in bug 1842658, it was to use non-atomic
refcounting across multiple threads due to some invariants preventing
concurrent access. That was changed in bug 1607762 to fix a race issue.
We should be able to switch to using the macros now, which will simplify the
code here a bit.
Depends on D183203
|
|
||
Comment 3•2 years ago
|
||
Nika pointed out that this can lead to double frees (which could lead to UAFs), if the refcount is at 2, then 2 threads decrement, then they both read the refcount as zero, so I'm going to mark this sec-high. I don't know how easily exploitable that is for these particular classes. These don't look directly exposed to web content, but they can certainly be created and destroyed by it.
|
|
Assignee | |
Comment 4•2 years ago
|
||
Specifically the sec-high part is only part 2, part 1 should have no changes due to it never being a threadsafe refcnt.
|
|
Assignee | |
Comment 5•2 years ago
|
||
Comment on attachment 9343147 [details]
Bug 1842658 - Part 2: Use refcounting macros for nsHtml5OwningUTF16Buffer, r=mccr8!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: It would be quite difficult to. The issue is due to multiple atomic loads during a
Releasefunction of a platform object. - Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: Bug 1607762
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: I expect that the patch will apply cleanly on all impacted branches.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions
- Is Android affected?: Yes
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 6•2 years ago
|
||
Comment on attachment 9343147 [details]
Bug 1842658 - Part 2: Use refcounting macros for nsHtml5OwningUTF16Buffer, r=mccr8!
Approved to land and uplift if desired.
|
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9343146 [details]
Bug 1842658 - Part 1: Use a refcounting macro for imgCacheEntry, r=emilio!
Approved to land and uplift if desired.
|
|
Assignee | |
Comment 8•2 years ago
|
||
Comment on attachment 9343147 [details]
Bug 1842658 - Part 2: Use refcounting macros for nsHtml5OwningUTF16Buffer, r=mccr8!
Beta/Release Uplift Approval Request
- User impact if declined: Potential race condition leading to UAF.
Only part 2 could actually lead to a security issue, so part 1 could be not uplifted if desired, but they uplift well as a package.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Change to use battle-tested reference counting macros rather than manually implemented reference counting on some objects.
- String changes made/needed: None
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Potential race condition leading to UAF.
Only part 2 could actually lead to a security issue, so part 1 could be not uplifted if desired, but they uplift well as a package.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Change to use battle-tested reference counting macros rather than manually implemented reference counting on some objects.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 10•2 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/642d09cfa740
https://hg.mozilla.org/mozilla-central/rev/509bf5b39d3f
|
||
Comment 11•2 years ago
|
||
Comment on attachment 9343146 [details]
Bug 1842658 - Part 1: Use a refcounting macro for imgCacheEntry, r=emilio!
Approved for 116.0b6
|
|
||
Updated•2 years ago
|
|
||
Comment 12•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
Comment on attachment 9343147 [details]
Bug 1842658 - Part 2: Use refcounting macros for nsHtml5OwningUTF16Buffer, r=mccr8!
Approved for 115.1esr
|
|
||
Comment 14•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 15•2 years ago
|
||
Comment on attachment 9343147 [details]
Bug 1842658 - Part 2: Use refcounting macros for nsHtml5OwningUTF16Buffer, r=mccr8!
Approved for 102.14esr
|
|
||
Comment 16•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 17•2 years ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Description
•