clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint
Categories
(Core :: Web Painting, defect)
Tracking
()
People
(Reporter: tnikkel, Assigned: tnikkel)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [potential UAF, no testcase][adv-main116+r][adv-ESR115.1+r][adv-ESR102.14+r])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-esr102+
diannaS
:
approval-mozilla-esr115+
dveditz
:
sec-approval+
|
Details | Review |
We store a few raw pointers to ASRs that are kept around from one paint to the next. All of them but mCurrentContainerASR are saved and restored to their previous value using a RAII class (since they are init'ed to null this clears them by the time the paint is complete). mCurrentContainerASR however is set to the result of a call to ActiveScrolledRoot::PickAncestor in the destructor of the RAII class that manages it.
And there is another places in the code that assigns directly to it without a RAII class that I can see, although I think this code is currently not active due to the value of a pref.
We should just clear it at the end of a paint.
|
Assignee | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Comment 2•2 years ago
|
||
Not sure if you're describing an independent "sec-high" bug from bug 1840362, or more of a "sec-audit" latent bug. Not marked as a "task" so "sec-other" seems wrong.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 3•2 years ago
|
||
Bug 1840362 seems to be a pretty broad bug dealing with ActiveScrolledRoot related crashes that could be sec issues, some of them look like cpu bugs, some look like bit flips, some can't be categorized as a cpu bug or bit flip.
This bug could be a UAF relating to ASRs (and hence could show up as one of the crashes from bug 1840362), so sec-high seems reasonable for this bug (erring on the side of caution).
|
|
Assignee | |
Comment 4•2 years ago
|
||
Comment on attachment 9344179 [details]
Bug 1843847. Clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint. r?mstange,#gfx-reviewers
Security Approval Request
- How easily could an exploit be constructed based on the patch?: patch pretty clearly identifies a field that needs to be cleared. an attacker would have to get that field to be deleted. which is not trivial, but probably possible.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: trivial
- How likely is this patch to cause regressions; how much testing does it need?: very unlikely
- Is Android affected?: Yes
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
Comment on attachment 9344179 [details]
Bug 1843847. Clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint. r?mstange,#gfx-reviewers
sec-approval+ = dveditz
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 6•2 years ago
|
||
Comment on attachment 9344179 [details]
Bug 1843847. Clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint. r?mstange,#gfx-reviewers
Beta/Release Uplift Approval Request
- User impact if declined: possible uaf
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): clearing a variable that needs to be initialized fresh at the start of any paint and should not have been kept around
- String changes made/needed: none
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: potential uaf
- Fix Landed on Version: 117
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): clearing a variable that needs to be initialized fresh at the start of any paint and should not have been kept around
|
||
Comment 8•2 years ago
|
||
|
||
Comment 9•2 years ago
|
||
Comment on attachment 9344179 [details]
Bug 1843847. Clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint. r?mstange,#gfx-reviewers
Approved for 116.0b7
|
||
Comment 10•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 11•2 years ago
|
||
Comment on attachment 9344179 [details]
Bug 1843847. Clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint. r?mstange,#gfx-reviewers
Approved for 102.14esr
Approved for 115.1esr
|
|
||
Comment 12•2 years ago
|
||
| uplift | ||
|
|
||
Comment 13•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•1 year ago
|
Description
•