Bug 584180 (CVE-2010-2762)

SJOWs create scope chains ending in outer objects

RESOLVED FIXED

Status

Core
XPConnect
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: mrbkap, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, {verified1.9.2})

Trunk
x86_64
Linux
verified1.9.2
Points:
---

Firefox Tracking Flags

(blocking2.0 betaN+, status2.0 ?, blocking1.9.2 .9+, status1.9.2 .9-fixed, status1.9.1 unaffected)

Details

(Whiteboard: [sg:critical?])

Attachments

(3 attachments, 2 obsolete attachments)

(Assignee)

Description

7 years ago
A SJOW around an outer window creates a scope function parented directly to the outer window's global object, which is... the outer window.

I don't know if this is exploitable, but it's definitely hitting us on bug 581539, because window.postMessage indirectly depends on the scope chain ending in an inner object.
(Assignee)

Comment 1

7 years ago
Created attachment 462513 [details] [diff] [review]
Fix

We'll need this on the 1.9.2 branch as well.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #462513 - Flags: review?(jst)
(Assignee)

Comment 2

7 years ago
Created attachment 462514 [details]
testcase

This aborts Firefox on load.
Comment 3

(In reply to comment #1)
> We'll need this on the 1.9.2 branch as well.

Is 1.9.1 affected?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.2: --- → ?
status2.0: --- → ?
(Assignee)

Comment 4

7 years ago
No, it isn't.

Updated

7 years ago
Attachment #462513 - Flags: review?(jst) → review+

Comment 5

7 years ago
Loading the testcase in an opt build doesn't do anything obviously bad, but in a debug build I get:

###!!! ABORT: should have gotten an inner window here: 'callerInnerWin->IsInnerWindow()', file /Users/jruderman/mozilla-central/dom/base/nsGlobalWindow.cpp, line 5442

Updated

7 years ago
blocking1.9.2: ? → .9+
status1.9.1: --- → unaffected
status1.9.2: ? → wanted

Updated

7 years ago
blocking2.0: ? → betaN+

Updated

7 years ago
Whiteboard: [sg:critical?]
(Assignee)

Comment 6

7 years ago
Created attachment 464611 [details] [diff] [review]
Better fix

Need to make sure we update the scope object if we're around an outer window that navigates.
Attachment #462513 - Attachment is obsolete: true
Attachment #464611 - Flags: review?(jst)
Comment 7

Comment on attachment 464611 [details] [diff] [review]
Better fix

+  if (JSVAL_IS_OBJECT(v)) {
+    JSObject *funobj = JSVAL_TO_OBJECT(v);
+    if (JS_GetGlobalForObject(cx, funobj) != scopeobj &&
+        !JS_SetParent(cx, funobj, scopeobj)) {
+      return nsnull;
+    }
+
+    return funobj;
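Review bot: the guard `if (JSVAL_IS_OBJECT(v))` only establishes that `v` holds an object, yet the body names it `funobj` and re-parents it with `JS_SetParent` as if it were a function; consider additionally checking `JS_ObjectIsFunction(cx, funobj)` before re-parenting, and verify that a null `v` cannot reach `JS_GetGlobalForObject`, since in this jsval representation `JSVAL_NULL` carries the object tag and can pass `JSVAL_IS_OBJECT` (a `!JSVAL_IS_PRIMITIVE(v)` test is the safer form). Changing the parent of an object that already exists is also the concern raised in the review comment below; cloning a fresh function into the scope (e.g. `JS_CloneFunctionObject(cx, funobj, scopeobj)`) and returning that instead would address both points without mutating an object other code may still hold.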

I think I'd rather see us create a new function in this case than to change the existing function's scope in this rare case, just in case there's a way to exploit this function whose scope ends up changing through some bizarre way.

r=jst with that.
Attachment #464611 - Flags: review?(jst) → review+
(Assignee)

Comment 8

7 years ago
Created attachment 465441 [details] [diff] [review]
With that
Attachment #464611 - Attachment is obsolete: true
Attachment #465441 - Flags: review+
(Assignee)

Comment 9

7 years ago
Created attachment 465443 [details] [diff] [review]
For 1.9.2

Trivial merge.
Attachment #465443 - Flags: review+
Attachment #465443 - Flags: approval1.9.2.9?
Comment 10

Pushed to mozilla-central.

http://hg.mozilla.org/mozilla-central/rev/11ca949a6aff
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 11

7 years ago
Comment on attachment 465443 [details] [diff] [review]
For 1.9.2

a=LegNeato for 1.9.2.9.

This needs to be landed as soon as possible.
Attachment #465443 - Flags: approval1.9.2.9? → approval1.9.2.9+
(Assignee)

Comment 12

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/29fac3124689
status1.9.2: wanted → .9-fixed
Comment 13

Verified fixed in 1.9.2 using my own debug build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100818 Namoroka/3.6.9pre ( .NET CLR 3.5.30729)).
Keywords: verified1.9.2
Alias: CVE-2010-2762
Group: core-security