Closed
Bug 635137
Opened 13 years ago
Closed 13 years ago
failure to root when using JSString::getChars(Z) with newly allocated strings
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
People
(Reporter: Waldo, Assigned: automation)
Details
(Whiteboard: [sg:moderate][hardblocker][has patch], fixed-in-tracemonkey)
Attachments
(1 file)
1.97 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
I was looking at some JSON code and saw what looked like another failure-to-anchor bug. I poked Luke about it, and we determined nothing would go wrong so long as JSContext::malloc can't GC. So we looked at that to see whether it could, and it comes down to whether the registered error reporter can GC. (JSContext::mallocNoReport would be the alternative.) So I looked at error reporters. While NS_ScriptErrorReporter looks careful to not do anything, a number of others seem capable of invoking script again: * DOMWorkerErrorReporter synchronously calls an onerror handler * XBL_ProtoErrorReporter logs a message to the console which sync-notifies observers synchronously * mozJSLoaderErrorReporter also logs a console message So it looks like most to all cx->mallocs can GC right now, and as I understand it we (JS engine) had thought of that as an invariant we could (and do) rely upon. CCed a semi-random bunch of people associated with these reporters or with the JS engine, feel free to add other people if it makes sense.
Comment 1•13 years ago
|
||
Ideally, we'd make error reporting async on the JS side, but JS itself has no concept of an event loop and whatnot.... Failing that, we should fix all those error reporters to post events, imo.
Comment 2•13 years ago
|
||
Boris, can you look into this for 2.0 final? If not, let me know...
Assignee: nobody → bzbarsky
blocking2.0: --- → final+
Whiteboard: [sg:critical?] → [sg:critical?][hardblocker]
Comment 3•13 years ago
|
||
waldo, can you please point out the code where this is causing a rooting hazard?
Comment 4•13 years ago
|
||
Stealing from bz.
Updated•13 years ago
|
Assignee: bzbarsky → gal
Comment 5•13 years ago
|
||
cx->malloc is a valid GC point IMO. Call sites that are not aware of it are wrong and needs to be fixed. We don't have to touch the error reporters. I talked to Waldo. The case Luke and him found is in json. We grab the chars part of a string and the string might become unrooted under us. This is a bug that we ran into before and we have anchors for it. Waldo is right that its a pain to audit the code for this but thats the right thing to do here. I will audit the code and add anchors. That patch should be very low risk and done in a few.
Comment 6•13 years ago
|
||
Comment 7•13 years ago
|
||
We only read from these strings (they are flat by definition, so no sharing of buffers via dependent strings). I don't think this is exploitable.
Whiteboard: [sg:critical?][hardblocker] → [sg:high][hardblocker]
Comment 8•13 years ago
|
||
This patch adds anchors in a few places that follow the same pattern that Waldo found. This is not a good complete fix. I am pretty sure I missed more places like this. We should model this with a nice type system. AutoAnchoredStringPtr and then allow getChars(Z) only on that. We should also get rid of the JS API calls that allow extracting string buffers. But thats all post-4 fodder. I will file a follow-up bug after this bug has landed.
Updated•13 years ago
|
Attachment #514969 -
Flags: review?(lw)
Updated•13 years ago
|
Summary: Most JSErrorReporters can execute JS code in case of OOM → failure to root when using JSString::getChars(Z) with newly allocated strings
Comment 9•13 years ago
|
||
Comment on attachment 514969 [details] [diff] [review] patch omg the extra store caused by the Anchor is going to totall kill our e4x perf
Attachment #514969 -
Flags: review?(lw) → review+
Updated•13 years ago
|
Whiteboard: [sg:high][hardblocker] → [sg:high][hardblocker][has patch]
Comment 10•13 years ago
|
||
For what it's worth, I'd be happy to do a belt-and-suspenders fix to the error reporters too. It's really not that hard, and I'm sort of free at the moment. Let me know.
Comment 11•13 years ago
|
||
It can't hurt, but I don't think it helps much either. We do all sorts of stuff while holding getChars() and not rooting the string, the least of which is OOM reporting. The 2 other places I found would not be fixed by cleaning up OOM handling.
Comment 12•13 years ago
|
||
We should check 1.9.2 and 1.9.1.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Comment 13•13 years ago
|
||
Bleh, I messed up and this got split into two almost identical changesets, both with the same title. Go me. http://hg.mozilla.org/tracemonkey/rev/95d1efa60347 http://hg.mozilla.org/tracemonkey/rev/06e88afd8bbf
Whiteboard: [sg:high][hardblocker][has patch] → [sg:high][hardblocker][has patch], fixed-in-tracemonkey
Comment 14•13 years ago
|
||
Landed in mozilla-central (as one combined patch): http://hg.mozilla.org/mozilla-central/rev/a5eccf9bebda Marking fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 16•13 years ago
|
||
branches don't have Anchor<> so we'd need a completely different branch patch.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
Whiteboard: [sg:high][hardblocker][has patch], fixed-in-tracemonkey → [sg:moderate][hardblocker][has patch], fixed-in-tracemonkey
Assignee | ||
Updated•9 years ago
|
Assignee: gal → automation
Assignee | ||
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•